The Microsoft Threat Intelligence Podcast 2.7.24
Ep 11 | 2.7.24

Mobile Threat Landscape Update
Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cyber crime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cyber security. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. Welcome to the "Microsoft Threat Intelligence Podcast." We have an amazing set of guests today. I am super, super excited to talk to these super talented mobile threat researchers and mobile malware experts. First we've got Apurva Kumar. She is a senior security researcher on the Microsoft Defender team. She has an incredible background where she focuses on nation state and stalkerware surveillance campaigns. She's spoken at RSA. She has a master's degree in applied sciences and all kinds of super talented background with mobile. Apurva, thank you so much for being here.

Apurva Kumar: Thank you for having me.

Sherrod DeGrippo: And next a veteran of the "Microsoft Threat Intelligence Podcast." Christine Fossaceca, senior mobile security researcher at Microsoft. She focuses on iOS. Background in mobile exploit development, forensics, and red teaming. She also does reverse engineering and pen testing. No big deal for her. And she works on the Defender for Endpoint team looking at iOS zero days. She also has her own podcast called "Her Hacks" which you should check out where she gives career advice to people interested in entering cybersecurity. Christine, it is so good to have you back.

Christine Fossaceca: I'm glad to be back. Super excited for today.

Sherrod DeGrippo: We're glad that we got you back from the Europeans when you went over to Black Hat Europe. And we'll talk about that a little bit later. Glad they let you out. And finally we have Laurie Kirk. She is a security researcher at Microsoft. She specializes in cross platform malware analysis with a focus on mobile threats, and she has her own YouTube channel which you have to check out. It's called "LaurieWired" and it covers in depth malware analysis, reverse engineering, exploits, all kinds of security topics. She has the coolest background that I think I've seen on the podcast. So you have got to go check out her YouTube channel so you can see all of this cool stuff that's in her background behind her. Laurie, thank you for joining the podcast.

Laurie Kirk: Thank you so much for having me. Really excited.

Sherrod DeGrippo: So one of the main reasons that I wanted to have the powerhouse of mobile threat on the podcast is because of this particular release that came out of CCC, the Chaos Computer Congress. This came out about a month ago. If you want to check it out, you can Google "Operation Triangulation, what you get when you attack iPhones researchers." And the full video is on YouTube. So I'll kind of set it up and then I'd love to hear from mobile experts which obviously I'm not anything of a mobile expert. I would love to hear kind of your point of view and help our audience understand what this really means. So this attack was found by these researchers at Kaspersky. It's a zero click attack on iOS. So on iPhones. It has four zero day vulnerabilities in iOS and it comes with three main pieces. A malicious iMessage, a hardware bug, and a Safari exploit are all needed to make this work. So there's this spyware that they found. It was targeting researchers. And I want to learn from Microsoft's mobile experts here on threat what does this mean, how worried should we be about it, what is this all about?

Christine Fossaceca: I did want to say the last podcast we talked a little bit about this and you were of the opinion that, you know, security researchers have been targeted in the past and they need to be more protected and I was definitely more like, "Oh, yeah. Maybe." And I was maybe not taking it as seriously as I should because I thought I'm just a security researcher. Who cares about me? So I stand corrected. And it sounds like security researchers are being targeted with increased prevalence.

Sherrod DeGrippo: So when you checked this out, because I know all of you took a look at it, what does this mean for researchers? Like what -- what should they be thinking about? Because a lot of times I'm guilty of it. We're all guilty of it in the past saying, "Oh, you know, that's really crazy. That probably wouldn't happen." So in this instance it did happen and it was specifically targeting security researchers and mobile researchers. What kind of threat is this today?

Apurva Kumar: I think I can try and take that, if that's okay. So having looked at like a lot of surveillanceware for like the last five years of my life before joining Microsoft, this is kind of exactly what the mobile platform is perfect for. One of my mentors used to describe it like if you imagine yourself and you go back to sort of the days of the Cold War and you know you have a time machine. You can go back and you talk to those KGB agents and you tell them that, "Oh, in the future everybody walks around with like this black box in their pocket and it has like a high fidelity camera and a high fidelity microphone and it has, you know, location tracking, and it has every photo that they've ever taken, every file that they've ever downloaded, you know all the meetings that they'll ever have, all the contact details of everybody that they know," the KGB agent will, you know, likely think that this is some sort of weird dream. But it is actually true. We are kind of synonymous these days with our phones. And there's only two ways that you can do this with a researcher. Either you get super paranoid or you sort of take it for granted and you go, "Oh, I'm not getting targeted." So it's one of the two. But the mobile platform is actually very perfect for surveillanceware. It's kind of the attack. That's how wired gets so much attention in the news and other places whenever these things pop up. It's because it's the ultimate invasion of your privacy. It's everything that you own right there in your pocket. And, you know, it's your privacy's been violated in the worst way. So yeah. It is definitely a wake up call I think, but it -- and it means that, you know, as researchers we should consider our own threat model and we should consider our own risks including that of others that we protect.

