Kaspersky: ‘Remote Access Trojans Can Have Almost Total Control Over Mobile Devices’
We interviewed Tatyana Shishkova, Lead Security Researcher at Kaspersky's GReAT, who discusses current developments in cybersecurity and the progress being made in areas such as threat detection and the fight against digital harassment.
A few weeks ago, the SuriCon conference took place, a meeting point for technical learning and innovation in security built on the open source ecosystem and its community.
Organised by the Open Information Security Foundation (OISF), its main focus is the open source tool Suricata, designed for intrusion detection and network monitoring.
On the occasion of this event, we had the opportunity to interview one of the speakers: Tatyana Shishkova, Lead Security Researcher, GReAT Kaspersky, who has been with the company for more than eight years researching and developing advanced techniques for detecting malicious software on Android devices and in network traffic, using tools such as Snort and Suricata.
Her experience has led her to present research at global forums such as Mobile World Congress and the Security Analyst Summit. Her most recent research includes the study of banking Trojans and the GravityRAT family of cross-platform cyber-espionage tools.
Shishkova has also been noted for her commitment to STEM inclusion as a member of the Women of Suricata community and for her work with the Stalkerware Coalition, where she is active in detecting and classifying stalkerware threats, helping to protect victims of digital harassment.
She discusses all this and more in this interesting interview:
-What topics did you address in your presentation at this year’s SuriCon? What can attendees expect to learn about threat detection and response?
I talked about using Suricata to detect CVEs in the network – publicly disclosed vulnerabilities in software or hardware that can potentially be exploited by attackers – and highlighted the most popular vulnerabilities that threat actors try to abuse, based on data from our Kaspersky Anti Targeted Attack Platform. I also demonstrated how Suricata can be used to protect against these threats.
-What are the current top trends in Android malware and what challenges do researchers face in detection and mitigation?
Mobile banking Trojans continue to increase, and modern banking Trojans often have full RAT (remote access Trojan) capabilities. Attackers can gain almost full access to the device, including real-time streaming of the device’s screen.
In addition, authors use different tricks to hide malicious functionalities. Modern mobile malware is often multi-stage, which means that it employs a sophisticated and often multi-faceted approach to infect devices, evade detection and carry out its malicious activities. Moreover, it can go undetected for a long time, as demonstrated in the Mandrake case.
-Your recent research has focused on banking Trojans and Mandrake. What particularities have you found in these threats that make them particularly dangerous?
Indeed, my recent research has focused on a new spyware campaign distributing the Mandrake malware via Google Play, disguised as five legitimate apps, including one related to cryptocurrencies. These five apps, published on Google Play in 2022, accumulated more than 32,000 downloads.
Although these malicious apps are no longer available on Google Play, they were previously accessible in several countries, with the majority of downloads occurring in Canada, Germany, Italy, Mexico, Spain, Peru and the UK.
Spyware is one of the most nefarious types of malware, capable of going undetected on a device while collecting information about its owner. The risk increases when spyware masquerades as applications in the official shop, underlining the importance of exercising extreme caution and installing proven security solutions.
Kaspersky did a detailed technical analysis of this campaign: https://securelist.com/mandrake-apps-return-to-google-play/113147/.
The main points are that Mandrake uses many anti-analysis tricks, emulator and environment checks to prevent it from running in an analyst's environment, and downloads the final payload only on devices that are of particular interest to the attackers. This allowed the malware to remain on Google Play for 2 years, successfully bypassing all security controls.
-How have tools such as Snort and Suricata evolved in threat detection, and what role do they play in the defence strategy against advanced attacks?
Almost all attacks require some form of network communication between the targeted device and the attacker’s command and control servers, and these network activities can be detected using tools such as Suricata and Snort. Suricata versions are constantly being updated, receiving additional capabilities to detect suspicious network activities. The main task for analysts is to keep abreast of Suricata updates and the latest features added to make the most of Suricata’s capabilities.
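To make the two detection use cases from the answers above concrete (tagging exploitation attempts against a known CVE in HTTP traffic, and flagging command-and-control traffic), here is an added example of a small Suricata rule file. It is the editor's own illustration, not a rule set from Kaspersky, the talk, or the OISF. The CVE chosen (CVE-2021-44228, Log4Shell) is an assumption for illustration and is not one the interview names; the watch-list path and the `c2-domains` dataset name are likewise hypothetical. Syntax targets Suricata 6.x; `$HOME_NET` and `$EXTERNAL_NET` are defined in suricata.yaml.

```suricata
# Added example (editor's own, not Kaspersky's or the OISF's rules).
# Rule 1 and 2: exploitation attempt for CVE-2021-44228 (Log4Shell), chosen here
# as an illustration. The trigger string "${jndi:" is written as hex
# (|24 7b| = "${", |3a| = ":") so the rule parser never sees "$" or ":" inside
# content; nocase also catches "${JNDI:" variants. The metadata keyword carries
# the CVE so alerts in eve.json can be grouped per vulnerability, which is how a
# "most abused CVEs" ranking like the one mentioned in the talk can be built.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE EXPLOIT Log4Shell CVE-2021-44228 JNDI lookup in HTTP header"; flow:established,to_server; http.header; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; classtype:attempted-admin; reference:cve,2021-44228; metadata:cve CVE_2021_44228; sid:1000001; rev:1;)

# Same pattern in the request URI (the normalized http.uri buffer is already
# percent-decoded, so "%24%7bjndi%3a" is matched as well).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE EXPLOIT Log4Shell CVE-2021-44228 JNDI lookup in HTTP URI"; flow:established,to_server; http.uri; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; classtype:attempted-admin; reference:cve,2021-44228; metadata:cve CVE_2021_44228; sid:1000002; rev:1;)

# Rule 3: C2 detection via DNS. Any internal host resolving a name that is on a
# hypothetical watch-list (/var/lib/suricata/c2-domains.lst, one base64-encoded
# domain per line, as Suricata's "type string" datasets require) raises an alert.
# threshold limits output to one alert per source host per minute, so a beaconing
# implant does not flood the SOC with one alert per lookup.
alert dns $HOME_NET any -> any any (msg:"EXAMPLE MALWARE DNS query for domain on C2 watch-list"; dns.query; dataset:isset,c2-domains,type string,load /var/lib/suricata/c2-domains.lst; threshold:type limit,track by_src,count 1,seconds 60; classtype:trojan-activity; sid:1000003; rev:1;)
```

Check the file before deploying it with `suricata -T -c /etc/suricata/suricata.yaml -S local.rules` (test mode, loading only this rule file); rules with a parse error are reported and the run exits non-zero. SIDs in the 1000000+ range are reserved for local rules and will not collide with the ET Open or Kaspersky feeds.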
-What progress has the Anti-Stalkerware Coalition made in the fight against digital harassment and how are Kaspersky tools used to detect and mitigate these threats?
The Coalition publishes informational materials that explain how a victim can understand that they are being stalked and what to do in this case; cooperates with non-profit organisations that help victims of stalking by providing them with information and technical support; and coordinates the work of various IT security vendors to detect and identify stalkerware applications. Kaspersky products are used to detect the latest versions of stalkerware on the device, and Kaspersky also cooperates directly with local non-profit organisations that help victims of stalking.
-In your experience as a speaker at global forums such as the Mobile World Congress, what differences or similarities have you found in cyber security threats and strategies between regions?
Cyber threats are present in all regions, with differences emerging in the financial threat sector, for example. These variations can be attributed to local trends and the distinctive characteristics of financial technology markets in different areas. For example, in Europe, Latin America and Russia, attackers use different strategies to infect users with banking Trojans. The social engineering methods used as an infiltration vector also differ, with malicious applications masquerading as different legitimate applications or services popular in a specific region.
-What technological developments do you expect in the coming years in the field of threat detection and response, and how is Kaspersky preparing for them?
AI and machine learning (ML) have long played a crucial role in defensive cybersecurity, improving tasks such as malware detection and phishing prevention. Kaspersky, for example, has been using AI and ML to solve specific problems for nearly two decades.
We currently have a dedicated Kaspersky AI Technology Research team, which applies data science and AI algorithms to detect various cyber threats, including malware, phishing & spam and large-scale targeted attacks – contributing to the detection of more than 411,000 malicious objects daily.
-As a member of Women of Suricata, what actions do you consider essential to promote inclusion and diversity in the cybersecurity field?
The first step is to eliminate bias in the recruitment of professionals, focus on professional competencies and provide opportunities for entry-level professionals with limited access to education or practice. For example, the OISF (developers of Suricata IDS) works with the Outreachy internship programme.
It is also important to showcase examples of women who have achieved success in the profession, and for these women to share their knowledge with others. At Kaspersky, we provide free access to online Suricata rule writing training to the interns selected by the OISF. The women working with Suricata keep in touch, organise Zoom calls and help each other prepare talks for conferences.
-Finally, what advice would you give to young people interested in a career in cybersecurity, especially women who want to enter the field?
Don’t be afraid to ask for help and ask questions, everyone started at some point!