by Guangdong Bai, Zhang Qing,

Summary : Traditionally, organizing trusted computers within a firewall-equipped intranet which is accessible only to the insiders is an ideal way to exclude attackers outside. However, this is not the case in 3G/4G internal network. Due to the openness of the 3G/4G intranets, an attacker is able to join a 3G/4G intranet and conduct scanning over other mobile devices connected to the same intranet using existing tools and techniques like ping sweeps and port scans. This in turn allows the attacker to reach the mobile apps which are listening for inbound network traffic. Therefore, the 3G/4G intranet scanning significantly augments the threat of vulnerable apps. For example, the attacker can exploit the WormHole vulnerability to remotely tamper the contact information, pull local files, and install malware.
In this work, we demonstrate the feasibility of the large-scale scanning over the 3G/4G intranet. First, we adapt the Nmap scanner for 3G/4G intranets. We use it to scan more than 16 million mobile users of the three main ISPs in China, including China Mobile, China Telecom and China Unicom. During our scanning, we find that 2% of the scanned devices are installed with apps containing the WormHole vulnerability. We also find a previously-unreported WormHole vulnerability from an app which has accumulated 11 million installs. Second, in order to investigate whether the 3G/4G intranet scanning has been used in the real world, we build up a small honey pot to capture the scanning. Simply deploying 4 devices over two cities, we are able to catch scanning activities. This implies that the 3G/4G intranet has been taken into usage by current security professionals. Overall, our work should raise the awareness of the app developers about this attack vector.