The National Cyber Security Centre SK-CERT warns of attacks carried out through remote mobile device management tools

The National Cyber Security Centre SK-CERT has identified a new attack vector in which an organization is compromised through its mobile device management (MDM) tools. Attackers compromise the MDM and use it to push malicious code to the managed mobile devices. The malware then collects sensitive information, such as logins and passwords, and sends it to a command-and-control (C2) server.

What is MDM

MDM stands for Mobile Device Management: solutions for administering mobile devices such as phones, tablets, laptops and other portable devices. The purpose of MDM is to deploy a uniform set of rules, certificates, permitted applications and authorizations to the users of mobile devices within the organization's infrastructure.

Using MDM has many benefits. From a security standpoint, MDM is used to set roles and rights for individual users, to enforce rules for the use of individual applications, to define restrictions and permissions for installing and using applications, and to apply security features to all mobile devices it administers. A great added value is that these settings are implemented and enforced centrally, without visiting each device, and global rules guarantee a uniform level of settings across all administered devices.

MDM solutions are usually used in a corporate environment to manage mobile devices that access the company infrastructure, especially the intranet and its applications.

Attack vector

One of the benefits of MDM is the ability to apply settings or install applications on every device in the same way. Researchers from Check Point[1] revealed that this function is actively exploited by a new variant of the Cerberus malware (an Android banking Trojan).

First, the attacker compromises the MDM solution deployed in the organization, for example by exploiting its poor security or configuration. The attacker then creates a new configuration that spreads the malware to the individual managed devices.

Cerberus is offered as Malware-as-a-Service (MaaS): anyone can "order" it with their own configuration. The new variant, which focuses on compromising MDM, has the attributes of a Mobile Remote Access Trojan (MRAT). These include recording all touches on the screen, collecting call logs and information about installed applications, stealing data from the Google Authenticator app and received SMS messages (including two-factor authentication codes), and remote control of the device via TeamViewer.

The malware has two parts: a main malicious application, which communicates with the C2 server, and a customizable DEX file that the main application downloads to the device from the C2 server.

After installation, the malware displays a window that tries to force the user to approve an "update" of the Accessibility service (on some Android devices this service is also called Smart Help). If the user closes the window, it reopens again and again until the user grants the permission. The malicious code then uses the user's privileges and the Accessibility service to take further steps automatically, without any user interaction.

The malware is configured to collect various types of data. After successful installation, it sends the C2 server a so-called bot-id (an identifier used for sending and receiving messages), the security status, a list of the most-used applications and whether it has write access to storage. The collected data, including received SMS messages, are then sent to the C2 server.

The main malware module also obtains login data from Google Authenticator, Gmail passwords and screen unlock patterns. All touches on the screen are sent to the C2 server as well, so the attacker sees every activity of the victim, including PIN codes and login details for applications. It can also send a list of files and installed applications to the C2 server and, on request, upload a specific file from the device. The malware can also launch TeamViewer, giving the attacker complete remote control of the mobile device.

A complete technical analysis of the new Cerberus variant, including indicators of compromise (IOCs), is available at https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/

Recommendations for securing MDM

MDM solutions are part of the organization's infrastructure and must not be granted any security exceptions. MDM is a powerful tool for administering a large number of devices in the organization, and its compromise puts all of them at risk. The National Cyber Security Centre SK-CERT therefore recommends observing at least the following security principles for MDM configuration and operation:

  • apply all security patches available for the MDM software as soon as possible,
  • if a vulnerability is published for which no security patch exists, temporarily disconnect the MDM system from the network,
  • if the organization uses MDM to administer devices connected via local Wi-Fi access points, or has its own private APN set up with the telecommunications operator, and the MDM does not strictly require Internet connectivity for its operation, do not expose it to the whole Internet,
  • if the MDM must be reachable from the public Internet, access can be limited to the address ranges of the mobile operators whose data services the managed devices use,
  • an MDM system does not usually need any contact with the organization's internal network; operate it in a separate DMZ as a standalone element. Firewall rules must prohibit connections from the MDM server to the internal network and restrict connections from the internal network to the MDM server as far as possible,
  • access to MDM administration requires protection commensurate with the number of devices that would be endangered by its compromise; we strongly recommend complex passwords and two-factor authentication,
  • as with other information systems, use individual user accounts instead of a shared administrator account, so that the account from which changes were made can be identified. If the system supports roles, create roles that minimize the number of actions each user is authorized to perform in the MDM system,
  • store MDM system logs on a separate log server,
  • monitor and evaluate firewall logs and, in particular, failed login attempts to the MDM.
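As an added illustration of two of the points above (limiting access to the operators' address ranges and monitoring login attempts to the MDM), the following Python script is example code written for this page; it is not part of the SK-CERT advisory or of any MDM product. It audits MDM administration-login log lines against an allow-list of source ranges, counts failed logins per source, and flags any successful login from outside the allowed ranges. The log format, the field names, the address ranges (RFC 5737 documentation prefixes standing in for real operator ranges) and the failure threshold are all assumptions.

```python
"""Added example, not from the SK-CERT advisory: audit MDM admin-login logs
against an allow-list of mobile-operator address ranges and flag brute force
and out-of-range successful logins. Log format and ranges are assumed."""
import ipaddress
import re
from collections import Counter

# Assumption: address ranges of the mobile operators whose data services the
# managed devices use. RFC 5737 documentation prefixes stand in for real ones.
ALLOWED_SOURCE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed threshold: failed logins from one source that should raise an alert.
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample log in an assumed "key=value" format; real MDM products
# log differently, so only LINE_RE would need adapting.
SAMPLE_LOG = """\
2020-05-04T10:01:03Z src=192.0.2.17 user=admin result=OK
2020-05-04T10:02:41Z src=203.0.113.9 user=admin result=FAIL
2020-05-04T10:02:43Z src=203.0.113.9 user=admin result=FAIL
2020-05-04T10:02:46Z src=203.0.113.9 user=admin result=FAIL
2020-05-04T10:02:50Z src=203.0.113.9 user=admin result=FAIL
2020-05-04T10:02:55Z src=203.0.113.9 user=admin result=FAIL
2020-05-04T10:05:12Z src=203.0.113.9 user=admin result=OK
2020-05-04T10:07:30Z src=198.51.100.44 user=j.novak result=FAIL
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_allowed_source(addr):
    """True if addr lies inside one of the allowed operator ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable source address: never treat as allowed
    return any(ip in net for net in ALLOWED_SOURCE_RANGES)


def audit(text):
    """Summarise what an analyst reviewing the MDM login log wants to see."""
    events = parse_log(text)
    failed_by_source = Counter(e["src"] for e in events if e["result"] == "FAIL")
    outside = sorted({e["src"] for e in events if not is_allowed_source(e["src"])})
    bruteforce = sorted(
        src for src, n in failed_by_source.items() if n >= FAILED_LOGIN_THRESHOLD
    )
    # Highest priority: a login that succeeded from outside the allowed ranges.
    unexpected_success = [
        (e["ts"], e["user"], e["src"])
        for e in events
        if e["result"] == "OK" and not is_allowed_source(e["src"])
    ]
    return {
        "events": len(events),
        "failed_by_source": dict(failed_by_source),
        "outside_allowlist": outside,
        "bruteforce": bruteforce,
        "unexpected_success": unexpected_success,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In practice the allow-list would hold the ranges actually obtained from the operators, the same ranges enforced on the firewall in front of the MDM, and the input would be the MDM logs forwarded to the separate log server; a successful administrator login from an address outside those ranges is the event to investigate first.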

[1] https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/