Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

6/21/2019
02:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Cyber-Risks Hiding Inside Mobile App Stores

As the number of blacklisted apps on Google Play continues to drop, attackers find new ways to compromise smartphones.

Mobile devices – pervasive in the workplace, heavily used, and often unregulated – present a wealth of opportunity to cybercriminals aiming to access employees' sensitive information.

The mobile threat landscape is always shifting, says Jordan Herman, researcher at RiskIQ, which recently published its "Mobile Threat Landscape Q1 2019" report. Researchers scanned more than 120 app stores and nearly 2 billion resources to detect mobile apps in the wild. In the past four quarters, RiskIQ has categorized 8 million mobile apps, of which 217,982 were blacklisted.

A rush of apps continues to flood mobile marketplaces. In the first quarter of 2019, RiskIQ saw 2.26 million new apps, nearly 6% more than the fourth quarter of 2018. Given the sheer size, scope, and complexity of the global app ecosystem, it's tough for organizations to monitor their mobile presence and protect customers and employees from an evolving range of threats.

"The fact that it changes from quarter to quarter goes to show how many different ways there are to attack mobile," Herman says. "Mobile is so ubiquitous and so ingrained in our day-to-day lives that threat actors can target users in hundreds of ways and keep trying until something works." Threats range from fake antivirus apps to phishing attempts to Magecart incidents.

As Herman points out, there are several ways to develop and distribute malicious apps. Some may sign up the user for paid subscription services without the user's knowledge, granting the developer monetary gain. Others may steal personal data that can be used for identity theft. Some may try to disguise themselves as popular apps, while yet others may appear benign (a flashlight app, for example) but request excessive permissions to steal data stored on the phone.

Following three consecutive quarters of decline, the number of blacklisted apps rose 15% between the fourth quarter of 2018 and the first quarter of 2019. Google Play had 1.4 million apps – more than three times that of the Apple App Store – and accounted for 58% of all blacklisted apps in 2018. The next highest blacklisted store was 9Apps, which made up about 19% of the blacklist total. Feral apps (those listed on the open Web) accounted for nearly 9% of blacklisted mobile apps.

But Google Play is falling as a hot spot for malicious applications: The number of blacklisted apps in the store fell for the second consecutive quarter, down nearly 64% since Q3 2018. "Our data indicates Google is getting better at policing the Play store," Herman says. Rogue apps still appear given Android is the world's most popular mobile platform and the Play store is more open to developers, but new app stores are emerging with far more malicious intent.

Inside Malicious Apps  
After Google Play, which had nearly 38,000 blacklisted apps between the fourth quarter of 2018 and the first quarter of 2019, 9Game was the second most blacklisted store. Most (96%) of the applications on 9Game.com and 30% of apps in "Vmallapps" were blacklisted, RiskIQ reports.

"Our data indicates that Google is getting better at policing the Play store," Herman says. The company regularly removes blacklisted apps and does so quickly once the apps are identified.

9Game appears to be a "wholly malicious" store, with nearly every app requesting permission for the camera, location data, Wi-Fi, file system, Internet, and settings. With these permissions, any app downloaded from the store has full reign over the device that installed it. The app can install more malicious apps without the user's knowledge and send anything it finds on the phone wherever it wants. AndroidAPKDescargar is another example of a malicious store; it targeted Spanish-speaking Android users and was the most blacklisted app store in 2017.

Whether an application is obviously malicious depends on the developer's sophistication and user's awareness. Some malicious apps require permissions far beyond their function – for example, a flashlight app that requires GPS or microphone access. This is seemingly obvious; however, an app with hidden code that changes settings or downloads malware may not be.

When Good Apps Go Bad
Mobile apps created with good intentions can prove harmful if they're not properly developed. Positive Technologies explores this further in its "Vulnerabilities and Threats in Mobile Applications 2019" report, also released this week. High-risk vulnerabilities were found in 38% of iOS apps and 43% of Android apps. Insecure data storage, detected in 76% of mobile apps overall, was the most common issue. Most (89%) vulnerabilities can be exploited remotely.

Leigh-Anne Galloway, Positive Technologies' cybersecurity resilience lead, points to top security flaws: incorrect session termination, by which an attacker can access a user's session after they log out; insecure interprocess communication, by which user data can be accessed; and the absence of Certificate Pinning, which allows a man-in-the-middle attack with fake certificates.

Mobile device users' data is at risk, she adds, as 71% of mobile apps leave information exposed to unauthorized access. "Most vulnerabilities appear at the design stage of the application, before writing the code, and they can be fixed only by making changes to the code," Galloway explains, adding that unauthorized access to user data is the most common mobile app threat.

While the report often distinguishes between iOS and Android apps, it's not worth thinking about the security of specific platforms, she adds. Most flaws (74% in iOS apps and 57% in Android apps) are related to the shortcomings of protection mechanisms that arise during the design phase.

"Developers do not provide security when planning functionality," she explains. "So when developing an application, many security platform capabilities are simply not used or are used incorrectly." This contributes to similar vulnerabilities appearing in an app across platforms.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
CVE-2013-2092
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2013-2093
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2015-3166
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...