10/24/2019
11:30 AM

Mobile Users Targeted With Malware, Tracked by Advertisers

Cybercriminals continue to seed app stores with malicious apps, advanced attackers successfully compromise mobile devices, and advertisers continue to track users, new reports show.

The ubiquity of mobile devices continues to attract attackers as malicious apps have surged 20% across third-party app stores, advertisers and tracking firms account for nine of 10 API calls for top mobile applications, and nation-state actors increasingly target mobile devices, according to a trio of reports released this week.

In one measure of the threat, the number of malicious apps blacklisted by RiskIQ increased 20% over the previous quarter and accounted for 2.1% of all apps tracked by RiskIQ - up from 1.95%, the company stated in its quarterly mobile threat report released on Oct. 24.

In a separate report, security-solutions provider BlackBerry Cylance found that a collection of nation-state actors — including China, Iran, and North Korea — have honed their ability to develop and deploy Android and iOS malware over more than a decade. The strong security of mobile platforms has caused gray-market prices for "zero-click exploits" — attacks that can automatically infect devices — to jump to $1 million for Android and $2.5 million for iOS devices, but the platforms still are not immune to attack, says Brian Robison, chief security evangelist at BlackBerry Cylance.

"This preconceived notion that app-store apps are actually safe is a fallacy," he says. "The motivation behind the app stores have very little to do with security, and much more with protecting the app store's profit margins as well as protecting the ways developers make money."

Because so much user activity is conducted on mobile devices, they have naturally become a focus for third parties. While cybercriminals continue to strive to convince users to download and install malicious mobile apps, developers' reliance on third-party advertising frameworks and other software development kits means that a host of companies have a detailed view into what consumers are doing on their devices.  

In a study of the ten most popular apps in the shopping and food-and-drink categories, The Media Trust, a security and privacy firm, found that 9 out of every 10 times an application reached out to the Internet, the software was contacting a third-party provider. On average, 13 third parties were privy to information during the installation of the software, while 23 vendors tracked purchases. About 70% of the cookies dropped by third parties were advertisers or ad-server networks. Another 18% of the cookies belonged to firms that tracked user behavior.

Often, even the app developers do not know all the third-party activity going on behind the scenes, The Media Trust said.

"App publishers should work with experts on monitoring their apps for unauthorized actors and activities," the company stated in the report. "These third parties collect user information in real-time, ranging from data users enter to screenshots. Policing these third and nth parties' activities is both time- and resource-intensive because of the digital supply chain's lack of transparency, dynamism, and complexity."

Advanced-threat groups, primarily nation-state actors, have also targeted mobile applications. Driven by two main goals, economic and political espionage and surveillance of dissidents and perceived threats, nation-state actors are targeting mobile devices because of their ubiquity. The assumption that the mobile ecosystem can protect mobile users from such a class of attackers is spurious, says BlackBerry Cylance's Robison.

"Definitely the attackers are getting far more sophisticated," he says. "The mobile devices are getting far more complex, and it is easier to hide code in different areas and trick users to install the attacker's code."

Some Good News

Not all news is bad for mobile security. While advanced attackers have been able to circumvent the security of devices, the app stores are getting better at finding malicious applications, and much of the increase in malicious applications is due to a few app stores, where "you're almost guaranteed to download a malicious app if you choose to patronize it," according to RiskIQ's report.

Google for years has focused on cleaning up bad actors on its Play store, and as a result, users have less chance of encountering malicious applications on the store, according to security firm RiskIQ. The number of blacklisted apps in Google's Play store decreased by 59%, the company's report stated.

"I doubt that the problem will ever fully be resolved just due to the nature and complexity of the Android ecosystem," says Jordan Herman, a threat researcher at RiskIQ. "However, we've seen steady declines in both the actual numbers of malicious apps in their store and in the percentage of newly blacklisted apps versus the total newly added apps. It seems that their efforts are paying off."

For the average person who is not a dissident and who does not shop third-party app stores, the most significant threat is the surveilling and profiling conducted by third-party advertising firms. Consumers should focus on reviewing the privacy practices and statements of third-party firms and look out for apps that require too many permissions, he says.

"Regardless of what store an app comes from, check the permissions the app is asking for," says Herman. "If the permissions are unnecessary for the app's purpose, or the permissions seem numerous, closer scrutiny of the app is not a bad thing."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19619
PUBLISHED: 2019-12-06
domain/section/markdown/markdown.go in Documize before 3.5.1 mishandles untrusted Markdown content. This was addressed by adding the bluemonday HTML sanitizer to defend against XSS.
CVE-2019-19616
PUBLISHED: 2019-12-06
An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment fun...
CVE-2019-19617
PUBLISHED: 2019-12-06
phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php.
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.