3/24/2016
11:30 AM
Avi Bashan
Commentary

Mobile Security: Why App Stores Don't Keep Users Safe

In a preview of his Black Hat Asia Briefing next week, a security researcher offers more proof of trouble in the walled gardens of the Apple and Google App stores.

For years, users have relied on best practices to protect themselves from mobile malware. This was based on the assumption that if you download only high-reputation apps from official app stores (both Google Play and the Apple App Store), you will be safe. However, this paradigm has been challenged over the past year as more and more malicious apps infiltrate these official fortresses.

It’s a phenomenon that can no longer be ignored; malware on app stores can’t be treated as inconsequential, isolated incidents. Both Google Play and the Apple App Store have been penetrated repeatedly, exposing users to various types of malware. Even Apple advocates can no longer rely on the Apple app review process to scrutinize apps in order to protect iPhones and iPads. Let’s take a look at four apps that climbed over the Google and Apple walled gardens.

Certifi-gate

Certifi-gate is a set of Android vulnerabilities discovered by Check Point in August 2015. These vulnerabilities enabled attackers to gain high-level privileges without the user’s consent by exploiting apps signed by OEMs. Apps that are signed by an OEM can gain privileged permissions such as screen recording and user input simulation. Check Point researchers discovered that the authentication mechanism used by these OEM-signed apps can be bypassed by a malicious app, which can then exploit those privileges in order to take control of the device.

Following the discovery, disclosure, and publication of the vulnerability, Google released a statement that Google Play doesn’t contain any malicious apps exploiting vulnerable plugins. However, two weeks after the announcement, the Check Point research team discovered a malicious app exploiting the vulnerability in order to record a device screen.

XcodeGhost

Apple’s official integrated development environment is called Xcode. Cybercriminals managed to create a modified version of Xcode, which was published on third-party websites. This modified Xcode version injects malicious code into every app compiled with it. These infected apps managed to bypass the Apple code review process time and again.

Though this is not the first malicious code that has managed to get into the App Store, it was one of the largest numbers of malicious apps to get in to date, proving that even Apple’s current review mechanism can’t secure users effectively. Just as in the Certifi-gate case, malware continued to infiltrate the App Store even after Apple knew about its existence and after it tried to block it.
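Because the XcodeGhost apps were built with a tampered toolchain rather than written to be malicious, the defender's check belongs on the developer's machine, not in the store. Apple's guidance after XcodeGhost was to run `spctl --assess --verbose` against the Xcode bundle and expect a verdict of `accepted` with a source of `Mac App Store`, `Apple System` or `Apple`; any other verdict or source means the copy of Xcode is not the one Apple signed. The script below is an added example (not code from the article, from Check Point, or from Apple) that wraps that check so it can be run on a build machine or in CI. It assumes the default `/Applications/Xcode.app` install path and the `spctl` output format shown in its own constructed sample strings.

```shell
#!/bin/sh
# Added example: validate that the installed Xcode bundle is Apple-signed.
# The spctl invocation and the accepted "source=" values follow Apple's
# post-XcodeGhost guidance; the default path below is an assumption.

XCODE_APP="${XCODE_APP:-/Applications/Xcode.app}"

# xcode_verdict OUTPUT
# Takes the text produced by `spctl --assess --verbose <bundle>` and returns
# 0 only when the bundle was accepted AND its source is Apple-controlled.
# Anything else (rejected, no usable signature, a third-party Developer ID
# re-signing) returns 1 so the caller can fail the build.
xcode_verdict() {
    output="$1"
    case "$output" in
        *": accepted"*) ;;          # assessment passed; still check the source
        *) return 1 ;;              # "rejected" or unexpected output
    esac
    # Pull the value of the first "source=" line.
    source_line=$(printf '%s\n' "$output" | sed -n 's/^source=//p' | head -n 1)
    case "$source_line" in
        "Mac App Store"|"Apple System"|"Apple") return 0 ;;
        *) return 1 ;;              # e.g. "no usable signature", "Developer ID"
    esac
}

# check_xcode [PATH]
# Runs the live assessment on a real bundle and prints a verdict.
# Exit codes: 0 = Apple-signed, 1 = failed validation, 2 = spctl unavailable.
check_xcode() {
    path="${1:-$XCODE_APP}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not available (this check only runs on macOS)" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$path" 2>&1)
    if xcode_verdict "$out"; then
        echo "OK: $path is Apple-signed"
        return 0
    fi
    echo "WARNING: $path failed validation; do not build with it:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Run the live check only when invoked as `sh xcode_check.sh run [PATH]`,
# so the functions can also be sourced from another script.
if [ "${1:-}" = "run" ]; then
    check_xcode "${2:-}"
fi
```

The verdict logic is kept separate from the `spctl` call so it can be unit-tested with captured output on any platform; in a pipeline, a non-zero exit from `check_xcode` should block the build step that invokes `xcodebuild`.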

BrainTest

In September 2015, Check Point researchers discovered a new malicious app on the Google Play store that managed to bypass Google Bouncer, Google’s app scanning mechanism, using two different components to get in.

The first and seemingly benign component is the dropper. Once installed, the dropper checks whether it’s being executed on Google’s servers and, if so, it will not execute malicious commands. Then, if installed on a user’s actual device, the dropper will download the second component to act on its malicious objective. The malicious app then continues to download fraudulent apps to generate revenue for attackers.

Sure enough, just like in the two previous cases, BrainTest returned to Google Play a few months later, this time embedded in 13 different applications. Google was yet again unable to prevent this known threat from infiltrating its protected app store.

Broken app security and verification

Both the Apple App Store and Google Play have been infected by malware time after time. Clearly, Apple and Google are unable to cope with known malware and attack vectors, let alone new ones. Attackers continue to use the same techniques to bypass security measures successfully. Making matters worse, they’re finding new loopholes in app store defenses all the time.

Unsuspecting users who follow the recommended best practice of downloading apps only from the official app stores are still finding themselves under attack. And enterprises, like consumers, can’t afford to be vulnerable to mobile malware on their networks. One infection is all it takes to compromise the sensitive business data that enterprises strive so hard to protect.

In his Black Hat Asia presentation, Enterprise Apps: Bypassing the iOS Gatekeeper, Avi and co-presenter Ohad Bobrov take a deep dive into how enterprise-signed apps have been used to attack iOS devices, and offer examples of usage discovered in the wild. Black Hat Asia 2016 begins next week.

Avi Bashan is a technology leader at Check Point and former senior security researcher and CISO at Lacoon Mobile Security. With more than 10 years of experience in the mobile, networking, and security industries, Avi is one of the main figures in the research and engineering ...
Comments
Jeremseo, User Rank: Strategist, 4/5/2016 | 10:54:39 AM
Security
For me I feel the same way. Like for one moment when I am searching something online and I feel like someone is tracking my life... It feels quite strange and uncomfortable. I don't have a lot of apps on my phone either.
WoW100, User Rank: Apprentice, 3/26/2016 | 7:38:34 AM
Security
The security of our mobiles is important, and that's why I don't download many apps to my smartphone. I don't want to be tracked by a lot of companies just to sell me products. So I have the security of data users will increase.