Mobile antiviruses do not work
TL;DR: if you need an antivirus on your corporate mobile devices, you are doing everything wrong, and the antivirus will not help you.
This post is the result of a heated debate about whether an antivirus is needed on a corporate mobile phone, in which cases it works, and in which it is useless. The article examines the threat models from which, in theory, an antivirus should protect.
Antivirus vendors often manage to convince corporate customers that an antivirus will greatly enhance their security, but in most cases this is an illusory defense that only reduces the vigilance of users and administrators alike.
Proper corporate infrastructure
When a company has tens or even thousands of employees, it is impossible to configure each user's device manually. Settings change every day, new employees arrive, their phones and laptops break or get lost. As a result, the admins' entire job would consist of deploying new settings to employee devices every day.
On desktop computers this problem was solved long ago. In the Windows world this management is usually done with Active Directory, centralized authentication (Single Sign-On), etc. But now every employee has added a smartphone to the computer, and a significant part of the work processes takes place on it and important data is stored on it. Microsoft tried to integrate Windows Phone into a single ecosystem with Windows, but that idea died with the official death of Windows Phone. Therefore, in a corporate environment you have to choose between Android and iOS either way.
Now the fashionable concept for managing employee devices in the corporate environment is UEM (Unified Endpoint Management): a centralized management system for mobile devices and desktop computers.
Unified endpoint management
The UEM system administrator can set different policies for user devices: for example, give the user more or less control over the device, allow or deny installing applications from third-party sources, etc.
What UEM can do:
Manage all settings - the administrator can completely prohibit the user from changing settings on the device and change them remotely.
Control software on the device - allow or deny installing programs on the device and install programs automatically without the user's knowledge. The administrator can also prohibit or allow installing programs from the application store or from untrusted sources (APK files on Android).
Remote lock - if the phone is lost, the administrator can lock the device or wipe its data. Some systems also allow automatic deletion of data if the phone has not communicated with the server for more than N hours, to rule out offline hacking attempts in which the attacker removed the SIM card before the wipe command was sent from the server.
Collect statistics - track user activity, application usage time, location, battery level, etc.
What UEMs exist
There are two fundamentally different approaches to centralized management of employees' smartphones. In one case, the company buys devices from a single manufacturer for its employees and usually chooses a management system from the same vendor. In the other, employees use their personal devices for work, and here the zoo of operating systems, versions and platforms begins.
BYOD (Bring Your Own Device) is a concept in which employees use their personal devices and accounts for work. Some centralized management systems allow adding a second, work account and completely separating personal and work data.
Apple Business Manager is Apple's native centralized management system. It can manage only Apple devices: macOS computers and iOS phones. It supports BYOD by creating a second, isolated environment with a different iCloud account.
Google Cloud Endpoint Management allows managing Android and Apple iOS phones, as well as Windows 10 desktops. BYOD support is declared.
Samsung Knox UEM supports only Samsung mobile devices and can be used only for managing Samsung mobile devices.
In fact, there are many more UEM vendors, but we will not analyze them all in this article. The main thing to keep in mind is that such systems already exist and let the administrator configure user devices according to the existing threat model.
Before choosing protection tools, you need to understand what we are protecting ourselves from and what the worst thing that can happen in our particular case is. Relatively speaking: our body is easily vulnerable to a bullet, and even to a fork or a nail, but we don't put on a bulletproof vest when leaving the house. Therefore, our threat model does not include the danger of being shot on the way to work, although statistically it is not that improbable. Moreover, under certain conditions wearing body armor is entirely justified.
Different companies have different threat models. Let's take, for example, the smartphone of a courier who is about to deliver a package to a client. His smartphone holds only the address of the current delivery and the route on the map. The worst thing that can happen to his data is a leak of package delivery addresses.
And here is the accountant's smartphone. It has VPN access to the corporate network, a corporate client-bank application is installed, and documents with valuable information are stored on it. Obviously, the value of the data on these two devices differs significantly, and they should be protected differently.
Will an antivirus save us?
Unfortunately, behind the marketing slogans the real meaning of the tasks an antivirus performs on a mobile device gets lost. Let's try to figure out in detail what an antivirus does on the phone.
Most modern mobile antiviruses audit the security settings on the device. This audit is sometimes called a "device reputation check". Antiviruses consider a device safe if four conditions are met:
- The device is not hacked (root, jailbreak).
- A password is configured on the device.
- USB debugging is disabled on the device.
- Installing applications from untrusted sources (sideloading) is disabled on the device.
If the scan finds the device unsafe, the antivirus notifies the owner and offers to disable the "dangerous" functionality, or to restore the factory firmware if there are signs of root or jailbreak.
By corporate standards it is not enough to just notify the user. Insecure configurations must be eliminated. To do this, security policies on mobile devices have to be configured through the UEM system. And if root/jailbreak is detected, corporate data must be promptly wiped from the device and its access to the corporate network blocked. This, too, is possible with UEM. Only after these procedures can a mobile device be considered safe.
Virus Scan and Removal
Contrary to popular belief, viruses for iOS do exist. Exploits for older versions of iOS are still common in the wild, infecting devices by exploiting vulnerabilities in the browser. At the same time, due to the architecture of iOS, developing antiviruses for this platform is impossible. The main reason is that applications cannot access the list of installed applications and have many restrictions when accessing files. Only UEM can get the list of installed iOS apps, but even UEM cannot access files.
With Android the situation is different. Applications can obtain information about the applications installed on the device, and can even access their distribution packages (for example, Apk Extractor and its analogues). Android applications can also access files (for example, Total Commander, etc.). Android apps can be decompiled.
With such capabilities, the following anti-virus algorithm looks logical:
- Application verification:
  - Get the list of installed applications and the checksums of their distribution packages.
  - Check the applications and their checksums first in the local and then in the global database.
  - If an application is unknown, send its distribution package to the global database for analysis and decompilation.
- File scanning, searching for virus signatures:
  - Check the files' checksums in the local, then in the global database.
  - Check the files for unsafe content (scripts, exploits, etc.) against the local and then the global database.
- If malware is detected, inform the user and/or block the user's access to the malware and/or pass the information to the UEM. Passing the information to UEM is necessary because the antivirus cannot remove malware from the device on its own.
The biggest concern is the possibility of transferring software distribution packages from the device to an external server. Without this, the "behavioral analysis" declared by antivirus manufacturers cannot be implemented, because you cannot run the application in a separate "sandbox" on the device or decompile it there (how effective that is against obfuscation is a separate, difficult question). On the other hand, corporate applications that are unknown to the antivirus because they are not on Google Play may be installed on employees' mobile devices. Such mobile apps may contain sensitive data that prevents them from being placed in a public store. Transferring such distribution packages to the antivirus manufacturer seems wrong from a security point of view. It would make sense to add them to exceptions, but I am still not aware of such a mechanism existing.
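The lookup order described above (local database, then global database, then upload of the unknown package), together with the exception mechanism the author wishes existed, as an added example that is not code from the post or from any antivirus product. The exception is keyed on package name and package hash together, so a repackaged app carrying a trusted name does not inherit its trust; all package names, APK bytes and databases are constructed.

```python
# Added example (not the post's code): hash lookup order plus a corporate
# exception list; every package, APK byte string and database is constructed.
import hashlib
from dataclasses import dataclass, field

CLEAN, MALWARE, UNKNOWN = "clean", "malware", "unknown"


@dataclass(frozen=True)
class InstalledApp:
    package: str   # Android package name as the OS reports it
    apk: bytes     # distribution bytes, as an APK-extractor style app can read them

    @property
    def checksum(self) -> str:
        return hashlib.sha256(self.apk).hexdigest()


@dataclass
class Scanner:
    local_db: dict             # checksum -> verdict, kept on the device
    global_db: dict            # checksum -> verdict, the vendor's cloud database
    corporate_exceptions: set  # (package, checksum) pairs that must never leave the device
    uploaded: list = field(default_factory=list)  # checksums sent out for analysis

    def verdict(self, app: InstalledApp) -> str:
        cs = app.checksum
        # 1. A corporate app was checked once before UEM distributed it. The
        #    exception is keyed on name AND hash, so a repackaged app with the
        #    same package name does not inherit the trust.
        if (app.package, cs) in self.corporate_exceptions:
            return CLEAN
        # 2. Local database first: cheap and works offline.
        if cs in self.local_db:
            return self.local_db[cs]
        # 3. Then the global database; cache the answer locally.
        if cs in self.global_db:
            self.local_db[cs] = self.global_db[cs]
            return self.local_db[cs]
        # 4. Unknown: the package leaves the device for analysis. This is the
        #    step the post objects to for corporate apps.
        self.uploaded.append(cs)
        return UNKNOWN

    def scan(self, apps) -> list:
        """Return (package, verdict) pairs; a list, since two installs can share a name."""
        return [(app.package, self.verdict(app)) for app in apps]


def demo():
    # Constructed sample installs; the bytes stand in for real APK contents.
    bank = InstalledApp("com.example.corp.bank", b"corporate client-bank build 7")
    notes = InstalledApp("com.example.notes", b"notes 2.1 from the store")
    torch = InstalledApp("com.example.flashlight", b"flashlight with overlay payload")
    repack = InstalledApp("com.example.corp.bank", b"tampered corporate build")
    scanner = Scanner(
        local_db={notes.checksum: CLEAN},
        global_db={torch.checksum: MALWARE},
        corporate_exceptions={(bank.package, bank.checksum)},
    )
    return scanner, scanner.scan([bank, notes, torch, repack])


if __name__ == "__main__":
    scanner, results = demo()
    for package, verdict in results:
        print(f"{package:28s} {verdict}")
    print("uploaded for analysis:", scanner.uploaded)
```

The tampered build with the corporate package name is the case to watch: it is neither excepted nor known, so it is the only package that leaves the device.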
Malware without root privileges can:
1. Draw its own invisible window on top of an application or embed its own keyboard to copy user input: account credentials, bank cards, etc. A recent example is CVE-2020-0096, which makes it possible to replace the active screen of an application and thereby gain access to user input. For the user this means the possibility of having their Google account, with access to the device's backup, and their bank card details stolen. For the organization, in turn, what matters is not losing its data. If the data is in the application's private storage and is not included in the Google backup, malware will not be able to access it.
2. Access data in public directories: downloads, documents, gallery. It is not recommended to store information valuable to the company in these directories, because any application can access them. Besides, the user can always share a confidential document using any available application anyway.
3. Annoy the user with ads, mine bitcoins, be part of a botnet, etc. This may affect the performance of the user and/or the device, but is not a threat to corporate data.
Malware with root privileges can potentially do anything. It is rare, because rooting modern Android devices from an application is almost impossible. The last such vulnerability was discovered in 2016: the notorious Dirty COW, CVE-2016-5195. The key point is that on detecting signs of hacking, the UEM client will erase all corporate information from the device, so the likelihood of successful data theft using such malware in the corporate world is low.
Malicious files can harm both the mobile device and the corporate systems to which it has access. We will analyze these scenarios in more detail.
Damage to a mobile device can be caused, for example, by downloading a picture that, when opened or set as wallpaper, turns the device into a "brick" or reboots it. Most likely this will harm the device or the user but will not affect the confidentiality of data. Although there are exceptions.
The vulnerability CVE-2020-8899 was recently discussed. It was claimed that it allowed access to the console of a Samsung mobile device using an infected image sent by email, messenger or MMS. Although console access means you can only reach data in public directories, where there should be no confidential information, the privacy of users' personal data is at risk, and this frightened users. In fact, attacking devices is possible only via MMS, and a successful attack requires sending from 75 to 450 (!) messages. The antivirus, alas, will not help here, because it has no access to the message log. There are only two ways to protect yourself: update the OS or block MMS. You may wait a long time for the first and never get it, because device manufacturers do not release updates for all devices. Disabling MMS is much easier in this case.
Damage to corporate systems can be caused by files transmitted from mobile devices. For example, there is an infected file on the mobile device that cannot harm the device but can infect a Windows computer. The user sends this file by e-mail to a colleague, who opens it on a PC and may thus infect it. But at least two antiviruses stand in the way of this attack vector: one on the email server and the other on the recipient's PC. Adding a third antivirus to this chain, on the mobile device, seems like paranoia.
As you can see, the greatest threat in the corporate digital world is malware without root privileges. Where can it come from on a mobile device?
Most often it is installed via sideloading, adb or third-party stores, which should be prohibited on mobile devices with access to the corporate network. That leaves two ways of getting malware: from Google Play or from UEM.
Before publication on Google Play, all applications are checked. But for applications with a small number of installs, the checks are most often performed without human involvement, in automatic mode only. Therefore malware sometimes does get into Google Play, though still not often. An antivirus whose databases are updated in a timely manner can detect malware on the device before Google Play Protect, which so far lags behind in the speed of updating its antivirus databases.
UEM can deliver any application to a mobile device, including malware, so every application must be checked beforehand. Applications can be checked both during development, with static and dynamic analysis tools, and right before distribution, using specialized sandboxes and/or antivirus solutions. The important point is that in this case the application is checked once, before it is uploaded to UEM. Therefore, in this case, the antivirus on the mobile device is not needed.
Depending on the antivirus manufacturer, one or more of the following functions may be offered as part of network protection.
URL filtering is used for:
- Blocking traffic by resource category. For example, to prevent news or other non-corporate content from being viewed before noon, when the employee is most productive. In practice, blocking usually works with many restrictions: antivirus manufacturers do not always manage to update the resource category directories in time, given the many "mirrors". Plus there are anonymizers and Opera VPN, to which the blocking usually does not apply.
- Protection against phishing or spoofing of target hosts. For this, the URLs accessed by the device are checked in advance against an antivirus database. The links, as well as the resources they lead to (including possible multiple redirects), are checked against a database of known phishing sites. The domain name, certificate and IP address are also compared between the mobile device and a trusted server. If the client and the server receive different data, it is either a MITM ("man in the middle") or traffic interception by that same antivirus or by various proxies and web filters on the network the mobile device is connected to. It is difficult to say with certainty that there is someone in the middle.
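The two checks just described, as an added example that is not code from the post or from any antivirus product: a redirect chain is followed and every hop is checked against a phishing list, and then the certificate the device saw for a host is compared with what a trusted server saw. Because a mismatch alone cannot tell a MITM from a corporate web filter, the example assumes an organisation-maintained list of its own interception CAs to downgrade the known case; all hosts, IPs, fingerprints and issuer names are constructed.

```python
# Added example (not the post's code): redirect-chain phishing check and the
# device-vs-trusted-server comparison. Every host, IP and fingerprint is constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observation:
    host: str
    cert_sha256: str   # fingerprint of the leaf certificate that was presented
    issuer: str        # issuer name of that certificate
    ip: str            # address the connection actually went to


def follow_redirects(url: str, redirects: dict, limit: int = 10) -> list:
    """Return every hop of a redirect chain (the table stands in for HTTP 3xx
    responses); bounded so a redirect loop cannot hang the check."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= limit:
        chain.append(redirects[chain[-1]])
    return chain


def check_link(url: str, redirects: dict, phishing_hosts: set) -> tuple:
    """Check the link and each resource it redirects to against the phishing list.
    Returns ('phishing', offending_host) or ('ok', final_host)."""
    chain = follow_redirects(url, redirects)
    for hop in chain:
        host = urlsplit(hop).hostname
        if host in phishing_hosts:
            return "phishing", host
    return "ok", urlsplit(chain[-1]).hostname


def compare_views(device: Observation, trusted: list, interception_cas: set) -> tuple:
    """Compare what the device saw with what a trusted server saw for the host.

    'consistent'  : the device's certificate is one the trusted server also saw.
    'intercepted' : a different certificate, but issued by a CA the organisation
                    knows as its own proxy or web filter (assumed allow-list).
    'mismatch'    : a different certificate from an unknown issuer; here a MITM
                    and an unknown proxy look identical, as the post notes.
    IP differences alone are not a finding: CDNs answer differently per network.
    """
    trusted_certs = {t.cert_sha256 for t in trusted if t.host == device.host}
    if device.cert_sha256 in trusted_certs:
        return "consistent", ""
    if device.issuer in interception_cas:
        return "intercepted", device.issuer
    return "mismatch", f"cert={device.cert_sha256} ip={device.ip}"


def demo() -> dict:
    redirects = {  # constructed 3xx chain ending at a look-alike host
        "https://mail.example.net/login": "https://go.example-links.net/r/42",
        "https://go.example-links.net/r/42": "https://secure-1ogin.example-mail.net/",
    }
    phishing_hosts = {"secure-1ogin.example-mail.net"}
    trusted = [Observation("bank.example.org", "aa11", "Example Public CA", "203.0.113.10")]
    corp_cas = {"Corp Web Filter CA"}  # assumed list of the organisation's own interception CAs
    return {
        "link": check_link("https://mail.example.net/login", redirects, phishing_hosts),
        "cdn": compare_views(Observation("bank.example.org", "aa11", "Example Public CA", "203.0.113.25"), trusted, corp_cas),
        "proxy": compare_views(Observation("bank.example.org", "bb22", "Corp Web Filter CA", "10.0.0.5"), trusted, corp_cas),
        "unknown": compare_views(Observation("bank.example.org", "cc33", "Free Wi-Fi CA", "198.51.100.7"), trusted, corp_cas),
    }
```

The "cdn" case shows why the IP alone is not compared: the address differs but the certificate matches, so the connection is reported as consistent.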
To access mobile traffic, the antivirus either builds a VPN or uses the capabilities of the Accessibility API (the API for applications designed for people with disabilities). Several VPNs cannot run simultaneously on a mobile device, so network protection from antiviruses that build their own VPN is not applicable in the corporate world: the antivirus VPN simply will not work alongside the corporate VPN used to access the corporate network.
Giving the antivirus access to the Accessibility API poses another danger. Access to the Accessibility API effectively means permission to do anything on behalf of the user: see what the user sees, perform actions in applications instead of the user, etc. Given that the user must explicitly grant such access to the antivirus, he will most likely refuse to do so. Or, if forced to, he will buy another phone without an antivirus.
Under the common name of a firewall, three functions are hidden:
- Collection of network usage statistics, broken down by application and network type (Wi-Fi, mobile operator). Most Android device manufacturers provide this data in the Settings app, so duplicating it in the mobile antivirus interface seems redundant. Aggregated information across all devices may be of interest, and it is successfully collected and analyzed by UEM systems.
- Mobile traffic restriction: setting a limit and notifying when it is reached. For users of most Android devices these features are available in the Settings app. Centralized configuration of restrictions is the task of UEM, not of an antivirus.
- Firewalling proper, i.e. blocking access to certain IP addresses and ports. Given DDNS on all popular resources and the need to enable a VPN, which, as described above, cannot work together with the main VPN, the function seems inapplicable in corporate practice.
Wi-Fi proxy check
Mobile antiviruses can evaluate the security of the Wi-Fi networks a mobile device connects to. Presumably, the presence and strength of encryption are checked. At the same time, all modern programs use encryption to transmit sensitive data. Therefore, if some program is vulnerable at the channel level, it is dangerous to use it over any Internet channel, not just over public Wi-Fi.
Therefore, public Wi-Fi, even without encryption, is no more dangerous and no less secure than any other untrusted unencrypted data channel.
Protection, as a rule, comes down to filtering incoming calls by a user-specified list or by a list of known spammers who endlessly pester people with insurance, loans and theater invitations. Although they don't call during self-isolation, they will start again soon. Only calls are filtered; messages on current Android are not. Given that spammers regularly change their numbers and that text channels (SMS, instant messengers) cannot be protected, the functionality is more marketing than practical.
Performing remote actions on a mobile device in case of loss or theft: an alternative to Find My iPhone and Find My Device from Apple and Google, respectively. Unlike those, the antivirus vendors' services cannot lock a device if an attacker has managed to reset it to factory settings. But if that has not happened yet, you can do the following with the device remotely:
- Lock. Protection against a dim-witted thief only, because it is easily bypassed by resetting the device to factory settings via recovery.
- Find out the device's coordinates. Useful when the device was lost recently.
- Turn on a loud beep to find the device by sound if silent mode is on.
- Reset the device to factory settings. Makes sense when the user considers the device irretrievably lost but does not want the data stored on it to be disclosed.
- Take a photo. Photograph the attacker if he is holding the phone in his hands. The most dubious function: the likelihood that the attacker admires the phone in good light is low. But the presence on the device of an application that can quietly control the smartphone's camera, take photos and send them to its own server causes reasonable alarm.
Remote command execution is basic in any UEM system. They lack only remote photography. This is a sure way to make users remove the batteries from their phones after the working day and put them in a Faraday bag.
The antivirus functions of a mobile antivirus are available only on Android. On iOS only UEM can do this, and there can be only one UEM on an iOS device: this is an architectural feature of iOS.
- The situation in which a user can install malware on the phone is UNACCEPTABLE.
- A properly configured UEM on a corporate device eliminates the need for antivirus.
- If 0-day vulnerabilities in the operating system are exploited, the antivirus is useless. It can only tell the administrator that the device is vulnerable.
- The antivirus cannot determine whether a vulnerability is being exploited, nor can it release an update for a device for which the manufacturer no longer releases security updates. At most, that is a year or two.
- If we ignore the requirements of regulators and marketing, corporate mobile antiviruses are needed only on Android devices where Google Play and installation of programs from third-party sources are available to users. In all other cases, the effectiveness of antiviruses is no more than a placebo.