Sherrod DeGrippo: So it sounds like we're in a situation where zero days, no click, on mobile are a reality much more than kind of a theory or this rarefied lightning strikes thing that happens every once in a while. So, Christine, I want to ask you as someone who I use as my go-to whenever I have a mobile question, what did you think when you saw this presentation and watched this video? What were your thoughts? Because it's pretty long and it keeps getting wilder as it goes.

Christine Fossaceca: I thought it was pretty crazy, honestly. I had a lot of FOMO during CCC because a lot of my friends that know I do iOS work were sending it to me and they're like, "Are you going to see this today? Are you going to watch the live stream?" And so yeah. A lot of FOMO too because I was like, "Oh, I wish I -- wish I would have planned to go to CCC."

Sherrod DeGrippo: Well, and as far as the research that was put out, Laurie, I'll go to you. Like were you worrying about your own potential targeting? Because they don't give -- from what I can tell, and correct me if I'm wrong, there's not an attribution in the presentation. They just are really talking about the attack and the malware. There's no threat actor connection from what I can tell. So, Laurie, were you thinking, "Oh, I need to maybe update my devices?"

Laurie Kirk: Oh yeah. Definitely. So I think what primarily stuck out to me when I was watching this presentation is how stealthy the threat actor in this case was trying to be when they were performing this attack. It was really so many stages to the attack and basically the second half of the entire attack chain was just them trying to stay completely silent and not affecting the device and trying to clean up their tracks and clean up the logs and not leave any examples of the exploit on the device. So I was really thinking when I was watching this, "Wow. This is really interesting that it's specifically targeting security researchers." It's not performing anything in the foreground when you're trying to take a look at this and see if your device is infected. I remember specifically a couple of questions at the very end, one person saying, "If you're not a security researcher, how do you know your device has potentially been infected?" And basically the primary answer was you don't because this isn't giving any kind of foreground indication. You have to actually go into the logs to find traces of the exploit. So one of the only mitigations that you can really do that I found particularly interesting is reboot your phone. Because a lot of these attacks are just not able to remain persistent on devices after reboot because then they have to perform the entire attack chain again.

Sherrod DeGrippo: That's interesting, your point about persistence, because I think that was something that's really come up recently in some of the home router compromises. There is no capability for persistence even with out of date firmware on some of these residential home routers which is why over the holidays I sort of made the joke that everyone needs to go power cycle. If they -- if they're not going to update their family's routers when they go home to visit, they at least need to power cycle them because that persistence angle has just not been achieved with a lot of hardware exploits like this that involve a hardware aspect to them. They just can't keep the persistence. And so that simple thing of a power cycle actually gives you a little bit of a bump in terms of your security posture if you can remember to do that. So I check my uptime actually weirdly on my laptop a lot, and if it gets to like seven, eight, nine days, I'm like, you know, I'm going to take that uptime down. I don't like it being at 10. Now obviously when you're like running servers and you have individual host type machines uptime is great, but I kind of like to keep my uptime low on everything that I own.

Laurie Kirk: Yeah. It's particularly good practice like if you're at a security conference and you're using an iPhone or even other devices if you just keep on rebooting your device just as extra protection mechanisms. It's pretty effective. Like even if you've gone ahead and manually jailbroken your own device, a lot of these jailbreaks are not persistent if you reboot the device afterwards.

Sherrod DeGrippo: Do you recommend jailbreaking your device?

Laurie Kirk: No. Just -- it depends what you're trying to do. Not the everyday user because it can be a little bit unstable, but like security research stuff kind of needs some extra capabilities. I don't jailbreak my phone that has my banking apps and email. I only jailbreak my dedicated research devices.

