2020 was an especially challenging year, including for the cybersecurity industry. But what should we expect for 2021? Join host Hank Schless, threat researcher Kristina Balaam and Christoph Hebeisen, head of the Lookout Threat Research team, to find out what’s going on with privacy, COVID-19-related threats, ransomware and other trends.
Hank Schless 00:09
Hi, everyone. Happy New Year. And welcome back for another episode of Endpoint Enigma. I'm your host, Hank Schless. And we're glad to have you here listening. One tradition here at Lookout that we like to carry out every year is to reflect on the previous year, look at some security trends we observed and some lessons we learned and other things we witnessed out in the market. So I think looking at 2020 is obviously an especially challenging year for all sorts of reasons for many people. But that includes in the security industry. A lot of the changes that we're going to discuss in this episode, you know, really challenged the industry and everyone across all aspects of it. So we're going to talk a little bit about that and, and also a glimpse into what we can expect in 2021. And joining me today to talk about all of this are two members of our threat research team. So I'm excited to have them on because they spend all day every day making us safer by analyzing mobile threats, and really have an expert understanding of the entire threat landscape. So first, we have Christoph Hebeisen, who is our security Intel Research lead. He's the head of the team. Christoph, thanks so much for joining us.
Christoph Hebeisen 01:22
Thanks for having me on Endpoint Enigma.
Hank Schless 01:25
Always a pleasure. And then we also have another security Intel researcher, engineer Kristina Balaam. And Kristina, we're glad to have you on here as well. So guys, let's dive right into it. So something that has consumed as a part of our everyday lives for everybody is the COVID-19 pandemic. And I remember towards the beginning, people were, you know, more about, “Okay, let's try to contain this virus.” The idea of contact tracing apps was really coming into the forefront of a lot of conversations pretty early on in the pandemic. And understandably, people were kind of afraid that these apps might not be so secure, and that their privacy could be compromised as part of this process. So Christoph, first question is for you. What role do you think privacy will play in 2021, both in the context of COVID and coming out of those woods, and then on a greater scale?
Christoph Hebeisen 02:20
I'm glad you mentioned COVID tracking apps, because that's really a good news story for privacy. I think, initially, there were, of course, those reports of COVID passport apps out of China. And if those showed a red screen, you wouldn't be allowed into certain buildings or certain areas of the city. And that really sounded like a nightmare straight out of 1984. But then Google and Apple and public health authorities got together. And I think they really did the right thing in most places in Europe and North America and created effective apps that don't compromise people's privacy. Now, if everybody actually installed them, maybe we would do better at tracking where COVID is coming and going. But so far, it seems we are not having much luck with that. But I think that in 2020, there was actually another really important privacy story, and it might in the long run have some quite welcome consequences. Strangely enough, it starts with an app that teenagers use to post 60-second videos. I'm talking about TikTok, of course. So as opposed to all your concerns about the data we share on social media, you may remember the Cambridge Analytica scandal three years ago that had absolutely no impact on people's behavior, I would say. And it turns out that the spying accusations against TikTok; they made a lot of noise, but they ultimately turned out to be red herrings or there was simply no evidence that there was actually any spying going on. But it had some real world consequences, especially public sector employers, but then also some private sector employers started banning TikTok from their employees' devices. And I think that woke up enterprises and governments to the exposure of the privacy and confidentiality that they have through their employees’ devices. In the long run, this will really increase consumer awareness as well; it tends to lag a little bit behind. Apple has really taken the lead here. And they have recognized that consumers will want that.
And they now require app developers to post for privacy what they call nutrition labels to be displayed for every app in the App Store. And they were the first to take this action, but I doubt that will be the last and I fully expect that users will come to demand to know what happens with all of their data.
Hank Schless 05:00
There's a lot to think about there. You know, I think especially the last couple things you mentioned with the nutrition labels, the first thing I thought of when I saw that come out was when all the fast food restaurants were required to post their nutrition facts somewhere in the restaurant. And then people realize that, oh, this stuff actually is bad for me. Now, that's not to say that mobile apps are bad for people, but sort of a similar, you know, “let's see how the sausage is made” type situation. It will be interesting to see if people beyond just security-conscious folk start to demand a better understanding of what's going on with their data. And we obviously hope for that. Now, Kristina, to continue down the same thread. COVID obviously forced all of us to stay at home. I'd really be interested to know what you think about how that changed things from a threat standpoint in 2020. And if you think any trends will continue to grow in 2020 and wonder if maybe some new ones will come about?
