At the 2018 RSA Conference I attended a session by Kevin McNamee (Director of Nokia’s Threat Intelligence Lab) and learned some valuable things that I would like to share with my blog followers.

From the ransomware samples that Kevin shared, most ransomware targeting Android can be uninstalled by booting the device to safe mode and removing Device Admin priv then uninstalling the app.

In summary the lessons I learned for protecting Android smartphones from Ransomware:

1. Don’t download apps from third party app stores.

2.Make sure “verify apps” is turned on.

3. Keep regular backups of your phone.

4. Consider 3rd party AV for your Android.

Side note: One of the other conference attendees asked Kevin what to do in their situation, where their employees in China are unable to access the Google Play Store, so they have no choice but to use 3^rd party app stores. Kevin suggested that they rely upon 3^rd party AV and employee security awareness training.

What about Apple iOS?

According to Kevin, AV is not necessary for iPhones because Apple doesn’t give AV vendors an API to do much good. He felt that the level of isolation in iOS is sufficient.

Not completely satisfied with this, I approached Kevin in the hallway and asked him about Pegasus Spyware –commercially available spyware sold by a startup company called the NSO Group, targeting iPhones (and Google/Blackberry) that was sold to governments. LookOut software participated in the discovery of this software which used three zero day exploits dubbed Trident (since then it has been patched in iOS 9.3.5). I asked Kevin, “Isn’t Trident an example of why we should advocate for 3^rd party smartphone security software, such as LookOut?” My concern is that there could be more zero day exploits? The point I tried to make is that if you had LookOut software (or software like it), then wouldn’t you be better off? Kevin was skeptical that these vendors are actually doing much good.

For what it is worth, Lookout is still the only software that can detect Trident (according to Trident). Here is more about their discovery and how their software protected against it: https://www.lookout.com/trident-pegasus-enterprise-discovery

My recommendations:

If you are the one responsible for purchasing decisions of “company-owned smartphones” for your company, my recommendation is to avoid purchasing Android and purchase iPhones instead, unless you can mandate good AV installed on the Android. This is because attackers have a higher cost to find zero-day exploits like Trident. Kevin also mentioned that an attacker’s could also target iOS with social engineering techniques to get into the target’s iCloud account, and then perhaps remotely locking the phone until the ransom is paid. Kevin said even in that scenario you may be able to work with Apple to get into the account.

Microsoft has improved their Intune Mobile Device Management to support 3^rd party connectors that can provide conditional access, so that only clean devices can access corporate resources such as Office 365 Exchange and SharePoint.

“Intune Mobile Threat Defense connectors allow you to leverage your chosen Mobile Threat Defense vendor as a source of information for your compliance policies and conditional access rules. This allows IT administrators to add a layer of protection to their corporate resources such as Exchange and Sharepoint, specifically from compromised mobile devices.”

There are currently four vendors supported to integrate with Intune:

 Lookout

 Skycure

 Check Point SandBlast Mobile

 Zimperium

When I looked at them, they looked very similar to me. I have not formally evaluated them but I will be speaking with each vendor since they are here at #RSAC 2018