Distributing Malware Through Future App StoresDifficult times ahead for app markets as professional malware developers ramp their evasion techniques
As corporate networks continue to succumb to the bleating call of "bring your own device" (BYOD) gadgets, more security teams are questioning the security and integrity of the application markets that drive the adoption of these devices. While the vast majority of corporations have heard the dangers of rogue app markets and the malware plague that infests them, many organizations continue to search for confirmation that the "legitimate" app stores are safe.
Numerous antivirus vendors have found it advantageous to monitor the many fledgling app stores and markets around the world and continue to publish their findings as they relate to the unique pieces of malware being uncovered. While the numbers follow a not-unexpected exponential growth rate, it remains unclear whether there is a significant (or even noticeable) threat to corporate entities -- especially if this maliciousness is almost entirely attributed to the aforementioned rogue markets.
It is inevitable that malware authors, and the criminal organizations that profit from malware's proliferation, will continue to pursue their targets via their portable and personal devices in order to breach an organization.
The first and foremost defense against these attacks is likely to continue to be the app markets themselves -- at last for the short term. However, as malicious app developers are pushed and incented to innovate beyond this first generation of mobile malware in order to be reliably distributed from the primary app markets, it is inevitable that businesses will fall prey to more malware that targets their BYOD install base.
The primary app markets are well-positioned to limit the introduction of malicious software into their application portfolio. They all employ a barrage of technologies and service conditions designed to scan new applications (and their updates) for malicious code and unwanted actions. Many of the methods employed, by necessity, remain blackbox systems to both their customers and authorized app developers. While the primary app market providers will continue to improve their inspection techniques in the yo-yo battle against malicious developers, it is inevitable that they will lose that battle. It's just a matter of time, unfortunately.
Some may argue that the blackbox inspection engines of the app market providers have the upper hand. I'd argue thatif current corporate code inspection and reviewing technologies are anything to go by, then the automated techniques used for testing the security and integrity of mobile applications will always succumb to an even marginally informed or persistent developer.
Today's commercial code analysis and inspection tools are fantastic for automatically plowing through millions of lines of code and flagging every poor coding choice that has historically been classed as a security concern. But, similar to the problems encountered with IDS and antivirus scanners, they're limited to pedantically detecting threats they've encountered before and are easily evaded when a modicum of obfuscation is employed. Even forgetting about the security angle for a moment -- speak with any experienced developer who has worked for a major software vendor about what they think of the automated build checkers and QA systems, and they'll happily tell you of the small tricks they had to employ to bypass those "hurdles to productivity."
While automated security reviews can possibly catch many of the common coding flaws and a growing list of obfuscation techniques, they are not capable of interpreting every logic jump or nestled function call for deliberate maliciousness. One recent example can be found in the paper by GA Tech researchers Tielei Wang and Billy Lau, titled "Jekyll on iOS: When Benign Apps Become Evil," in which they deliberately inserted exploitable bugs into the code that was submitted to the Apple app store. The automated analysis platform employed by Apple to identify malicious apps had no realistic chance of identifying this evasion vector and, inevitably, the malicious app was published to the store and could have been installed by a new stable of victims.
The tricks employed by malicious app developers will grow in sophistication faster than even the most advanced app inspection and approval platforms can counter them.
For the time being, you may as well make the most of the fact that the primary app stores are largely ahead of the threat -- but don't become complacent. The advantage will soon fall to the attackers, and we can expect their mobile malware to become more prevalent in the markets we trust the most. Precisely when that'll happen and when we'll feel the pain remains uncertain, but a year or so is likely to be a good guess.
Gunter Ollmann, CTO, IOActive inc.