Digital storefronts can be vandalized and stolen from just as physical ones can. Your firm’s online presence, and that of your employees, is an attack surface that attackers often target. We’ve decided to dedicate this post to one of their most common weapons, malicious mobile apps, and to explain why digital businesses need to be especially careful and aware of the prevalence of malicious apps.
Malicious apps are threats that hide “behind” apps that appear “safe”. The malicious component is often well hidden by sophisticated techniques used by malware authors. The Shedun family of adware is a prime example of this.
Breaking and Entering: How Malicious Apps Steal Info
The answer: money. Financial gain is the primary motivation for malicious apps. “Clickfraud” - fooling device users into clicking on online ads - is one of the ways hackers compromise mobile devices. Since digital advertisers pay publishers based on how many clicks their ads get, more clicks means more money for the publisher. Clickfraud malware deceptively displays ads on the device screen so that users click or tap on the ad without even knowing it. HummingBad is a recent example of a malicious clickfraud app, which infected an estimated 10 million Android devices worldwide.
HummingBad was able to pull off its attack by utilizing a “rootkit” module which gains complete administrator-level (root) access to a device. A device compromised at the root level could do far more damage than mere clickfraud, including stealing online banking login credentials, siphoning off personal data for identity theft or even utilizing the phone as part of a botnet.
Furthermore, the rooted device could be used as a stepping stone to attacking any network it connects to, including your corporate LAN. This is one of the ways a business’s Wi-Fi can become an attack vector in the age of BYOD, and it demonstrates one of the vulnerabilities of traditional network security perimeters.
We should note that the HummingBad malware wasn’t found in any apps hosted on Google Play, which is a good reason to generally avoid third-party app stores or other sources. In fact, one common attack method is promoting links that refer to these dodgy sites via tweets, emails, LinkedIn messages, or Facebook comments.
Google Play Gets Played
Avoiding shady app stores offers only partial protection, as other malicious apps have appeared even on Google Play. As a reminder that you can get mugged even in the best online neighborhoods, early last month Google removed 60 malicious gaming apps - many of them targeting children - which contained adware code that served pornographic ads.
Google removed the ads and terminated the app store publishing privileges of their developers, but the apps had already been downloaded between 3 and 7 million times.
Those 60 apps are a rounding error compared to the 700,000+ malicious apps Google scrubbed from its app store last year, which resulted in Google Play store access being revoked for more than 100k developers. Whatever safeguards Google has in place aren’t just leaking, they’re pouring.
How You Can Avoid Malicious Apps
Since malicious apps generally try to mimic legitimate ones, your defense mainly boils down to spotting counterfeits. Look closely at the listed name of the developer and try to notice a slight misspelling or slight variant of a reputable brand. The same goes for the app’s icon. Is the number of reviews and installs noticeably low for what appears to be a legitimate app of a well-known brand? Are the few reviews available overwhelmingly positive? All these are red flags indicating the app might be a malicious one.
Source: CyberInt's 'Lookapp'
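The red flags listed above can be turned into a simple check over store listings. This is an added example, not CyberInt's code or tooling: the `Listing` fields, the thresholds and the "Acme Retail Inc." brand are assumptions made up for illustration, and the icon comparison is left out.

```python
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass
class Listing:
    """One store listing; the field names are assumptions for this example."""
    developer: str
    installs: int
    review_count: int
    five_star_share: float  # fraction of reviews that are 5-star, 0.0-1.0


def normalize(name: str) -> str:
    """Fold case, accents, punctuation and digit-for-letter swaps (0/o, 1/l, 3/e, 5/s)."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    swapped = ascii_name.lower().translate(str.maketrans("0135", "oles"))
    return "".join(ch for ch in swapped if ch.isalnum())


def red_flags(listing, official_developer, min_installs=100_000,
              few_reviews=200, five_star_limit=0.95, lookalike_ratio=0.8):
    """Return the counterfeit red flags that apply; all thresholds are assumed values."""
    flags = []
    # A near-miss of the official developer name (not an exact match) is the lookalike case.
    exact = listing.developer.strip().casefold() == official_developer.strip().casefold()
    ratio = SequenceMatcher(None, normalize(listing.developer),
                            normalize(official_developer)).ratio()
    if not exact and ratio >= lookalike_ratio:
        flags.append("lookalike_developer")
    # Noticeably low installs or reviews for what claims to be a well-known brand.
    if listing.installs < min_installs or listing.review_count < few_reviews:
        flags.append("low_installs_or_reviews")
    # The few reviews that exist are overwhelmingly positive.
    if listing.review_count < few_reviews and listing.five_star_share >= five_star_limit:
        flags.append("few_reviews_all_positive")
    return flags


# Constructed sample listings for a made-up brand, "Acme Retail Inc."
OFFICIAL = "Acme Retail Inc."
SAMPLES = {
    "genuine": Listing("Acme Retail Inc.", 5_000_000, 120_000, 0.62),
    "digit_swap": Listing("Acme Retai1 Inc.", 800, 14, 1.0),
    "extra_letter": Listing("Acme Retaill Inc", 250_000, 3_000, 0.70),
}

if __name__ == "__main__":
    for label, listing in SAMPLES.items():
        print(label, red_flags(listing, OFFICIAL))
```

A developer name that differs only by a swapped digit normalizes to the same string as the official one, which is why the exact-match test runs on the raw text and the similarity test on the normalized text.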
The Spectre of a Widespread Meltdown in Mobile Security
The pervasive threat of malicious apps is further amplified by the discovery of vulnerabilities such as Spectre and Meltdown. Both of these security flaws affect processing chips built on ARM’s architecture, which are used in smartphones, tablets, and laptops. ARM advises its users “to practice good security hygiene by keeping their software up-to-date and avoiding suspicious links or downloads.”
As we’ve seen, these questionable links or downloads from unknown websites can unload a wide range of problems onto your device and expose your company’s digital assets to innumerable risks.
A Question of Accountability
Accountability is a pressing issue, one that tends to be a major setback in organizations when setting security protocols. So who is to be held accountable for malicious app infections? For example, if a user were to download a Walmart app that seems legitimate to the naked eye but ends up stealing their customers’ PII, is the user who downloaded the infected app to blame, or rather Walmart?
Source: CyberInt's 'Lookapp'
Vigilance must extend beyond the perimeter, and it’s a two-way street. Every employee, contractor, customer, or business partner with access to your network, even guest WiFi, must be careful about what apps they install on their devices. On the organizational front, app security hygiene best practices must be put in place to protect your app from being exploited by malicious apps. In addition to having the organization’s digital assets compromised, you risk serious damage to your brand’s reputation.