Joshua Brindle

How to Win At Security

And here it is... mRAT's found that bypass MAM

As a follow-up to my last blog post, I just came across this article: Mobile malware gets serious – RATs can bypass sandboxes and encryption

1 in 1000 devices, the tools are in the wild. There is no reason to believe this number will go down. Further, these mRAT's apparently know how to bypass MDM and MAM sandboxes and encryption.

of course, mRAT's aren't anything new, but this is the first I've heard about ones that specifically target/bypass MDM/MAM.

Worse, the tools aren't just being used by experts; hackforums.net has tutorials on using them with commands like 'Hit Start then run, type "CMD" without quotations, hit OK, type "IPCONFIG" without quotations, etc'.

The solution is integrating SE Android into your devices; but SE Android, like SELinux is no silver bullet. You need good policies. Mobile device manufacturers are notoriously bad at securing their devices. The fact that a device node directly exposing kernel memory was world readable/writeable on many Samsung devices is direct evidence of this. The same people writing that software could not possibly be trusted to write secure SELinux policies. Separate teams that do security analysis and testing must ensure the policies are reasonable, etc.

This isn't rocket science, but it isn't standard operating procedure either. We've been doing independent verification and validation (IV&V) in government spaces forever. This needs to happen in mobile and there need to be security mechanisms that don't rely on discretionary access controls in place, which, of course, means mandatory access controls, which SE Android offers.