When you think of information theft, you think exfiltration from the corporate network, right? Maybe with the occasional Manning-style insider threat scenario thrown in. There’s a more pernicious way that data can wend its way from its home to the adversary’s lair: data mules. “Data mule” is a term I’ll co-opt from Disruption Tolerant Networking (DTN), a networking research area in which I’ve done some work in the past.
In this threat scenario, a compromised mobile device is sent into the corporate environment, carried by an unwitting worker bee, where it can collect any pollen of interest, including pictures, audio, video, network communications, location information, and of course email. At the end of the day, the device is carried back to the hive, where it is connected to an unwatched, unprotected wifi network with lots of bandwidth, for easy exfiltration. Think of all the honey that can be harvested this way (struggling to find any additional use for the bee metaphor, I’ll press on without it).
This way we sidestep the whole sticky issue of getting the data out through the corporate firewall. Who needs steganography and covert channels?
If you think this is a far-out scenario, remember that not too long ago we would have thought that the RSA/Lockheed/… attacks were science fiction: theoretically possible, but involving far too much effort and risk for the potential payoff. But somebody managed it, and the payoff is believed to have been quite sufficient. And the data mule attack would not be as hard as one might expect. Do we need a remote zero-day vulnerability to get scary malware onto phones? No, we just need physical access. Almost every Android phone out there right now can be rooted. Nor would this kind of espionage require stealing phones. Simply buy a bunch of used ones off eBay, root them, install whatever you want, and put them back on the market cheap. It’s an opportunistic approach, but so are most client-side attacks these days.
Will this scenario really happen? Perhaps. The point is that there are a lot of threat scenarios like this that need to be taken seriously even if they seem fanciful right now.
Remember, just because you’re paranoid doesn’t mean they’re not out to get you.