
6/21/2019
02:15 PM

Cyber-Risks Hiding Inside Mobile App Stores

As the number of blacklisted apps on Google Play continues to drop, attackers find new ways to compromise smartphones.

Mobile devices – pervasive in the workplace, heavily used, and often unregulated – present a wealth of opportunity to cybercriminals aiming to access employees' sensitive information.

The mobile threat landscape is always shifting, says Jordan Herman, researcher at RiskIQ, which recently published its "Mobile Threat Landscape Q1 2019" report. Researchers scanned more than 120 app stores and nearly 2 billion resources to detect mobile apps in the wild. In the past four quarters, RiskIQ has categorized 8 million mobile apps, of which 217,982 were blacklisted.

A rush of apps continues to flood mobile marketplaces. In the first quarter of 2019, RiskIQ saw 2.26 million new apps, nearly 6% more than the fourth quarter of 2018. Given the sheer size, scope, and complexity of the global app ecosystem, it's tough for organizations to monitor their mobile presence and protect customers and employees from an evolving range of threats.

"The fact that it changes from quarter to quarter goes to show how many different ways there are to attack mobile," Herman says. "Mobile is so ubiquitous and so ingrained in our day-to-day lives that threat actors can target users in hundreds of ways and keep trying until something works." Threats range from fake antivirus apps to phishing attempts to Magecart incidents.

As Herman points out, there are several ways to develop and distribute malicious apps. Some may sign up the user for paid subscription services without the user's knowledge, granting the developer monetary gain. Others may steal personal data that can be used for identity theft. Some may try to disguise themselves as popular apps, while yet others may appear benign (a flashlight app, for example) but request excessive permissions to steal data stored on the phone.

Following three consecutive quarters of decline, the number of blacklisted apps rose 15% between the fourth quarter of 2018 and the first quarter of 2019. Google Play had 1.4 million apps – more than three times that of the Apple App Store – and accounted for 58% of all blacklisted apps in 2018. The next highest blacklisted store was 9Apps, which made up about 19% of the blacklist total. Feral apps (those listed on the open Web) accounted for nearly 9% of blacklisted mobile apps.

But Google Play is falling as a hot spot for malicious applications: The number of blacklisted apps in the store fell for the second consecutive quarter, down nearly 64% since Q3 2018. "Our data indicates Google is getting better at policing the Play store," Herman says. Rogue apps still appear given Android is the world's most popular mobile platform and the Play store is more open to developers, but new app stores are emerging with far more malicious intent.

Inside Malicious Apps  
After Google Play, which had nearly 38,000 blacklisted apps between the fourth quarter of 2018 and the first quarter of 2019, 9Game was the second most blacklisted store. Most (96%) of the applications on 9Game.com and 30% of apps in "Vmallapps" were blacklisted, RiskIQ reports.

"Our data indicates that Google is getting better at policing the Play store," Herman says. The company regularly removes blacklisted apps and does so quickly once the apps are identified.

9Game appears to be a "wholly malicious" store, with nearly every app requesting permission for the camera, location data, Wi-Fi, file system, Internet, and settings. With these permissions, any app downloaded from the store has free rein over the device that installed it. The app can install more malicious apps without the user's knowledge and send anything it finds on the phone wherever it wants. AndroidAPKDescargar is another example of a malicious store; it targeted Spanish-speaking Android users and was the most blacklisted app store in 2017.

Whether an application is obviously malicious depends on the developer's sophistication and user's awareness. Some malicious apps require permissions far beyond their function – for example, a flashlight app that requires GPS or microphone access. This is seemingly obvious; however, an app with hidden code that changes settings or downloads malware may not be.
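The permission mismatch described above can be checked mechanically during app vetting. The following Python sketch is an added example, not code from the article or from either report: it reads a decoded AndroidManifest.xml, lists permissions beyond a per-category baseline, and reports which of the broad access groups named for 9Game apps are requested. The baseline for a flashlight app, the sample manifest, and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed baseline of what an app category plausibly needs (illustrative only).
BASELINE = {"flashlight": {P + "CAMERA", P + "FLASHLIGHT"}}

# Access groups the article lists for 9Game apps, mapped to Android permission names.
BROAD_ACCESS = {
    "camera": {P + "CAMERA"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "wifi": {P + "ACCESS_WIFI_STATE", P + "CHANGE_WIFI_STATE"},
    "file system": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "internet": {P + "INTERNET"},
    "settings": {P + "WRITE_SETTINGS"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifest_xml, category):
    """Compare declared permissions with the category baseline.

    An unknown category has an empty baseline, so every permission is reported.
    """
    perms = requested_permissions(manifest_xml)
    excess = sorted(perms - BASELINE.get(category, set()))
    groups = sorted(g for g, names in BROAD_ACCESS.items() if perms & names)
    return {"excess": excess, "groups": groups,
            "all_broad_groups": len(groups) == len(BROAD_ACCESS)}

# Constructed sample: a flashlight app asking for location and microphone access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, "flashlight"))
```

A manifest check like this only catches the obvious case; as the paragraph above notes, an app with hidden code that changes settings or downloads malware will not stand out on permissions alone.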

When Good Apps Go Bad
Mobile apps created with good intentions can prove harmful if they're not properly developed. Positive Technologies explores this further in its "Vulnerabilities and Threats in Mobile Applications 2019" report, also released this week. High-risk vulnerabilities were found in 38% of iOS apps and 43% of Android apps. Insecure data storage, detected in 76% of mobile apps overall, was the most common issue. Most (89%) vulnerabilities can be exploited remotely.

Leigh-Anne Galloway, Positive Technologies' cybersecurity resilience lead, points to top security flaws: incorrect session termination, by which an attacker can access a user's session after they log out; insecure interprocess communication, by which user data can be accessed; and the absence of Certificate Pinning, which allows a man-in-the-middle attack with fake certificates.

Mobile device users' data is at risk, she adds, as 71% of mobile apps leave information exposed to unauthorized access. "Most vulnerabilities appear at the design stage of the application, before writing the code, and they can be fixed only by making changes to the code," Galloway explains, adding that unauthorized access to user data is the most common mobile app threat.

While the report often distinguishes between iOS and Android apps, it's not worth thinking about the security of specific platforms, she adds. Most flaws (74% in iOS apps and 57% in Android apps) are related to the shortcomings of protection mechanisms that arise during the design phase.

"Developers do not provide security when planning functionality," she explains. "So when developing an application, many security platform capabilities are simply not used or are used incorrectly." This contributes to similar vulnerabilities appearing in an app across platforms.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 
