2/22/2019 03:15 PM
Robert Lemos

Lessons From the War on Malicious Mobile Apps

Despite the openness of the Android platform, Google has managed to keep its Play store mainly free of malware and malicious apps. Outside of the marketplace is a different matter.

In 2018, Google saw more attacks on users' privacy, continued to fight against dishonest developers, and focused on detecting the more sophisticated tactics of mobile malware and adware developers, the Internet giant stated in a recent blog post. 

Google's efforts — and those of various security firms — highlight that, despite ongoing success against mobile malware, attackers continue to improve their techniques. Malware developers continue to find new ways to hide functionality in otherwise legitimate-seeming apps. Mobile applications with potentially unwanted functionality, so-called PUAs, and applications that eventually download additional functionality or drop malicious code, known as droppers, are both significant threats, according to security firm Kaspersky Lab.

For Google, the fight against malicious mobile app developers is an unrelenting war to keep bad code off its Google Play app store, the firm said. 

"Despite our enhanced and added layers of defense against bad apps, we know bad actors will continue to try to evade our systems by changing their tactics and cloaking bad behaviors," said Andrew Ahn, product manager of Google Play, in a Feb. 13 blog post. "We will continue to enhance our capabilities to counter such adversarial behavior, and work relentlessly to provide our users with a secure and safe app store."

Data from 2018 and prior years reveals a sharp divide between those Android users who download applications exclusively from well-maintained app stores and those who expose themselves to risk by installing standalone apps — so-called sideloading — or downloading applications from third-party providers. 

For Android users who only download apps from Google Play and do not allow the sideloading of non-Play applications, mobile malware is not a major threat, affecting less than 1% of users in any given year.

"Sticking with Google Play is certainly the best source to get your apps from," says Christoph Hebeisen, senior manager of security intelligence at mobile-security firm Lookout. "As we know, it hasn't been completely clean, but they've done a good job."

Yet almost 10% of US Android users — and more than 40% of users in other countries, such as Iran and Bangladesh — encountered at least one instance of malware attempting to install in 2018, according to Kaspersky Lab.

While such data suggests some simple lessons, some surprising trends have emerged from 2018.

The Security Is in the Ecosystem
Despite the occasional discovery of malicious apps on its Play store, current data indicates that Google continues to have success in its battle against malware authors and rogue developers. 

Among its ecosystem's defenses, Google's Play Protect system scans more than 50 billion apps on users' devices every day to detect malicious activity, according to the firm. In 2018, Google removed tens of thousands of apps for violating its stricter privacy policies. The company has also increased its efforts to catch malicious apps submitted to the Google Play store, rejecting 55% more app submissions and suspending 66% more apps for policy violations.

"These increases can be attributed to our continued efforts to tighten policies to reduce the number of harmful apps on the Play Store, as well as our investments in automated protections and human review processes that play critical roles in identifying and enforcing on bad apps," the company stated.

These successes, however, rely on the entire ecosystem working together. Google Play Protect, for example, does not perform as well against malware compared with bespoke applications from security firms: It detected only about two-thirds of malware in real time, compared with nearly 100% detection for mobile-security apps.

Third-Party App Stores Have High Malware Rates
Third-party app stores do not have the same level of security as Google's marketplace. Google's data shows it is eight times more likely that users download harmful apps from third-party stores than from Google Play, the company stated. A 2016 academic paper by researchers at Yokohama National University and Delft University of Technology found that about one in five apps in three independent app stores were malicious, and that the stores took a very long time to remove the offending apps.

While the Google Play store did actively seek to remove the malicious apps from its servers, a cluster of malicious apps that persisted showed that users should be wary of any app store's incentives, the researchers said.

"The fact that these apps are flagged by AV vendors points to a divergence in incentives between the vendors, the users and the market operators," the academic paper stated. "Ads, including third-party advertisement libraries and networks, are a core part of the app market and the different revenue models it supports. The market operator has an incentive to allow and even enable advertisement-related revenue for developers who operate within the terms of service."

Some Countries Have Extremely High Malware Rates
Dependence on third-party app stores and installing individual apps through sideloading means that users in many countries are exposed to greater risk. The top-10 countries whose users are most often attacked by mobile malware all have annual encounter rates greater than 25%, meaning a quarter of users have experienced at least one incident of malicious software attempting to install itself on their devices, according to Kaspersky Lab.

The United States is in 29th place, according to the yet-to-be-published data, with a 9.9% encounter rate. While malicious apps can be uploaded to Google Play, rogue developers often use spam to direct users to download untrusted applications, says Victor Chebyshev, security expert at Kaspersky Lab. 

"The Android operating system still has possibility to install malicious applications from third parties," he says. "Tricking victims to download and install applications from elsewhere is the most widespread attack vector."

Other Attacks Pose More of a Threat for Mobile Users
While rogue developers continue to create a spectrum of malicious and unwanted apps, other techniques are often used to monetize mobile devices. In its annual report on mobile threats, mobile security firm Wandera stated that phishing attacks have become very common, with 57% of all organizations experiencing a phishing incident in 2018. Attackers are spending more time researching their targets to make the attacks more convincing, the company said.

For the most part, mobile malware is not the preferred way to attack mobile users, the firm stated.

"Malware is certainly a real threat," said Michael Covington, Wandera's vice president of product strategy, in the report. "Our cursory research shows that there are more mobile malware samples in the wild, but they aren't taking hold on the end user devices in any meaningful way."

For users who stick with a secure ecosystem, Kaspersky Lab points to a variety of other techniques that pose more of a risk than mobile malware, such as unsecured Wi-Fi hotspots, phone scams, and — less common — remote exploitation of vulnerabilities.

Searching for Apps Increases the Chance to Encounter Malware
One unexpected lesson is that searching for a specific application or type of program can lead to malware. Because attackers have become experts in finding ways to increase the popularity of their malicious apps, they can often boost the visibility of their programs in the store. In the 2016 study of the Google Play store and three other third-party stores, researchers found that search results often contained malicious apps.

"When users of Google Play search with specific keywords, they may have a 50 times higher probability of encountering malware than when selecting from the popular app list," the researchers stated.

In the end, expect attackers to adapt and innovate to create better ways of mining value out of compromised devices, as people continue to increasingly use their mobile phones and track a greater part of their lives using the devices.

"Mobile devices are a large target, and they are only getting larger as we put more and more of our information on them," Lookout's Hebeisen says.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...