Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

10/24/2019
11:30 AM
50%
50%

Mobile Users Targeted With Malware, Tracked by Advertisers

Cybercriminals continue to seed app stores with malicious apps, advanced attackers successfully compromise mobile devices, and advertisers continue to track users, new reports show.

The ubiquity of mobile devices continues to attract attackers as malicious apps have surged 20% across third-party app stores, advertisers and tracking firms account for nine of 10 API calls for top mobile applications, and nation-state actors increasingly target mobile devices, according to a trio of reports released this week.

In one measure of the threat, the number of malicious apps blacklisted by RiskIQ increased 20% over the previous quarter and accounted for 2.1% of all apps tracked by RiskIQ - up from 1.95%, the company stated in its quarterly mobile threat report released on Oct. 24.

In a separate report, security-solutions provider Blackberry Cylance found that a collection of nation-state actors — including China, Iran, and North Korea — have honed their ability to develop and deploy Android and iOS malware over more than a decade. The strong security of mobile platforms has increased gray-market prices for "zero-click exploits" — attacks that can automatically infect devices — to jump to $1 million for Android and $2.5 million for iOS devices, but the platforms still are not immune to attack, says Brian Robison, chief security evangelist at BlackBerry Cylance.

"This preconceived notion that app-store apps are actually safe is a fallacy," he says. "The motivation behind the app stores have very little to do with security, and much more with protecting the app store's profit margins as well as protecting the ways developers make money."

Because so much user activity is conducted on mobile devices, they have naturally become a focus for third parties. While cybercriminals continue to strive to convince users to download and install malicious mobile apps, developers' reliance on third-party advertising frameworks and other software development kits means that a host of companies have a detailed view into what consumers are doing on their devices.  

In a study of the ten most popular apps in the shopping and food-and-drink categories, The Media Trust, a security and privacy firm, found that 9 out of every 10 times an application reached out to the Internet, the software was contacting a third-party provider. On average, 13 third parties were privy to information during the installation of the software, while 23 vendors tracked purchases. About 70% of the cookies dropped by third parties were advertisers or ad-server networks. Another 18% of the cookies belonged to firms that tracked user behavior.

Often, even the app developers do not know all the third-party activity going on behind the scenes, The Media Trust said.

"App publishers should work with experts on monitoring their apps for unauthorized actors and activities," the company stated in the report. "These third parties collect user information in real-time, ranging from data users enter to screenshots. Policing these third and nth parties' activities is both time- and resource-intensive because of the digital supply chain's lack of transparency, dynamism, and complexity."

Advanced-threat groups, primarily nation-state actors, have also targeted mobile applications. Driven by two main goals, economic and political espionage and surveillance of dissidents and perceived threats, nation-state actors are targeting mobile devices because of their ubiquity. The assumption that the mobile ecosystem can protect mobile users from such a class of attackers is spurious, says Blackberry Cylance's Robison.

"Definitely the attackers are getting far more sophisticated," he says. "The mobile devices are getting far more complex, and it is easier to hide code in different areas and trick users to install the attacker's code."

Some Good News

Not all news is bad for mobile security. While advanced attackers have been able to circumvent the security of devices, the app stores are getting better are finding malicious applications and much of the increase in malicious applications is due to a few app stores, where "you're almost guaranteed to download a malicious app if you choose to patronize it," according to RiskIQ's report.

Google for years has focused on cleaning up bad actors on its Play store, and as a result, users have less chance of encountering malicious applications on the store, according to security firm RiskIQ. The number of blacklisted apps in Google's Play store decreased by 59%, the company's report stated.

"I doubt that the problem will ever fully be resolved just due to the nature and complexity of the Android ecosystem," says Jordan Herman, a threat researcher at RiskIQ. "However, we've seen steady declines in both the actual numbers of malicious apps in their store and in the percentage of newly blacklisted apps versus the total newly added apps. It seems that their efforts are paying off."

For the average person who is not a dissident and who does not shop third-party app stores, the most significant threat is the surveilling and profiling conducted by third-party advertising firms. Consumers should focus on reviewing the privacy practices and statement of third party firms and look out for apps the require too many permissions, he says.

"Regardless of what store an app comes from, check the permissions the app is asking for," says Herman. "If the permissions are unnecessary for the app's purpose, or the permissions seem numerous, closer scrutiny of the app is not a bad thing."

Related Content

 

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10766
PUBLISHED: 2019-11-19
Pixie versions 1.0.x before 1.0.3, and 2.0.x before 2.0.2 allow SQL Injection in the limit() function due to improper sanitization.
CVE-2019-11289
PUBLISHED: 2019-11-19
Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthorized malicious user could forge a route service request using an invalid nonce that will cause the Gorouter to crash.
CVE-2011-2922
PUBLISHED: 2019-11-19
ktsuss versions 1.4 and prior spawns the GTK interface to run as root. This can allow a local attacker to escalate privileges to root and use the "GTK_MODULES" environment variable to possibly execute arbitrary code.
CVE-2019-18934
PUBLISHED: 2019-11-19
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.
CVE-2012-6070
PUBLISHED: 2019-11-19
Falconpl before 0.9.6.9-git20120606 misuses the libcurl API which may allow remote attackers to interfere with security checks.