Sherrod DeGrippo: So you're -- so like your sandbox type device is -- how many -- how many devices do you have up and running, Christine, that you use?

Christine Fossaceca: Well, a lot of them are off right now, but I have -- I mean in my office I have like 20 iPhones currently just like -- and I have like tons of Apple IDs which when I was working on my Black Hat presentation with Bill Marczak from Citizen Lab we were looking at this iCalendar exploit and I actually like -- I wanted to make multiple Apple IDs because I was trying to send this exploit over iCalendar and I obviously don't want to log in on my test device with my real Apple ID and somehow mess up my iCloud account. And then it was getting like banned by Apple for abuse and I was like, "No. I am a researcher." Like yeah. It was -- and I had to message like the security research device program and I was like, "Why is my Apple ID getting banned?" Like it was a whole -- whole thing.

Sherrod DeGrippo: When I travel internationally I make a different Apple ID for each time. And I travel with a different Apple ID each time I travel internationally just because the laws are different. Their surveillance laws are different in different countries. I live in the United States and I have certain protections, but in other countries I don't. I'm going to think about that because, oh, that's an interesting threat model. I mean last episode I felt a little paranoid admitting that like, yeah, I reboot my phone a lot, but I mean it's really a way to go because the only way to establish persistence is if they're able to find a way to embed some type of exploitation mechanism upon reboot. So there are certain threat actors that will -- like this Predator malware was able to create a shortcut on iOS which is just like it's kind of like an automated -- an automation feature that's supposed to automatically do something for you. So like as an example if you check your weather every morning then the -- you'll start getting suggestions from Siri when you wake up. Like, "Hey, do you want to know what the weather is?" And so they created this shortcut that any time any app was opened it would run some of this code and that was the re-exploitation code. So it was false persistence I guess because it wasn't a persistent exploit, but they were reinfecting upon reboot. So that is like, you know, very, very advanced and scary because if you do reboot your device and they have that type of feature then you will get re-exploited anyway. So let me ask then. All of you focus on iOS?

Christine Fossaceca: Android and iOS.

Laurie Kirk: Android and iOS.

Apurva Kumar: Same here.

Sherrod DeGrippo: Do you two, Laurie and Apurva, do you both have a bunch of devices too? Do you have like stacks of iPhones? Laurie is showing hers on her video.

Apurva Kumar: I have them. I just -- I just bought like you know one of those stands that you can like slot in those devices. Because they were just lying everywhere and you know my daughter she's one year old. She just keeps finding them and then they go around the house. So I'm like, "No. I need to put them in one place now." But by the way she's done wonders for my opsec because she's the one who keeps restarting my phone because that's the only thing she knows how to do on the phone is restart it.

Sherrod DeGrippo: I have a drawer of old iPads and iPhones and some -- so speaking of international travel, I sometimes change phones to travel internationally. I put a different Apple ID and I use an older iPhone model just to kind of, you know, update it. But I use an older one to just kind of feel like a little bit more distance from the local infrastructure. But I think like you were all kind of talking about before, Apurva especially, your mobile device is who you are now. Not only does it have so much of your personal effects like your banking app like Christine mentioned and your photos and messages from people, but it literally is used now as, you know, your two factor. It's something you have. And that kind of means that there is this really ripe attack surface. So kind of like help me understand where we are today in mobile threat, and then let's talk about where we think mobile threat's going to go.

Christine Fossaceca: I can talk a little bit from the Android side. I focus a lot on analyzing Android banking Trojans. So I think it's really interesting for right now that there is so much focus on spyware inside of both the Android and the iOS space. Like they're just ripe for spyware basically. Pretty much every kind of crazy zero day attack from a different threat actor you'll find out the payload in the end isn't too terribly different from basically any other payload that you're seeing around. They're trying to gather device details. They're trying to spy on photos, potentially find location data, and a ton of different stuff related to just like your personal details all the time. One particularly interesting threat is banking Trojans that are really targeting a lot of different Android users currently. Basically they'll try to pretend to be a legitimate banking application and create this kind of foreground fake web view that looks just like another kind of banking or financial application that they're currently targeting. And then they use different regular expressions which basically parse and try to find details inside of the fake web view that you're looking at to try to parse out the user's username and password from this fake banking application. And they also kind of work doubly as spyware as well and just collect a ton of different data on the device. So kind of just to summarize that, I just see a lot of spyware going forward both on Android and iOS. And I think that's just going to continue for the time being.