Kristina Balaam
Yeah, I mean, as we've talked about, COVID has changed so much about how we live and work. And these kinds of new normals –– the whole work-from-home life and locked-down life have given opportunities to attackers that they didn't really have before, or at least not in the same kind of scale. And now, they're also able to monopolize on the fears that many of us had, especially at the beginning of the pandemic, you know, uncertainties about the stock market, or health or families or work-life for a while. And so you really saw attackers take advantage of that. On top of that, now that we're all at home, more people are using digital channels that they might not have relied on as much before. We have a lot of kids that are in school virtually. And you know, we have nonstop Zoom meetings. And so, you know, that kind of gave attackers just, I guess, another attack surface for any kind of nefarious things that they wanted to try and attempt. So we've seen a lot of phishing emails and messages and websites that are attempting to lure people by pretending to come from trusted organizations like, you know, the U.S. Center for Disease Control and Prevention, the WHO, government health advisors, and phishing kits that are even targeting airline customers. And you can actually find a surprising number of these on the dark web. They're like two US dollars per kit. And part of the advertising campaign, I guess, for them on the dark web is that you don't even really have to have any technical expertise. In kind of like the malware space as well, we're seeing a lot of fake COVID-19 apps that have popped up. And basically every known Android banking Trojan family has been embedded in some kind of fake COVID-19 application. So the most common of these are the ones masquerading as applications for getting COVID alerts from your area, or for tracking global infection rates. So, I mean, for 2021, it doesn't really seem like COVID-19 is going anywhere. 
And I think we can expect to see these threats continue and probably pivot slightly to lure victims based on the new information and the support we're receiving, like the vaccine distributions and funds and that kind of thing.
Hank Schless 08:01
Yeah, totally. It'd be almost like a full circle for it, you know, to come around and say, “Okay, we… all these bad guys started off by targeting us because we want to learn new information or we want to hear about where infections are increasing rapidly, whatever it may be.” And then for it to come full circle on vaccine relief, all of that would be probably not that surprising. Yeah, absolutely. So Christoph, we've talked a lot about phishing so far. You know, Kristina mentioned a little bit about how some of this malware is starting to get embedded into applications, you know; there are other threats in 2020. So what are the ones that you think we need to be most aware of?
Christoph Hebeisen 08:42
In mobile malware, what we kind of saw in the past would mostly have been what you'd refer to as petty crime used to steal some money by our premium text messages, or you annoy the hell out of users through adware and cash in on the pay-per-impression pass to advertisers. Or maybe you rip off the advertisers directly by using click fraud. On the other end of the malware spectrum, you kind of see these very organized but not financially motivated malwares, namely government spying on either their own citizens or on foreigners. But apparently now the crooks are taking a page from Big Brother's book and are becoming more professional. What we have seen over the past couple of years have been legit looking companies engaging in behavior that is really malware. Like, for example, we reported on a business model that appears to have relied a lot on revenue from adware, because after Lookout reported how their Beta SDK spammed users with ads, their market cap took a fairly significant hit. And from what I've seen, they never really recovered from that. So that's legit looking companies doing shady things, we kind of see the same development really in the deep dark criminal underground. Kristina mentioned the banking Trojans. What I really find fascinating about those is that they are becoming ever less vertically integrated. It's developed by one group, they stole it, then it's customized and deployed against a target user base. Then the credentials are skimmed, and maybe that group doesn't even use the credentials to get the money –– they sell a big pile of credentials to yet another party that then capitalizes on that. So, that's kind of developments we saw over the last few years. But in 2020, we came across a cross-platform Android and iOS malware that we call Goontact. And that one is fascinating because it really fills a niche that was largely empty, at least in the mobile malware space. So far.
What happened with this malware in short, is that users in East Asia were lured with a promise of explicit chats or video calls with women. And then during those calls, or chats, under some kind of pretext, they were enticed to install what was supposedly a chat app. What was really though, a malware that would steal their address book. Now put those two things together, that makes a perfect recipe for blackmail. So it combined the financial motivation of something like ransomware, with an online honey trap. And the really interesting thing here is that honey traps are a very old trick. They were a favorite of the KGB during the Cold War. And I'd be extremely surprised if they hadn't been used even centuries before that. And while I can't really say what we'll see next year, I'm pretty sure that creativity will continue. And there'll be a whole new set of criminal profitable schemes in 2021.
Hank Schless 12:06
Yeah, absolutely. It seems like every year we say, “Oh, well, there's no way they can get more creative or come up with a wackier idea.” And you know, it does show the different ways that people can take almost like an organized crime approach to it. It actually reminded me a lot of, and correct me if I'm wrong, but I'm pretty sure it was a few years ago, we discovered a remote access Trojan that targeted Israeli Defense Force soldiers, right? And did they kind of take a similar approach where they pretended… the malware pretended to be a woman who is chatting with them? And then they said, “Oh, download this chat app” or something like that.
Christoph Hebeisen 12:37
Yeah, absolutely. That was another use of a honey trap mobile malware not for money in that case, but falsifying, yes, that we have definitely seen.
Hank Schless 12:47
Yeah, definitely. So I mean, but look, I mean, like you said, they're always evolving. So this is obviously a new evolution in that process. Another thing that was big in 2020, especially for hospitals was ransomware, targeting these types of organizations. So, Kristina, can you describe first a bit on what ransomware is, but also, how it might also still have a major role in 2021?
