Welcome to the first edition of the Layers Bulletin; a new and improved monthly update from Licel. Each month we’ll tell you about the latest features across our products, and we’ll explain how they are evolving to protect the whole mobile channel. We’ll also share insights from the field and from our threat and device intelligence platform, Alice.
If you’re keen to find out about the latest trends shaping the future of mobile security, then you’re in the right place.
What's new with Licel's solutions?
DexProtector
DexProtector strengthens mobile application security by combining advanced integrity controls with actionable threat intelligence. The latest version builds on this.
The latest version of DexProtector enhances iOS jailbreak detection (including Dopamine-based jailbreaks), introduces new checks for TrollStore and for Corellium virtual devices, and adds specific detections for camera injection attacks. For Android, we’ve introduced enhanced detections for TrickyStore and for unlocked bootloaders on Google Pixel devices. Additionally, DexProtector’s adaptive custom firmware check now triggers further attestation when bootloader anomalies are detected.
Alice Threat Intelligence
The latest DexProtector update also has implications for our threat intelligence solution, Alice. As DexProtector’s integrity control measures continue to evolve and expand, so Alice’s data becomes even more trustworthy, insightful, and influential.
Alice’s attack and threat incident reports for the iOS platform now include more granular data, including app response, Developer Mode detection, and Jailbreak status. And the app version reporting scheme has also been refactored for greater clarity.
NFC Proxy Malware attacks
Attackers are shifting their strategy to target the very technologies that are helping to make payments more seamless. A good example of this is a trending attack: NFC Proxy Malware. It sits between the application and a POS reader, manipulating or intercepting sensitive communications. You can read all about it in our latest article.
Glossary
The NFC Proxy Malware trend is a good reminder that, in mobile channel protection, it’s critical to understand how the threat landscape is evolving. That’s why we’ve launched the Licel Mobile Application Security Glossary. It's our curated explainer of the key threats, attack techniques, and protection mechanisms that matter most.
Attack trends
LiveContainer: a signpost to future exploits?
LiveContainer is an in-app virtual container for iOS. It works like popular dual-account apps on Android such as Parallel Space and GBox; that same approach was used as an attack vector by Android malware such as FjordPhantom, which spread quickly and widely across Southeast Asia. LiveContainer stabilized at the end of last year and has grown in popularity ever since. Because it enables iOS applications to be run inside it without any installation, LiveContainer not only provides an alternative means of sideloading iOS applications, but also offers tweak injection capabilities to tamper with them. There is no sandboxing inside the virtual container, so apps can sniff or steal data from other apps.
One of the indirect results of Apple closing off loopholes that enable jailbreak exploits on iOS < 16.7 is that fraudsters now require other avenues to analyze apps and conduct their attacks. The upshot of this is the emergence of tools like LiveContainer, which are set to continue gaining traction in the months to come. Here at Licel, our security research team is aware of this growing threat trend and has implemented protection measures against it in the latest version of DexProtector.
Insights from Alice Threat Intelligence data
Every single second, Alice provides visibility about the threats targeting our customers’ applications. This gives our customers intelligence about their apps’ threat landscape and the way that attacks are changing over time. And the macro data for all the attacks prevented by DexProtector gives us vital insights that help us to spot trends and understand the kind of threats our solutions need to be ready to face.
Attacks prevented
Floating in the ether around your mobile application are threats and attack vectors that, if allowed to operate unchecked, could impact its integrity. Alice reports on DexProtector-prevented threats to give you full visibility. Here’s a snapshot of what it recorded in this past month:
Bootloader tampering for Android dominates the threat landscape, representing more than half of all incidents. But the fact that only 13% of installs are affected suggests a lot of repeated exploitation attempts on the same devices.
Root detections and jailbreaks account for a third of incidents, but they affect a much larger base (73%) of installs. That means that root remains the most widespread compromise method across users.
Malware (more detail, below) and manual installations of modified apps combined might only equate to just over 10% of all incidents, but they are potentially incredibly damaging. Both reveal the persistent risks resulting from rogue app distribution channels.
Similarly, emulators, debuggers, and hooks account for still smaller percentages, yet they too represent some of the most dangerous attack vectors out there as they are indicative of active attempts to reverse-engineer, modify, or hook the application.
Root and bootloader are the top attack vectors, which helps to explain the enhanced bootloader detection capabilities in the latest DexProtector update (see above). Our continual improvements to our solutions are rooted in real data about evolving threats, and so it’s very important you regularly update to the latest version.
Mobile malware trends
Is it time for us to collectively re-frame how we think about anti-malware? After all, a simple scanner no longer cuts it when we’re fighting sophisticated, multi-functional trojans capable of exploiting operating system features. Anti-malware today should be a strategic intelligence operation: a proactive, predictive platform. When we first built Alice, this was our goal, and it’s now the brain behind our entire anti-malware module. Here are some of the most interesting insights it has highlighted this past month:
Notable malware samples flagged by Alice include banking trojans (this accounts for the majority of them), as well as spyware and remote access trojans (RATs), and ransomware. A deeper analysis of command-and-control infrastructure and targeted applications highlights distinct geographic concentrations for specific malware families. In Europe, for example, we see a large quantity of banking trojans such as Octo (Coper), Sharkbot, Hydra, and Anatsa.
Anatsa is a good example of a type of malware that abuses Android’s Accessibility Services, which exists to help people with disabilities to use their phones. Once permission is granted on the device, malware samples like Anatsa can read the content of any screen, which includes sensitive information like credentials and 2FA codes. They can also implement powerful keyloggers capable of capturing user input, and can even perform actions on behalf of the user, such as approving transactions or granting additional rights.
Alice’s insights this past month make it clear that the mobile threat ecosystem is now dominated by banking trojans that are highly sophisticated and multi-functional. And they are primarily using Android’s Accessibility Services as their go-to attack vector. A defensive strategy rooted in threat and device intelligence is therefore more important than it has ever been. Alice’s Anti-Malware module detects and reports the presence of malware, enabling our banking clients to restrict activity and block transactions.
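As an added illustration (not Licel or DexProtector code) of the kind of device-side signal a banking app can feed into that restrict-or-block decision, the Kotlin below inventories the accessibility services enabled on the device and flags any that are not on an allowlist yet can both read screen content and perform gestures, the combination the Anatsa description above relies on. The allowlist, function names and the data class are assumptions made for this example.

```kotlin
// Added example (not Licel/DexProtector code). Uses only public Android APIs:
// AccessibilityManager.getEnabledAccessibilityServiceList() and the
// AccessibilityServiceInfo capability flags.
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.view.accessibility.AccessibilityManager

// Result of the check: every enabled service, plus the subset worth escalating.
data class AccessibilityRisk(
    val enabledServices: List<String>,   // "package/class" ids of enabled services
    val unexpectedServices: List<String> // not allowlisted AND can read + act
) {
    val suspicious: Boolean get() = unexpectedServices.isNotEmpty()
}

// Assumed allowlist of packages whose accessibility services the app accepts.
// TalkBack is a real package name; extend with the assistive tools you support.
private val ALLOWED_PACKAGES = setOf("com.google.android.marvin.talkback")

// Bit mask of the two capabilities a screen-reading, transaction-approving
// trojan needs: retrieve window content (API 18+) and perform gestures (API 24+).
private const val READ_AND_ACT =
    AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT or
    AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES

fun assessAccessibilityServices(context: Context): AccessibilityRisk {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    // FEEDBACK_ALL_MASK returns every enabled service regardless of feedback type.
    val enabled = am.getEnabledAccessibilityServiceList(
        AccessibilityServiceInfo.FEEDBACK_ALL_MASK
    )
    val ids = enabled.map { it.id }
    val unexpected = enabled.filter { info ->
        val pkg = info.id.substringBefore('/')
        // Flag only services that are both unknown to us and able to read the
        // screen and inject gestures; an unknown read-only service is lower risk.
        pkg !in ALLOWED_PACKAGES && (info.capabilities and READ_AND_ACT) == READ_AND_ACT
    }.map { it.id }
    return AccessibilityRisk(ids, unexpected)
}
```

A positive result is a risk signal to combine with server-side intelligence (for example, by stepping up authentication or holding a transaction), not proof of infection on its own, since legitimate assistive tools request the same capabilities.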
[Figure: The geographical spread of where some of the malware samples picked up by Alice were most active.]
Thanks for reading the first edition of the new and improved Licel Layers Bulletin. We'll be back next month with more product improvement updates and threat intelligence insights.