Sherrod DeGrippo: How are these apps getting on your device?

Christine Fossaceca: Sometimes usually from the Android side people are downloading really sketchy applications that are hosted sometimes on legitimate -- like the Play Store and stuff like that. And occasionally they'll also side load different applications. So basically taking a third party APK or IPA file which are the main application bundles for these different platforms and loading them on to the device manually which is incredibly unsafe if you're not verifying the source that you're getting these from.

Apurva Kumar: The most prevalent and most common attack vector on mobile devices these days is phishing. So that is the thing that I would say most of the attacks start. It's not necessary that it may install malware on your device. That's the other thing. So again whenever you think about a mobile device you should think about information, that people are trying to get data from you, because that's what it's for often, what it's rich off. So what essentially all the threat actors try to do is try and grab some type of data. So phishing is perfect in that they masquerade as something maybe trustworthy or something urgent. They get you to give up some type of information whether it's your credit card details or your personal details. Or they get you to install something on their device so that their objective again just like Laurie said is to get even more data after that. So it's -- it's kind of just like everything's a hybrid of the spyware on mobile and everyone's trying to get as much data as possible. And it's not just the kind of espionage portion. You can do a lot with data these days. It's a really lucrative market. I think it's like in the billions. It can just sell people's data. And so this is -- this is a really good like a rich platform and a rich area to get that data from directly from those users. And sorry. This might be a little bit of a tangent, but on the phishing side which I'll spend a little bit of time on, I've seen attacks that happen at like specific times. Like they will target somebody in North America. Let's say the east coast. So they'll do a wide spray attack where everybody gets like a message or an SMS on their phone. But they'll do it on like a Sunday evening or a Monday evening. Essentially like on a -- during a time where you're zoned out and you're not thinking. And you might just happen to click something just by mistake and just -- you know, without thinking too much about it. And that's where they hook you. 
So I think -- I think both sides have kind of played this really well. And this is the biggest problem I feel like on mobile is kind of that phishing aspect which tends to be -- if it's not an exploit and a zero click and everything, it's probably phishing.

Christine Fossaceca: Yeah. I reached out to Apurva especially because of her Android expertise over the summer because my -- my grandmother was like, "Christine, I have too many apps on my phone and I don't know how these apps got on my phone and what's going on." So I --

Sherrod DeGrippo: Red flag.

Christine Fossaceca: I looked at her phone because I was -- I assumed I was like, "You must have like clicked a link." And she's like, "I didn't click anything." And so what actually happened was data's really valuable, especially for advertisers, and certain manufacturers like phone manufacturers and I forget what kind of phone she had -- it was some Android phone. But that manufacturer basically had a deal with the Temu app which is like --

Sherrod DeGrippo: Oh no. That was like a breach too.

Christine Fossaceca: So everybody with this -- I think it was maybe like some kind of Galaxy device, but everybody with that device was getting that app installed on their device with their software update. And so she had -- doing what she's supposed to do, doing the software update, and is getting like this random app that she doesn't want or need on her device. And that's how they're able to once they deploy those apps like they're able to collect ad analytic information and use that. And then data brokers can sell that information. So I, you know, was going on her phone trying to uninstall it and for this particular app I don't know if it's the way that it was installed with the software update, but it had a different install procedure. So it wasn't like my grandma not being technologically savvy couldn't figure out how to do a normal uninstall. It was like I was struggling trying to figure out how to uninstall this app because it was a different procedure. So I feel like that really speaks to what Apurva mentioned with, you know, how valuable this data is.

Sherrod DeGrippo: When you say phishing, are you talking like an email? Are you talking a text message? What is the communication vehicle that you're seeing phishing come from?

Apurva Kumar: Pretty much everything. So it could be a text message. It could be an email. But it could also be on a third party messaging system. So in certain parts of the world like India, like sort of Southeast Asia, you find like a lot of spam stuff coming through things like WhatsApp and WeChat and things like that. And everybody uses those platforms to communicate so they're used to getting a lot of messages, but now it's just gotten like so out of control. And I think like, I don't know, over here I found it -- I found really weird ways. I don't know if you know, but you can like email people through messages. And then like iMessage can also get emails and it can also get normal text messages and you can also do it through short codes. So there's so many ways of like getting through the system and the attackers know all these flows or how to get their messages out. So they use what's called communication platform as a service, CPaaS platforms. I think it's called Azure Services. I think one of them Microsoft runs, but things like Twilio and those sorts of things like that. And so they're able to use those things because they know exactly where they can send your messages and they use all of these weird kind of loopholes to get messages out. So it's everything. And anything could be a phishing message. It could be an ad on your phone. That's a phishing message for you.

