On Dec. 4, users of a simple Android program — a barcode scanner — started witnessing odd behavior when their smartphones suddenly began opening up their browser to display unwanted advertisements.
While the devices exhibited the hallmarks of a malware or adware infection, the compromises puzzled most users since they had not recently downloaded new software, according to an analysis by endpoint security firm Malwarebytes. Instead, the malicious behaviors came from a software update to a popular application — the generically named "Barcode Scanner," with millions of downloads. An enterprising group bought the code and then pushed a malicious update to every user of the application.
The supply chain attack is a new technique — buying applications, along with their software base, and then pushing out updates with malicious code — that will likely grow in popularity among cybercriminals, says Nathan Collier, senior malware intelligence analyst at Malwarebytes.
"Now that this has been done, I can definitely see it happening more in the future," he says. "Honestly, for malware developers it's kind of genius that they can just do this — let someone else build something, have it on Google Play for years. You are buying the ability to update all of the users to a new version of the app."
Already, a second group used a similar tactic to infect millions of users with malicious code through a popular Google Chrome extension. In early February, Google removed the Great Suspender utility for Chrome, which reduces the memory consumed by the browser through shutting down old tab processes, after the original maintainer of the open source project sold the code to an unknown group. Users of the extension noticed in October 2020 that new owners had installed updated code on users' systems without notification — code that appeared to behave similar to adware.
The technique for distributing malicious code comes as developers and security firms are trying to detect attackers who compromise code bases and insert malicious modifications. Skipping the initial requirements of compromising the code base makes the attack simpler, Bishop Fox CEO Vinnie Liu told Dark Reading earlier this month.
"The secure development life cycle has for 15 years been focused on preventing the inadvertent introduction of vulnerabilities by developers, and not against identifying and preventing the purposeful insertion of malicious code or behavior into an existing application," he said. "Developers are unprepared for this. Most enterprise security programs are unprepared for this."
Paying for access to a vulnerable system is not necessarily new, however. Cybercriminals services that sell access to already compromised systems have evolved over the past decade; such services now account for a large number of ransomware infections. In 2016, cybersecurity experts were already warning of the emergence of access-as-a-service sites used by cybercriminals.
Other gray-market groups use a more subtle approach, creating advertising software development kits (SDKs) used by developers to monetize their applications, but then adding aggressive advertising or even malicious code to the third-party component. In August, for example, researchers at security firm Snyk revealed that an SDK used by more than 1,200 iOS applications had adopted code to spy on millions of users.
Compromising the supply chain directly is also becoming more common. Many cybercriminals and nation-state operators have targeted popular software and vendors — such as the software compromise that allowed NotPetya to spread and the attack on SolarWinds — as a way to eventually infect companies using the software.
By targeting struggling but popular software projects, however, cybercriminals have added another door into the supply chain for their code.
The Barcode Scanner app behind the latest case appeared on the Google Play store in 2017 as a legitimate, ad-driven application with tens of thousands of users, according to Malwarebytes. At the time of its sale to an organization named LavaBird LLC, the application had about 10 million downloads and an extensive user base, according to Malwarebytes. LavaBird says the company then sold it to another third party, who made the malicious modifications, Collier says.
"The clean version was on there for a long, long time ... so it was growing and growing and growing before it got taken up by LavaBird," he says. "They bought it with the intention of selling it as quickly as they can, but the problem is they did zero verification on who they were selling it to."
Should developers be required to do due diligence on buyers? Collier says he is not so sure. Instead, the company behind the ecosystem — whether Apple, Google, Microsoft, or another — should ensure that security checks on updates are as rigorous as on the original application, especially if the maintainer has changed.
"Google really only looks in depth when the code is first uploaded," he says. "Looking at the code, this would have been an easy one to detect. I downloaded the app, and within five minutes it was opening up Google Chrome and doing redirects."
Yet he acknowledged the security firms have to adapt to the new strategy as well.
"To be fair, in Google's defense, the [mobile security] vendors were not even detecting it right off the bat either," Collier says. "It was sly, slipped in, and it worked."