New Man-in-the-Middle attack called DoubleDirect Attack targeting Android and iPhone users
Researchers at Zimperium Mobile Security Labs have discovered that cybercriminals are using a new method of Man-in-the-Middle attack to target Android and iPhone smartphone users and quite successfully. The Zimperium researchers have named this new attack as DoubleDirect Attack.
The so-called DoubleDirect technique enables an attacker to redirect a victim’s traffic to the attacker’s device. Once redirected, the attacker can steal credentials and deliver malicious payloads to the victim’s mobile device that can not only quickly infect the device, but also spread throughout a corporate network,” according to mobile security firm Zimperium.
Zimperium also detected that the DoubleDirect technique was used against the customers of top websites like Google, Facebook, Twitter, Hotmail, Live.com, Naver.com (Korean) and others. Zimperium says that the attack method is being exploited in the wide in at least 31 countries across the world, namely, Serbia • Australia • Iraq • Kazakhstan • Poland • Indonesia • Israel • Latvia • Finland • Mexico • Egypt • United Kingdom • Austria • Colombia • Greece • Brazil • Canada • France • Algeria • Russian Federation • Switzerland • Italy • Germany • Spain • Saudi Arabia • Netherlands • India • Malta • Bahrain • United States and China.
Zimperium researchers say that the primary motive of the cybercriminals using DoubleDirect attack is to gain the victims confidential information, email ids and credentials, banking information and credentials and other passwords.
How does DoubleDirect work
Attackers using DoubleDirect method use ICMP Redirect packets (type 5) to modify routing tables of a host. This method is legitimately used by routers to notify the hosts on the network that a better route is available for a particular destination. However in the case of DoubleDirect attack, the attacker uses ICMP Redirect packets to alter the routing tables on the victim host, causing the traffic to flow via an arbitrary network path for a particular IP. As a result, the attacker can launch a MITM attack, redirecting the victim’s traffic to his device. Once redirected, the attacker can compromise the mobile device by chaining the attack with additional Client Side vulnerability (e.g: browser vulnerability), and in turn, provide an attacker with access to the corporate network.
Zimperium researchers found that in the case of DoubleDirect attack the hackers are using a previously unknown implementation to achieve full-duplex MITMs using ICMP Redirect. Traditional ICMP Redirect attacks has limitations and known to be half-duplex MITM.
Zimperium Mobile Security Labs researched the threats and determined that the attackers are able to predict the IPs being accessed by the victim. Zimperium has uploaded a complete Proof of Concept for the DoubleDirect Attack which can be downloaded here.
Who is at risk?
iOS : Zimperium researchers noted that the DoubleDirect attack works on latest versions of iOS including iOS 8.1.1 so all iPhones are vulnerable to this attack
Android: Zimperium researchers stated that the DobuleDirect attack worked on most Android devices including Nexus 5 with the latest Android OS 5.0 lollipop.
Mac OS X Yosemite : Zimperium researchers say that Mac OS X Yosemite users are also potentially vulnerable but Windows and Linux users would appear to be immune because both Windows OS and Linux dont accept ICMP redirection packets that carry malicious traffic by default.
Neither Google or Apple has officially commented on the Zimperium researchers findings as of yet.