Sherrod DeGrippo: Oh, my gosh. That's very stressful. So I want to ask just really quickly before we get into some of the other topics speaking of messages do you have any background or highlights that you'd like to share on these messages? They're usually text messages and they usually say something like, "Hey, Sherrod, I have a task for you. It's very important." And then they send you to buy gift cards. Or they try to get you to buy gift cards. And so my question is what is going on with that. And two, you know the question, two, how bad is it? How bad is it to mess with these people?

Christine Fossaceca: So my friend Paige Connolly [assumed spelling] when we worked at MIT she gave a talk on this. And she -- she called it gift of fraud. And it was really interesting. I'll have to see if I can find it somewhere online. But she'd actually done research on like the mechanism of like how they -- how they're able to monetize this like weird gift card market. I actually don't know a lot about it so now I'm like, "Oh, I wish I could like find her talk." I might have to ask her.

Sherrod DeGrippo: Yeah. So I've done some research on this. I talked to "TechCrunch" about some of the gift card scamming stuff and the gift card fraud which I find fascinating, but something I don't really think about is that like gift cards are a commodity on a market. So like you can go on to websites and sell the gift cards which you also sell them for less. So like if you have a $100 gift card, you can sell it for like $95 because the platforms take a cut. They want to buy them at a discount. All these things. But so let me ask you next then does anyone have an opinion on mess with them or don't? Because I think myself and my friends, you know who I'm talking about, we love to be like, "Oh no. I went to the store to buy the gift card, but it was flooded. There's sharks." Like and just kind of waste our time. Is that super dangerous?

Laurie Kirk: There's a lot of different channels that are specifically dedicated to doing just that. And they've been around for a lot of different years. Like they go back probably five years is when I started watching them. And they're really interesting to watch, and they're working with a lot of different scammers from all over the world from a ton of different places. And they're still able to keep their channels, and I've never heard of them having crazy problems. That being said, I don't really do that stuff myself because there's a little bit of fear of like making the wrong person kind of angry. But then at the same time a lot of them are lower level threats. So they're not -- they're not like going to have a zero day that they can waste on you.

Christine Fossaceca: Okay. Yeah. I agree with that.

Apurva Kumar: I would say like if you have the time I guess if they're busy with you they're not scamming other people, and that's one way of thinking about it. But I don't have that much time to do it. I think my husband has done it a couple of times. Like I've seen him do it a couple of times and it's been people from like -- who speak the same language as us. Like our -- his mother tongue. And he got them to a point where they were just swearing at him to like get off the phone.

Sherrod DeGrippo: I love that.

Apurva Kumar: I think it's -- it can be cathartic depending on your attitude about it.