Kristina Balaam
Yeah, absolutely. So in a nutshell, ransomware is basically software that once you install it onto a device, a computer, etc, it allows the attacker to hijack the user's files, photos, the phone, the computer, and then they typically demand some kind of payment in order to get access to whatever has been locked or encrypted. We've seen ransomware really pose a significant threat to desktop users and networks for years. But the evolution of mobile ransomware really hit a milestone in 2020. You know, as we've been talking about with COVID, so much of our life has changed and moved online, and often to our mobile devices. This is, you know, another lucrative opportunity for ransomware developers. So when it comes to mobile, ransomware can kind of operate in a similar way. It can encrypt the files on your device the same way that PC ransomware does. But for a long time, it was using a different method, it was actually just plastering your entire screen with ransomware that would block you from actually using your device or getting into any of your files and stuff. And typically, they did this through using an Android permission called “system alert window.”
And this would just create an overlay window that you can’t dismiss or circumvent in any way. But then Google actually added protections against it last year in Android 10. And then when that happened, of course, ransomware developers needed to pivot if they wanted to execute some of the more sophisticated and effective attacks. One of the ransomware families for mobile that we saw do this was called malLocker. And the way that it pivoted was by actually manipulating the notifications you'd get when you get a phone call because the operating system would prioritize those and they combined this with a callback that would notify the application when you're going to close it. So they basically created this, like, infinite loop of ransom note popups, you know. We're seeing this, this growth in sophistication, but also in popularity. Like you said, Hank, ransomware dominated a lot of the discussions about malware for 2020, because it tended to target all of these really important institutions, like hospitals. And there are a significant number of ransomware kits for sale on the dark web. Now, similar to phishing kits, they're not expensive. I mean, you can buy them for 30 U.S. dollars. And a lot of these vendors even promise customer support; they claim you don't really need any technical expertise and they will help you set it up however you like. So it's quite concerning that there are so many kits available online for such a small amount of money and the barrier to entry is quite low. So, you know, just in the same way that we don't necessarily expect the COVID-19 threats to go away, we're likely not going to see this go away in 2021. It’s probably just going to continue to grow in popularity.
Hank Schless 15:54
Yeah, absolutely. If anything had shown… that's a more viable avenue than maybe people thought before. Absolutely. And I remember, yeah, one in particular, was, I think it was, like, the University of Vermont healthcare… hospital system got targeted. And that took down… I mean, that took down all sorts of stuff. It can have more than just financial impact on the lives of the people in hospitals, and people who rely on that, obviously, for their own health and safety. So the last one that I'm going to send back to you here… Christoph, we did see Apple launched new Macs and MacBooks running on some new hardware that's much closer to what we have in our smartphones and tablets. And I'm actually particularly interested in this question, because I actually ordered one of them. But this brings up an interesting shift that it's really making. Desktops, computers, laptops are shifting to look more like mobile devices. And I remember, probably last year, Apple was running an ad campaign that said, your next laptop isn't a laptop. It showed a picture of an iPad. So my question in long winded form is, do you think that this merging of mobile and more traditional operating systems is going to impact how we think about cybersecurity going into the future?
Christoph Hebeisen 17:10
Yeah, absolutely. I think that move towards ARM chips is one in particular that’s exciting at so many levels. But I really think that as this shift goes from desktop towards more mobile OS, like operating systems, no one is really more of a symptom than a driver. For those of us who have been watching this space for a while, the writing's really been on the wall. In 2019, macOS Catalina was released. And in that release, Apple already deprecated kernel extensions. So if you can't run a kernel extension anymore, as third party software, you really have much less deep access to the system that you're running on. So you will now have to rely on APIs that are supplied by Apple directly and that are essentially the approved way of doing things. Microsoft is kind of coming at the same thing from a different direction. In Windows 10, you can activate something called S mode. And in S mode, you're limited to what apps you can and cannot install or run. And it's just apps from the Microsoft App Store. Again, that should sound familiar. It's something that looks very much like your mobile phone. And at the same time, you may have noticed Chromebooks are becoming ever more popular, I think they got an enormous boost from all the home education that is happening now with COVID and how every child needed a laptop and Chromebooks are just relatively cost effective laptops. But again, it's a laptop operating system that puts very strict limits on what code you can run on the device. Overall, I think from a security perspective, those are positive developments, both for security and for privacy, because now our code is more vetted and third party code can't get as deep into the operating system and access all data. And so in that sense, these developments reduce the attack surface. But there is a bit of a downside to this. Certainly desktop antivirus used to rely on very, very intrusive access to the system. And that is being cut off at an increasing rate.
My expectation is that desktop security software will look very much like mobile security software in the near future.
Hank Schless 19:53
Gotcha. Yeah, well, I guess only time will tell you guys. Thank you both for joining. I think that's a good place to wrap things up for our predictions. Well, your predictions on 2021. So Christoph and Kristina, thank you both very much for joining us today. That's been my pleasure. Anytime you want to come back, you know where to find me. And for everyone listening, we do actually have a predictions blog that Christoph wrote. You can find that on blog.lookout.com. And there's also a blog about the Goontact threat discovery that we talked about over the course of this conversation. So check that out. It's pretty interesting in depth, the technological explanation of it, how it works. And that was a very, very cool read. So as always, be sure to follow us on LinkedIn and Twitter –– @Lookout. And the threat research team actually also has a Twitter account, @LookoutThreats, so be sure to check that out. And thank you all for joining us as always, and we'll see you next time.