Distributing Malware Through Future App Stores

Difficult times ahead for app markets as professional malware developers ramp their evasion techniques

As corporate networks continue to succumb to the bleating call of "bring your own device" (BYOD) gadgets, more security teams are questioning the security and integrity of the application markets that drive the adoption of these devices. While the vast majority of corporations have heard the dangers of rogue app markets and the malware plague that infests them, many organizations continue to search for confirmation that the "legitimate" app stores are safe.

Numerous antivirus vendors have found it advantageous to monitor the many fledgling app stores and markets around the world and continue to publish their findings as they relate to the unique pieces of malware being uncovered. While the numbers follow a not-unexpected exponential growth rate, it remains unclear whether there is a significant (or even noticeable) threat to corporate entities -- especially if this maliciousness is almost entirely attributed to the aforementioned rogue markets.

It is inevitable that malware authors, and the criminal organizations that profit from malware's proliferation, will continue to pursue their targets via their portable and personal devices in order to breach an organization. The first and foremost defense against these attacks is likely to continue to be the app markets themselves -- at least for the short term. However, as malicious app developers are pushed and incentivized to innovate beyond this first generation of mobile malware in order to be reliably distributed from the primary app markets, it is inevitable that businesses will fall prey to more malware that targets their BYOD install base.

The primary app markets are well-positioned to limit the introduction of malicious software into their application portfolio. They all employ a barrage of technologies and service conditions designed to scan new applications (and their updates) for malicious code and unwanted actions. Many of the methods employed, by necessity, remain blackbox systems to both their customers and authorized app developers. While the primary app market providers will continue to improve their inspection techniques in the yo-yo battle against malicious developers, it is inevitable that they will lose that battle. It's just a matter of time, unfortunately.

Some may argue that the blackbox inspection engines of the app market providers have the upper hand. I'd argue that if current corporate code inspection and reviewing technologies are anything to go by, then the automated techniques used for testing the security and integrity of mobile applications will always succumb to an even marginally informed or persistent developer.

Today's commercial code analysis and inspection tools are fantastic for automatically plowing through millions of lines of code and flagging every poor coding choice that has historically been classed as a security concern. But, similar to the problems encountered with IDS and antivirus scanners, they're limited to pedantically detecting threats they've encountered before and are easily evaded when a modicum of obfuscation is employed. Even forgetting about the security angle for a moment -- speak with any experienced developer who has worked for a major software vendor about what they think of the automated build checkers and QA systems, and they'll happily tell you of the small tricks they had to employ to bypass those "hurdles to productivity."

While automated security reviews can possibly catch many of the common coding flaws and a growing list of obfuscation techniques, they are not capable of interpreting every logic jump or nested function call for deliberate maliciousness. One recent example can be found in the paper by GA Tech researchers Tielei Wang and Billy Lau, titled "Jekyll on iOS: When Benign Apps Become Evil," in which they deliberately inserted exploitable bugs into the code that was submitted to the Apple app store. The automated analysis platform employed by Apple to identify malicious apps had no realistic chance of identifying this evasion vector and, inevitably, the malicious app was published to the store and could have been installed by a new stable of victims.

The tricks employed by malicious app developers will grow in sophistication faster than even the most advanced app inspection and approval platforms can counter them.

For the time being, you may as well make the most of the fact that the primary app stores are largely ahead of the threat -- but don't become complacent. The advantage will soon fall to the attackers, and we can expect their mobile malware to become more prevalent in the markets we trust the most. Precisely when that'll happen and when we'll feel the pain remains uncertain, but a year or so is likely to be a good guess.

Gunter Ollmann, CTO, IOActive inc.

Peter Fretty
User Rank: Moderator
10/29/2013 | 10:54:14 PM
re: Distributing Malware Through Future App Stores
Such an important topic, especially as mobility continues to intensify and downloaded apps become a part of the organization fabric running business networks today. Beating malware is something that takes a strategy that utilizes a combination of solid tools, including device protection programs and UTM appliances (i.e. Sophos, etc.), as well as an education-based platform to continually educate the user base on best practices.

Peter Fretty
User Rank: Ninja
10/16/2013 | 11:16:41 AM
re: Distributing Malware Through Future App Stores
This is a topic that needs some serious thought and planning. We know there are disreputable software makers out there who attempt to put malware-loaded apps up on the program libraries so they are available for download.

Our response must consider as well that legitimate, well-intentioned software builders can load malware just as easily and without knowing it -- when the malware originates from a software library used in assembling a software product.

Software makers will need a zero-defects quality control process to fight this. Remember: zero defects is not something you get -- it's something you do: you make sure what you are shipping is defect free -- and assume responsibility for that.

In Linux we have a tool known as AppArmor. Using this I can create a profile that will limit what an application can access. This is a very important concept.

Remember: when you open your computer and LOGON it's then just you, and your computer. But when you open your web browser it becomes you, and the web author. Not just of the page you are browsing -- but every page the active page links to.

You can use AppArmor to restrict what an app can access. This can be a game-changer. No longer does an app have all the same access you do -- it can be restricted and allowed to access only those areas that are appropriate for it.

We will probably not be able to completely eliminate malware from the software distribution system. But an infected app should not be able to compromise your entire computer. A more traditional approach to computer security, such as adding AppArmor, as well as generally not allowing root access -- will be a huge step in the right direction. The old approach taken in the "PC" -- is an unmitigated disaster.
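The AppArmor confinement described in the comment above, as an added example that is not part of the original post: a profile for a hypothetical third-party app installed at /usr/local/bin/exampleapp (the binary path, config directory and data directory are assumptions) that lets it read its own files, write only to its own data directory, and logs any attempt to reach user credentials or spawn other programs.

```apparmor
# /etc/apparmor.d/usr.local.bin.exampleapp  (hypothetical app and paths)
#include <tunables/global>

/usr/local/bin/exampleapp {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The binary and its own libraries: read and memory-map only.
  /usr/local/bin/exampleapp mr,
  /usr/local/lib/exampleapp/** mr,

  # Its configuration is read-only, so a compromised app cannot
  # persist changes to its own startup settings.
  /etc/exampleapp/** r,

  # The single place the app may write: its data directory, and only
  # when the files belong to the invoking user. The rest of $HOME is
  # denied by default because it is never mentioned in the profile.
  owner @{HOME}/.exampleapp/ rw,
  owner @{HOME}/.exampleapp/** rwk,

  # Explicit denials for the material an infected app is most likely to
  # go after. Explicit deny rules win over any later allow rule and show
  # up as DENIED entries in the audit log, which is the detection hook.
  deny @{HOME}/.ssh/** rwklx,
  deny @{HOME}/.gnupg/** rwklx,
  deny /etc/shadow r,

  # No execution of other programs, so the app cannot launch a shell
  # or a downloaded payload even if it has a code-execution bug.
  deny /bin/** x,
  deny /usr/bin/** x,

  # Outbound TCP for its update check only; no raw or packet sockets.
  network inet stream,
  network inet6 stream,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.local.bin.exampleapp`, run it in complain mode first (`aa-complain /usr/local/bin/exampleapp`) and review the logged denials so legitimate accesses are added before switching to `aa-enforce`.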