Christine Fossaceca: Yeah. I think I would be nervous if it was like a really large operation because, like Laurie said, like there's smaller actors and bigger threat actors. So some of these channels that really like on YouTube they'll dig into it and they do this big investigation and they get law enforcement involved and they take down these like giant operations. And so those people, they have a lot of time and energy to like annoy me. So I think I maybe don't want to annoy them. But that being said, I have helped a few people before at a very small scale. There was someone -- Taylor Swift. I'm a huge fan. Her Eras tour tickets came out. A lot of people were buying them and scalping them. But on top of that a lot of people were pretending they had tickets on Twitter, using Twitter to scam people into sending them money on Venmo. And if you pay Venmo, that's like PayPal friends and family. There's no recourse unless you use like goods and services which is a new feature they had added later. So there was a couple of people that got money stolen. And so I saw this. I got, you know, mad for them, and kind of unprompted did a little bit of an OSINT dive. And I was like, "Hey. Here's their Facebook. Here's their like -- " Here's all this information just like from their Venmo username. Because the person would give a post saying like, "So and so on Venmo scammed me for $600." So I did a deep dive and I was like, "Here's all their information." All of the information you would need to get recourse which would be contacting law enforcement because law enforcement normally won't help unless you know who the person is and if they're not in your state you need to know what law enforcement to contact because like New Jersey law enforcement won't help you if the person in California scammed you because they're going to be like, "Not our jurisdiction." Or whatever. So I've helped that for a couple people. 
And so for one of the other people so she did pay with Venmo goods and services, but it was a new feature and we didn't know she was going to get paid back. So I was having trouble finding their other social media platforms so I started charging them money on Venmo with a Venmo account that I made specifically for this purpose with like a Taylor Swift reference. But I started requesting money saying, "Pay so and so back. Pay so and so back." And then when they weren't responding I requested their contacts and I was like, "So and so owes $500." I was -- I was being a jerk and kind of harassing them because I was like they stole money from somebody. That's wrong. But I was like harassing them. And they actually sent her -- well, they sent me like $1 and they were like, "Please stop." Or whatever because they were like don't -- because I think I contacted their mom. I don't know. I was just kind of like so and so stole money. And so then they sent me $1. I guess they could have just commented on the message, but the -- a lot of these low level people, they're not super smart. They're just kind of like on the internet trolling stealing money. So they sent me $1 being like, "Please don't contact my mom." Like, "I'll give back the money later." Or something. And then they didn't. So they sent me like $4 and so I sent it to the person whose money was stolen. I was like, "Hey, all I have is this $4. Like I don't know if we can get your money back, but we can continue looking into this so that you can at least contact law enforcement." And then Venmo goods and services actually refunded her the entire amount so I was like, "Oh. You should keep the $4. It's like interest on your stolen money."

Sherrod DeGrippo: I will make my one and only -- the only Taylor Swift reference I know which is vigilante to stuff. So you were -

Christine Fossaceca: It's the username on the account.

Sherrod DeGrippo: I love it. I love it. You are a troll and a criminal. But it's okay. Yeah. I agree. Psychotic, but it's okay. Okay. So mobile sounds really wild. Like the other thing that it's done is unlike traditional big time malware that we've seen with threat actors over the past decade or so that takes a big operation. That takes infrastructure and, you know, cloud accounts, and the ability to figure out a target list. It sounds like with a lot of mobile fraud like the Taylor Swift stuff, like the gift card stuff, there's really no barrier to entry. Everybody has the weapon in their pocket and everyone also has a target in their pocket. So I guess like what should we think for example when we download something from an app store? Is an app store safe? If it's in the app store, does that mean it's okay? Laurie, I'll start with you. Like what's the reality when something comes from an app store?

Laurie Kirk: I mean people like to think that if you're downloading from any official app store that you are beyond a doubt safe, and how could an app store actually host malware? But this has happened quite a bit in the past, particularly on the Android Play Store. They host so many different applications and there's a lot of these tiny applications that only have a few downloads that if you dig into the code and you start seeing what kind of network communication this is having you'll actually realize that a lot of them are basically masquerading and there's spyware underneath. And this is not just safe for iOS devices either. I mean in the past if you look at one example application this was a malicious application that targeted actual iOS developers. Now this is called XcodeGhost. So it's a fake version of Xcode. So this is used to develop iOS and macOS applications. And so legitimate developers were developing on this malicious version of Xcode and accidentally uploading their applications with a little bit of malware that was slipped inside of these applications. And so these were hosted on the legitimate Apple store as well. So a lot of applications can slip through the cracks because at the end of the day it's just humans and a lot of automation processes that are trying to analyze these applications, but nothing's ever going to be perfect in the end.

Sherrod DeGrippo: So that leads me to the next question which I want to ask Apurva. How do I know if I have malware on my phone? Because I'm paranoid now.

Apurva Kumar: Okay. So it should be noted that although we do spend a lot of time talking about, you know, really advanced attacks and those are the ones that get our attention, the vast majority of malware is abuse essentially. Like click fraud. They're, you know, trying to crypto miners and things like that. So detecting that type of malware -- I guess the point I was making was how do you know you have malware? Which kind of malware are you looking for? So if you're looking for things that are doing click fraud, ad fraud, crypto miners, things like that, maybe your phone is getting a little hot when you're not doing anything. Maybe it's like --

Sherrod DeGrippo: Like literally it's physically heating up? Like physically the temperature's going -- wow. Okay.

