Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/24/2016
11:30 AM
Avi Bashan
Avi Bashan
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Mobile Security: Why App Stores Dont Keep Users Safe

In a preview of his Black Hat Asia Briefing next week, a security researcher offers more proof of trouble in the walled gardens of the Apple and Google App stores.

For years, users have relied on best practices to protect themselves from mobile malware. This was based on the assumption that if you download only high reputation apps from official app stores (both Google Play and the Apple App Store), you will be safe. However, this paradigm has been challenged in the passing year as more and more malicious apps infiltrate these official fortresses.

It’s a phenomenon that can no longer be ignored; malware on app stores can’t be treated as inconsequential, isolated incidents. Both Google Play and the Apple App Store have been penetrated repeatedly, exposing users to various types of malware. Even Apple advocates can no longer rely on the Apple app review process to scrutinize apps in order to protect iPhones and iPads. Let’s take a look at four apps that climbed over the Google and Apple walls and gardens.

Certifi-gate

Certifi-gate is a set of Android vulnerabilities discovered by Check Point in August 2015. These vulnerabilities enabled attackers to gain high-level privileges without the user’s consent by exploiting apps signed by OEMs. Apps which are signed by an OEM can gain privileged permissions such as screen recording and user input simulation. Check Point researchers discovered that the authentication mechanism used by these OEM signed apps can be bypassed by a malicious app, and can then be exploited in order to take control of the device.

Following the discovery, disclosure, and publication of the vulnerability, Google released a statement that Google Play doesn’t contain any malicious apps exploiting vulnerable plugins. However, two weeks after the announcement, the Check Point research team discovered a malicious app exploiting the vulnerability in order to record a device screen.

Xcodeghost

The official integrated Apple development environment is called Xcode. Cybercriminals managed to create a modified version of Xcode which was published on third-party websites. This modified Xcode version injects malicious code into every app compiled using it. These infected apps managed to bypass the Apple code review process time and again.

Though this is not the first malicious code that has managed to get into the App Store, it was one of the largest number of malicious apps to get in to date, proving that even Apple’s current review mechanism can’t secure users effectively. Just as in the Certifi-gate case, malware continued to infiltrate the App Store even after Apple knew about its existence and after it tried to block it.

BrainTest

In September 2015, Check Point researchers discovered a new malicious app on the Google Play store that managed to bypass Google Bouncer, Google’s app scanning mechanism, using two different components to get in.

The first and seemingly benign component is the dropper. Once installed, the dropper checks whether it’s being executed on Google’s servers and, if so, it will not execute malicious commands. Then, if installed on a user’s actual device, the dropper will download the second component to act on its malicious objective. The malicious app then continues to download fraudulent apps to generate revenue for attackers.

Sure enough, just like in the two previous cases, BrainTest returned to Google Play a few months later, this time embedded in 13 different applications. Google was yet again unable to prevent this known threat from infiltrating its protected app store.

Broken app security and verification.

Both the Apple App Store and Google Play have been infected by malware time after time. Clearly, Apple and Google are unable to cope with known malware and attack vectors, let alone new ones. Attackers continue to use the same techniques to bypass security measures successfully. Making matters worse, they’re finding new loopholes in app store defenses all the time.

Unsuspecting users who follow the recommended best practice of downloading only apps from the official app stores are still finding themselves under attack. And enterprises, like consumers, can’t afford to be vulnerable to mobile malware on their networks. One infection is all it takes to compromise sensitive business data enterprises strive so hard to protect.

In his Black Hat Asia presentation, Enterprise Apps: Bypassing the iOS Gatekeeper, Avi and co-presenter Ohad Bobrov take a deep dive into how enterprise-signed apps have been used to attack iOS devices, and offer examples of usages discovered in the wild. Click here for more about Black Hat Asia 2016, which begins next week.  

Related Content:

 

 

Avi Bashan is a technology leader at Check Point and former senior security researcher and CISO at Lacoon Mobile Security. With more than 10 years of experience in the mobile, networking, and security industries, Avi is one of the main figures in the research and engineering ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
WoW100
50%
50%
WoW100,
User Rank: Apprentice
3/26/2016 | 7:38:34 AM
Security
The security of our mobiles are important, and that's why i dont download many apps to my smartphone. I don't want to be track by a lot of companies just to sell me products. So i have the security of data users will increase.
Jeremseo
50%
50%
Jeremseo,
User Rank: Strategist
4/5/2016 | 10:54:39 AM
Security
For me I feel the same way. Like for one moment when I am searching something online and I feel like someone is tracking my life... It feels quite strange and uncomfortable. I dont have a lot of apps on my phone either.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29070
PUBLISHED: 2020-11-25
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
CVE-2020-26212
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...
CVE-2020-26243
PUBLISHED: 2020-11-25
Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded...
CVE-2020-25650
PUBLISHED: 2020-11-25
A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service fo...
CVE-2020-29071
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...