Vulnerabilities / Threats
3/24/2016
11:30 AM
Avi Bashan
Avi Bashan
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Mobile Security: Why App Stores Dont Keep Users Safe

In a preview of his Black Hat Asia Briefing next week, a security researcher offers more proof of trouble in the walled gardens of the Apple and Google App stores.

For years, users have relied on best practices to protect themselves from mobile malware. This was based on the assumption that if you download only high reputation apps from official app stores (both Google Play and the Apple App Store), you will be safe. However, this paradigm has been challenged in the passing year as more and more malicious apps infiltrate these official fortresses.

It’s a phenomenon that can no longer be ignored; malware on app stores can’t be treated as inconsequential, isolated incidents. Both Google Play and the Apple App Store have been penetrated repeatedly, exposing users to various types of malware. Even Apple advocates can no longer rely on the Apple app review process to scrutinize apps in order to protect iPhones and iPads. Let’s take a look at four apps that climbed over the Google and Apple walls and gardens.

Certifi-gate

Certifi-gate is a set of Android vulnerabilities discovered by Check Point in August 2015. These vulnerabilities enabled attackers to gain high-level privileges without the user’s consent by exploiting apps signed by OEMs. Apps which are signed by an OEM can gain privileged permissions such as screen recording and user input simulation. Check Point researchers discovered that the authentication mechanism used by these OEM signed apps can be bypassed by a malicious app, and can then be exploited in order to take control of the device.

Following the discovery, disclosure, and publication of the vulnerability, Google released a statement that Google Play doesn’t contain any malicious apps exploiting vulnerable plugins. However, two weeks after the announcement, the Check Point research team discovered a malicious app exploiting the vulnerability in order to record a device screen.

Xcodeghost

The official integrated Apple development environment is called Xcode. Cybercriminals managed to create a modified version of Xcode which was published on third-party websites. This modified Xcode version injects malicious code into every app compiled using it. These infected apps managed to bypass the Apple code review process time and again.

Though this is not the first malicious code that has managed to get into the App Store, it was one of the largest number of malicious apps to get in to date, proving that even Apple’s current review mechanism can’t secure users effectively. Just as in the Certifi-gate case, malware continued to infiltrate the App Store even after Apple knew about its existence and after it tried to block it.

BrainTest

In September 2015, Check Point researchers discovered a new malicious app on the Google Play store that managed to bypass Google Bouncer, Google’s app scanning mechanism, using two different components to get in.

The first and seemingly benign component is the dropper. Once installed, the dropper checks whether it’s being executed on Google’s servers and, if so, it will not execute malicious commands. Then, if installed on a user’s actual device, the dropper will download the second component to act on its malicious objective. The malicious app then continues to download fraudulent apps to generate revenue for attackers.

Sure enough, just like in the two previous cases, BrainTest returned to Google Play a few months later, this time embedded in 13 different applications. Google was yet again unable to prevent this known threat from infiltrating its protected app store.

Broken app security and verification.

Both the Apple App Store and Google Play have been infected by malware time after time. Clearly, Apple and Google are unable to cope with known malware and attack vectors, let alone new ones. Attackers continue to use the same techniques to bypass security measures successfully. Making matters worse, they’re finding new loopholes in app store defenses all the time.

Unsuspecting users who follow the recommended best practice of downloading only apps from the official app stores are still finding themselves under attack. And enterprises, like consumers, can’t afford to be vulnerable to mobile malware on their networks. One infection is all it takes to compromise sensitive business data enterprises strive so hard to protect.

In his Black Hat Asia presentation, Enterprise Apps: Bypassing the iOS Gatekeeper, Avi and co-presenter Ohad Bobrov take a deep dive into how enterprise-signed apps have been used to attack iOS devices, and offer examples of usages discovered in the wild. Click here for more about Black Hat Asia 2016, which begins next week.  

Related Content:

 

 

Avi Bashan is a technology leader at Check Point and former senior security researcher and CISO at Lacoon Mobile Security. With more than 10 years of experience in the mobile, networking, and security industries, Avi is one of the main figures in the research and engineering ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jeremseo
50%
50%
Jeremseo,
User Rank: Strategist
4/5/2016 | 10:54:39 AM
Security
For me I feel the same way. Like for one moment when I am searching something online and I feel like someone is tracking my life... It feels quite strange and uncomfortable. I dont have a lot of apps on my phone either.
WoW100
50%
50%
WoW100,
User Rank: Apprentice
3/26/2016 | 7:38:34 AM
Security
The security of our mobiles are important, and that's why i dont download many apps to my smartphone. I don't want to be track by a lot of companies just to sell me products. So i have the security of data users will increase.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.