Vulnerabilities / Threats

3/24/2016
11:30 AM
Avi Bashan
Avi Bashan
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Mobile Security: Why App Stores Dont Keep Users Safe

In a preview of his Black Hat Asia Briefing next week, a security researcher offers more proof of trouble in the walled gardens of the Apple and Google App stores.

For years, users have relied on best practices to protect themselves from mobile malware. This was based on the assumption that if you download only high reputation apps from official app stores (both Google Play and the Apple App Store), you will be safe. However, this paradigm has been challenged in the passing year as more and more malicious apps infiltrate these official fortresses.

It’s a phenomenon that can no longer be ignored; malware on app stores can’t be treated as inconsequential, isolated incidents. Both Google Play and the Apple App Store have been penetrated repeatedly, exposing users to various types of malware. Even Apple advocates can no longer rely on the Apple app review process to scrutinize apps in order to protect iPhones and iPads. Let’s take a look at four apps that climbed over the Google and Apple walls and gardens.

Certifi-gate

Certifi-gate is a set of Android vulnerabilities discovered by Check Point in August 2015. These vulnerabilities enabled attackers to gain high-level privileges without the user’s consent by exploiting apps signed by OEMs. Apps which are signed by an OEM can gain privileged permissions such as screen recording and user input simulation. Check Point researchers discovered that the authentication mechanism used by these OEM signed apps can be bypassed by a malicious app, and can then be exploited in order to take control of the device.

Following the discovery, disclosure, and publication of the vulnerability, Google released a statement that Google Play doesn’t contain any malicious apps exploiting vulnerable plugins. However, two weeks after the announcement, the Check Point research team discovered a malicious app exploiting the vulnerability in order to record a device screen.

Xcodeghost

The official integrated Apple development environment is called Xcode. Cybercriminals managed to create a modified version of Xcode which was published on third-party websites. This modified Xcode version injects malicious code into every app compiled using it. These infected apps managed to bypass the Apple code review process time and again.

Though this is not the first malicious code that has managed to get into the App Store, it was one of the largest number of malicious apps to get in to date, proving that even Apple’s current review mechanism can’t secure users effectively. Just as in the Certifi-gate case, malware continued to infiltrate the App Store even after Apple knew about its existence and after it tried to block it.

BrainTest

In September 2015, Check Point researchers discovered a new malicious app on the Google Play store that managed to bypass Google Bouncer, Google’s app scanning mechanism, using two different components to get in.

The first and seemingly benign component is the dropper. Once installed, the dropper checks whether it’s being executed on Google’s servers and, if so, it will not execute malicious commands. Then, if installed on a user’s actual device, the dropper will download the second component to act on its malicious objective. The malicious app then continues to download fraudulent apps to generate revenue for attackers.

Sure enough, just like in the two previous cases, BrainTest returned to Google Play a few months later, this time embedded in 13 different applications. Google was yet again unable to prevent this known threat from infiltrating its protected app store.

Broken app security and verification.

Both the Apple App Store and Google Play have been infected by malware time after time. Clearly, Apple and Google are unable to cope with known malware and attack vectors, let alone new ones. Attackers continue to use the same techniques to bypass security measures successfully. Making matters worse, they’re finding new loopholes in app store defenses all the time.

Unsuspecting users who follow the recommended best practice of downloading only apps from the official app stores are still finding themselves under attack. And enterprises, like consumers, can’t afford to be vulnerable to mobile malware on their networks. One infection is all it takes to compromise sensitive business data enterprises strive so hard to protect.

In his Black Hat Asia presentation, Enterprise Apps: Bypassing the iOS Gatekeeper, Avi and co-presenter Ohad Bobrov take a deep dive into how enterprise-signed apps have been used to attack iOS devices, and offer examples of usages discovered in the wild. Click here for more about Black Hat Asia 2016, which begins next week.  

Related Content:

 

 

Avi Bashan is a technology leader at Check Point and former senior security researcher and CISO at Lacoon Mobile Security. With more than 10 years of experience in the mobile, networking, and security industries, Avi is one of the main figures in the research and engineering ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jeremseo
50%
50%
Jeremseo,
User Rank: Strategist
4/5/2016 | 10:54:39 AM
Security
For me I feel the same way. Like for one moment when I am searching something online and I feel like someone is tracking my life... It feels quite strange and uncomfortable. I dont have a lot of apps on my phone either.
WoW100
50%
50%
WoW100,
User Rank: Apprentice
3/26/2016 | 7:38:34 AM
Security
The security of our mobiles are important, and that's why i dont download many apps to my smartphone. I don't want to be track by a lot of companies just to sell me products. So i have the security of data users will increase.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.