Detecting Unknown Threats Time After Time
Zuk Avraham, Founder
Follow Zuk Avraham (@ihackbanme)
Last week, Ian Beer, from the Google Project Zero research team, released his local elevation of privileges exploit targeting iOS 10.1.1 . We immediately understood that we had another opportunity to assess a new zero day exploit against our Machine-Learning attack and exploit detection engine – z9
z9 detected, once again, the newly released exploit that allows remote shell access as root, without requiring an update.
After catching our breath from all this excitement, we took the liberty to go over all the recent security events utilizing exploits to gain full control over the mobile device, or initial code execution remotely, and felt pretty proud of our track record:
|Exploit/Attack||Type||z9 Detection Status|
|Dirty COW||Local||Successful Dirty COW Attacks: z9 detected without requiring an update.
Unsuccessful exploit attempts: We created new z9 simulation to provide an alert as well.
|Ian Beer’s iOS 10.1.1||Local||Detected without an update|
|Gooligan||Local||Detected without an update - just a reuse of TowelRoot and VRoot in apps, mostly of third party marketstores - z9 doesn’t need to have app’s signatures to detect exploits.|
|Pegasus||Remote||Detected without an update|
|Stagefright||Remote||Using our previous trainings of z9 for CVE-2015-1538 and CVE-2015-3864 z9. Google Project Zero Stagefright exploit CVE-2016-3861: detected without an update.|
New Attack Classes:
Both Drammer and DressCode were not previously considered a valid class type for attacking the device. In security events, our partners and customers expect us to react as fast as possible. As a result, we developed custom simulations for both:
|Exploit||Type||z9 Detection Status|
|Drammer||Local||z9 successfully and reliably detects Drammer attacks|
|DressCode||Local to internal network||New anomaly detection for z9 to detect attempts to steal data via phone - successfully detects the attacks, regardless to the source of the attack.|
In the case of Drammer, it was even harder – the researchers who published the research on the exploit, only published their POC without the exploit. At first, we were concerned because the same researchers claimed that it is impossible to use behavioral methods to detect this, we were able to prove them wrong.
By only looking at the template code released, we were able to generate a generic z9 simulation that is able to detect Drammer accurately.
New and previously unknown threats are becoming more frequent, especially in targeted attacks and corporate espionage. Now when you evaluate a Mobile Threat Defense solution, ensure that it can alert you in case of real attacks, like the one described above.
If you wish to evaluate Zimperium’s Mobile Threat Defense solution and protect your organization, click here.