Apurva Kumar: I think that used to happen in the past. I think it depends on where you are and what your phone is and what context you're [inaudible 00:34:23] but I feel like in general if your phone is doing things that should not be happening, right, like if something's going wrong with your phone, you should be suspicious. So if it's -- if it seems all of a sudden super slow if you open a particular application, something's going on in the background. If you've, you know, browsed to a website and then you do something else with your phone, you move to YouTube or something, and then your phone after that starts to respond really slowly, something's going wrong. Like so these are the ways that you can kind of pick up that there's -- there's something -- there should be like your -- you should try to use your intuition as much as possible with mobile devices. If something's off, you should probably try and investigate it. Now there's -- this is a very slippery slope because you can get into the paranoia realm very quickly. Yeah.

Sherrod DeGrippo: I'm in the paranoia. I'm living in that realm.

Apurva Kumar: So there's lots of open source tools. One of them released by Amnesty International called MVT toolkit. It's a little bit technical, but with that data you can tell whether a device like your iOS device is compromised based on a backup that you can provide it. So there are ways to tell. There's also an antivirus solution which is a good recommendation for security in general. You know, install an antivirus solution like Defender.

Sherrod DeGrippo: What's -- what -- okay. What's the best mobile antivirus solution? Microsoft Defender.

Apurva Kumar: I guess that's where I plug Microsoft Defender and I say Microsoft Defender. Yeah.

Sherrod DeGrippo: I mean I would hope. You guys all work on it. Right?

Apurva Kumar: We're doing our best. We're doing our best. But yeah. Perfection never gets achieved. Right?

Sherrod DeGrippo: So I think it's a combination of like paying attention to your surroundings, AKA what's happening on your device, and then having some kind of security solution capability. And not doing dumb dumb clicky clicky stuff. I don't like blaming users, but at the same time mobile is just such a wild west kind of platform. It's not like with -- like a regular host laptop or something.

Apurva Kumar: But it's not blaming. So I really want to change like the thinking around the way that we treat our devices and the way that we kind of like say, "Oh, if you click a link, it's your fault you got infected." Or something like that. But it's not. It's human nature. Like let's just kind of try to normalize that. So that like I'm a security researcher. I've been one for eight years. And I still fall prey to some of these things sometimes. Like the spidey senses kick in maybe at the right time and sometimes they don't, but everybody falls prey to these types of things. It's just the way that the world works. And it's just it's better to be educated on it and talk about it and say that like these threats are out there. The universal advice is if you get a link on your phone, try not to click on it. If there's some other way to get to it like on your desktop computer or you know go to the actual website and then navigate to that place, that's a better bet for you than actually clicking that link because there's no way to tell where that link actually goes on a mobile device. So that's -- that's generally the universal kind of advice for links. Don't click links. Just don't.

Sherrod DeGrippo: Okay. That's really good.

Christine Fossaceca: Yeah. One thing I love about our team is that any time any of us gets like a malicious link on our phone we send it to our group chat and we all, you know, have different detonation devices. So we'll send it to each other, look at the link, and navigate and send screenshots. So like one time I got some weird USPS link and it was just an info stealer. So they were hoping that you would click through and upload all your information. Like here's my address and my phone number, my social security number, and all these things. So I obviously filled all of that out with fake information, but I thought I was being hilarious because they wanted a picture of your ID so I uploaded a picture of like SpongeBob SquarePants' driver's license.

Sherrod DeGrippo: He's a licensed driver? They let him drive?

Christine Fossaceca: He passed.

Sherrod DeGrippo: He lives in the ocean.

Christine Fossaceca: Boating school.

Sherrod DeGrippo: Oh boy. Information security, everyone. Here it is. It's -- it's dependent upon SpongeBob's license. I want to wrap up with thanking all of you for coming and being on the podcast. This was really awesome. I wish we had more time. I love hearing about mobile threats. Thanks for joining us Laurie, Apurva, Christine. I really appreciate it. And go check out their -- Laurie's YouTube, Christine's podcast. Apurva, should they check you out anywhere?

Apurva Kumar: I don't want to say X, do I? I want to say Twitter.

Sherrod DeGrippo: Okay. Okay. So we'll check you out on the platform usually known as Twitter. Okay. Thank you so much for joining me, guys. Have a great one.

Laurie Kirk: Thank you.

Christine Fossaceca: Thank you.

Apurva Kumar: Thank you.

Sherrod DeGrippo: Thanks for listening to the "Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out. for more. And subscribe on your favorite podcast app.