cybersecurity Support

Threat hunting on mobile – why the signing certificate is important

It’s a problem in the cybersecurity industry that infuriates me – the insistence of large cybersecurity companies to apply the same threat model to all platforms.

For example, some cybersecurity companies use the same block list between Android, Windows, Mac and Linux.

This old-fashioned approach to cyber security is no longer valid in the modern threat landscape. Simply put, these operating systems are not equal and don’t face equal threats. 

Android != iOS != Windows != Mac != Linux

But hey, it’s not just the cybersecurity companies that are using out-of-date techniques; the cybercriminals and malware creators are doing the same.

In order to get into the details of what I mean by this, let us dig into an example on Android of Cerberus.

Cerberus is a banking Trojan which has in the past stolen MFA SMS (multi-factor authentication by SMS) tokens, acted as an overlay to banking apps to steal sensitive information and stolen MFA tokens from authenticator apps like Google Authenticator.

In short it’s a really nasty threat created by some really bad folks. 

Cerberus has been made open source by the cybercriminals, making it accessible for people with malicious intent and too much time on their hands.

Maybe it’s this accessibility that means that at Traced we see Cerberus lurking in the wild a lot, it has popped up on our radar over 100 times in the past month in fact. When we do see it, Cerberus often appears hidden as a pretend version of Adobe Flash Player in one form or another. Frankly the fact that any cyber criminal would choose to mimic a service that is so vulnerable that it resembles a programmatic swiss cheese baffles me, however, that is besides the point. 

One malignant string to Cerberus’ bow are its attempts to evade antivirus detection. In the below images of two slightly different versions of Cerberus – caught by the Traced app and synced back to the Traced Control MTD platform – I’ve taken the liberty of highlighting some of the differences between the two variants.

These changes are expected of a more traditional virus affecting Windows, the name modification, the file size change ultimately resulting in the file hash being different. This results in your file sha256 or MD5 hash-based indicator of compromise now being defunct. In fact, it has changed so much, I’d bet that this would also evade any fuzzy hashing you could use to detect these two files with the same IOC.

In less technical terms, your antivirus, which relies on signatures (hashes), is going to miss both of these files even if it has seen Cerberus before.

Luckily for us, most of the people (or software) implementing this evasion haven’t changed something that takes a little bit more effort to change, the signing certificate. This means that the hash of this signing certificate is the same. In fact, they’ve not even changed this signing certificate hash from the default Android debug key. 

It is for these reasons that Traced Control focuses a lot of its threat hunting capability around these signing certificate keys. It is what has allowed the threat research here at Traced to propel so quickly with such a small team.

So if you’re publishing an Android IOC, make sure you don’t just publish the MD5 or SHA256 hash, include the signing certificate to allow other threat hunting teams to hunt for and block all apps by this same signer. 

Further reading

[VIDEO] Threat hunting on Android with Traced Control