How to stop mobile malware before game-over infections? Meet zDefender

Do you recall the security firm Zimperium, which came out with ANTI, the killer Android app that allowed even the clueless to hack and pwn like a pen tester? It takes hackers to think like hackers, and Itzhak "Zuk" Avraham, otherwise known as @ihackbanme, is back with another app that, like Anti (Android Network Toolkit), is "one to two years ahead of its time."

With the onslaught of mobile malware, everyone should have antivirus up and running immediately after purchasing a smartphone. You'd think you were protected then, huh? Eeenk! Have you ever run into the hot spot honeypot WiFi Pineapple, automatically connected to Wi-Fi at a coffee shop (Firesheep), rogue routers planted at conferences, or man-in-the-middle (MITM) attacks? Wham bam thank ya ma'am! At DEMO Spring 2012, Zuk planted "2 Routers, providing 3 Access points," which have claimed about 3,000 mobile device victims so far.

As you can see in the video below when Zimperium announced zDefender, Zuk explains that antivirus is a normal app that runs on the same permission level as malware. Once malware infects your device's memory, the malware elevates its privileges until it's higher than the antivirus. "Once a malware has infected your phone, any existing solution will not help, and it's simply game over."

Personally I can't say enough good things about the ultra-sweet Anti and Anti Free apps, which 67,000 users worldwide have downloaded, so I was chomping at the bit, checking everywhere (Zimperium, @zImperium, @ihackbanme, even Zukifying Security) to get the beta versions of zDefender and zCore.

Email Interview with Zimperium's Itzhak "Zuk" Avraham:

I wasn't at DEMO 2012 in Santa Clara, CA, so I'm trying to make sure I have the scenario correct.

[Image: zDefender_DEMO.jpg]

People were jacked by automatically connecting to the Wi-Fi hot spot, and then redirected to your site explaining they could have been victim #??

Avraham: We redirect them to a non-malicious website with a counter showing which victim number they could have been. In the real DEMO presentation we redirected the traffic to a malicious website which contained a WebKit vulnerability forcing the phone to fully crash, and a potential attacker could take control of such a vulnerability to fully hack that device.

When the smartphone crashed, it could have been hacked because it visited a tainted site?

Avraham: Correct. Once malware is in a phone's memory, it can escalate privileges to have higher permissions than the antivirus on the phone. "Once a malware has infected your phone, any existing solution will not help, and it's simply game over."

zDefender works at a firmware level and the core OS level to protect the phone before malicious software or a persistent Trojan can be installed?

Avraham: Correct. In case our software was installed too late and you're already infected, zDefender will also assist in blocking the covert channels the malware uses to communicate with its command and control servers.

19 hours ago, 472 people jumped onto your Wi-Fi hotspot. Then you later tweeted that over 1k people were redirected to your page. How many routers did you plant and how many hits did you get at DEMO?

Avraham: 2 Routers, providing 3 Access points, caused 1,513 Hits on the first day. We will start the test again in the next DEMO session.

[Image: zScreenshots.gif]

Would you like to explain the demo and defense of the WebKit exploit?

Avraham: We know of dangerous networks around the world. ANTI users also provide us the information needed to know which networks are safe and which are not; you don't want to join a network that has worms spreading. We combine our pentesting software with our defense software to provide you real security.

We also detect web-based vulnerabilities and malicious websites, not only if you're on the same LAN but also for different variations of attack vectors. We will protect you against those threats by recognizing the attempt before it is successful and acting accordingly. zCore and zDefender are patent-pending technologies to give the end user real security.

At the DEMO event I showed one device connecting to our malicious website, which used a vulnerability reported a year ago that wasn't fixed properly. This URL caused the phone to crash, and you have to eject the battery to restart it; it could also have run our code if we had put more effort into it. It was a Use-After-Free vulnerability in WebKit; this vulnerability affects many types of devices and is quite dangerous (someone can send you a tweet with a link to a page containing this code, and once you enter - game over). On top of that, and any security expert will be able to confirm this, once the malware has elevated its privileges, any existing solution currently available on the market will not be able (technologically) to assist, as the malware will run with higher privileges than the antivirus and can basically shut the antivirus down or avoid its detection (even if the signatures exist within the engine). Yes, it's that dangerous!

The second demo was on a device with zCore technology enabled. When I tried to redirect the traffic, or even just scan the device, zDefender got zCore's alert and acted accordingly by hiding the device and reporting to the cloud-based console. The attack was prevented and the attacker can skip to the next target, a device without our technology. Imagine a Ministry of Defense agent getting hacked just via his phone. I'm sure no government will be able to accept such a scenario.

[Image: zScreenMSM.gif]

Would you like to explain the security technology zDefender and zCore?

Avraham: With zDefender & zCore we aim to provide true security to smartphones, and stop attacks before they happen. Most people will never even know if they've been hacked, and we'd like to protect them.

Hacking into smartphones is so easy these days. For example, any web-based jailbreak you've heard of could potentially have been used to hack your phone. Basically, when you just sit and drink coffee at your local coffee shop and do nothing, your phone will automatically connect to the Wi-Fi, and people can easily redirect your traffic to a website containing a WebKit exploit, as demonstrated at DEMO. WebKit is only one example of a vector that can cause your device to become compromised. We detect several ways and techniques to hack into the phone, and prevent them before the attack is successful. In most cases, the attacker will not even know you're there.

On top of Wi-Fi protection, we provide a complete security solution for the enterprise with a cloud-based management console. Since we focus on security, you may consider this MSM - Mobile Security Management, with MDM features. We provide the security that companies require, as more and more enterprises move to a BYOD (Bring Your Own Device) model, which proves not to be effective in terms of security and can endanger the company. Vendors and devices that implement the zCore technology will be much safer than other devices.
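As an added illustration of the two events Avraham describes above (the device being scanned in the second demo, and traffic being redirected on a shared coffee-shop Wi-Fi network), here is a small Python script with two host-side detection heuristics. It is example code written for this article, not Zimperium's zCore or zDefender, whose internals are not public. The connection-attempt log and the ARP snapshots are constructed sample data, and using a change in the default gateway's MAC address as the indicator of traffic redirection is an assumption about one common redirect technique on a LAN, not a description of how zCore detects it.

```python
"""Two host-side heuristics for the events described in the interview.

Added example, not Zimperium's code. Both detectors run on constructed
sample data so the script works offline.

1. Scan detection: one peer touching many distinct local ports within a
   short window (the "even just scan the device" case).
2. Redirect detection: the default gateway's MAC address changing while
   its IP stays the same, a classic sign of ARP-based traffic redirection
   on a shared Wi-Fi network (assumed indicator, not how zCore works).
"""
from collections import defaultdict

# Constructed sample: (timestamp_seconds, source_ip, destination_port),
# as a host firewall would log inbound connection attempts.
SAMPLE_CONNECTIONS = [
    (100.0, "10.0.0.50", 443),
    (100.2, "10.0.0.50", 443),   # same port twice: ordinary traffic
    (105.0, "10.0.0.77", 22),
    (105.1, "10.0.0.77", 23),
    (105.2, "10.0.0.77", 80),
    (105.3, "10.0.0.77", 443),
    (105.4, "10.0.0.77", 5555),
    (105.5, "10.0.0.77", 8080),
    (170.0, "10.0.0.77", 21),    # outside the window, not part of the burst
]

SCAN_WINDOW_SECONDS = 10.0
SCAN_PORT_THRESHOLD = 5


def detect_port_scans(connections, window=SCAN_WINDOW_SECONDS,
                      threshold=SCAN_PORT_THRESHOLD):
    """Return the set of source IPs that probed at least `threshold`
    distinct ports within any sliding window of `window` seconds."""
    by_source = defaultdict(list)
    for ts, src, port in sorted(connections):
        by_source[src].append((ts, port))

    scanners = set()
    for src, events in by_source.items():
        start = 0
        ports_in_window = defaultdict(int)  # port -> hits inside the window
        for ts, port in events:
            ports_in_window[port] += 1
            # Slide the left edge forward until the window fits.
            while ts - events[start][0] > window:
                old_port = events[start][1]
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
                start += 1
            if len(ports_in_window) >= threshold:
                scanners.add(src)
                break
    return scanners


# Constructed sample: periodic snapshots of the ARP entry for the default
# gateway, as (timestamp_seconds, gateway_ip, gateway_mac). All snapshots
# are assumed to be for the same gateway IP.
SAMPLE_GATEWAY_ARP = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (60, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (120, "192.168.1.1", "DE:AD:BE:EF:00:02"),  # MAC changed: possible redirect
    (180, "192.168.1.1", "de:ad:be:ef:00:02"),
]


def detect_gateway_mac_changes(snapshots):
    """Return [(timestamp, old_mac, new_mac)] for every snapshot in which
    the gateway's MAC differs from the previously observed one."""
    alerts = []
    last_mac = None
    for ts, _ip, mac in snapshots:
        mac = mac.lower()  # normalise case so "DE:AD" and "de:ad" compare equal
        if last_mac is not None and mac != last_mac:
            alerts.append((ts, last_mac, mac))
        last_mac = mac
    return alerts


if __name__ == "__main__":
    print("possible scanners:", sorted(detect_port_scans(SAMPLE_CONNECTIONS)))
    print("gateway MAC changes:", detect_gateway_mac_changes(SAMPLE_GATEWAY_ARP))
```

Run it directly to print the two alert lists. In practice the connection attempts would come from the host firewall log and the snapshots from the ARP cache, and a real agent would also have to tell a spoofed gateway apart from legitimate changes such as roaming to a different access point or a router being replaced, which is where the false-positive handling in a product like the one described would matter.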

Ouch! At the time of publishing, @ihackbanme had owned 2,657 victims' mobile devices at DEMO, and the network redirect count was still climbing.

All kinds of cool and emerging tech came out of DEMO 2012, but I'm looking forward to the zDefender app to stop anything malicious before it tries to attack my smartphone and it's game over. If you've ever played around with the completely sweet "penetration testing for the masses" app, then you know how easy Anti makes hacking. If you have not tried it yet, "Please remember, with great power comes great responsibility. Use it wisely." Avraham added that @zImperium "will release an app later on this week that will have beta signup forms for zDefender and zCore technology."

Images: Courtesy Zimperium Ltd 
