Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/24/2016
11:30 AM
Avi Bashan
Avi Bashan
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Mobile Security: Why App Stores Don’t Keep Users Safe

In a preview of his Black Hat Asia Briefing next week, a security researcher offers more proof of trouble in the walled gardens of the Apple and Google App stores.

For years, users have relied on best practices to protect themselves from mobile malware. This was based on the assumption that if you download only high reputation apps from official app stores (both Google Play and the Apple App Store), you will be safe. However, this paradigm has been challenged in the passing year as more and more malicious apps infiltrate these official fortresses.

It’s a phenomenon that can no longer be ignored; malware on app stores can’t be treated as inconsequential, isolated incidents. Both Google Play and the Apple App Store have been penetrated repeatedly, exposing users to various types of malware. Even Apple advocates can no longer rely on the Apple app review process to scrutinize apps in order to protect iPhones and iPads. Let’s take a look at four apps that climbed over the Google and Apple walls and gardens.

Certifi-gate

Certifi-gate is a set of Android vulnerabilities discovered by Check Point in August 2015. These vulnerabilities enabled attackers to gain high-level privileges without the user’s consent by exploiting apps signed by OEMs. Apps which are signed by an OEM can gain privileged permissions such as screen recording and user input simulation. Check Point researchers discovered that the authentication mechanism used by these OEM signed apps can be bypassed by a malicious app, and can then be exploited in order to take control of the device.

Following the discovery, disclosure, and publication of the vulnerability, Google released a statement that Google Play doesn’t contain any malicious apps exploiting vulnerable plugins. However, two weeks after the announcement, the Check Point research team discovered a malicious app exploiting the vulnerability in order to record a device screen.

Xcodeghost

The official integrated Apple development environment is called Xcode. Cybercriminals managed to create a modified version of Xcode which was published on third-party websites. This modified Xcode version injects malicious code into every app compiled using it. These infected apps managed to bypass the Apple code review process time and again.

Though this is not the first malicious code that has managed to get into the App Store, it was one of the largest number of malicious apps to get in to date, proving that even Apple’s current review mechanism can’t secure users effectively. Just as in the Certifi-gate case, malware continued to infiltrate the App Store even after Apple knew about its existence and after it tried to block it.

BrainTest

In September 2015, Check Point researchers discovered a new malicious app on the Google Play store that managed to bypass Google Bouncer, Google’s app scanning mechanism, using two different components to get in.

The first and seemingly benign component is the dropper. Once installed, the dropper checks whether it’s being executed on Google’s servers and, if so, it will not execute malicious commands. Then, if installed on a user’s actual device, the dropper will download the second component to act on its malicious objective. The malicious app then continues to download fraudulent apps to generate revenue for attackers.

Sure enough, just like in the two previous cases, BrainTest returned to Google Play a few months later, this time embedded in 13 different applications. Google was yet again unable to prevent this known threat from infiltrating its protected app store.

Broken app security and verification.

Both the Apple App Store and Google Play have been infected by malware time after time. Clearly, Apple and Google are unable to cope with known malware and attack vectors, let alone new ones. Attackers continue to use the same techniques to bypass security measures successfully. Making matters worse, they’re finding new loopholes in app store defenses all the time.

Unsuspecting users who follow the recommended best practice of downloading only apps from the official app stores are still finding themselves under attack. And enterprises, like consumers, can’t afford to be vulnerable to mobile malware on their networks. One infection is all it takes to compromise sensitive business data enterprises strive so hard to protect.

In his Black Hat Asia presentation, Enterprise Apps: Bypassing the iOS Gatekeeper, Avi and co-presenter Ohad Bobrov take a deep dive into how enterprise-signed apps have been used to attack iOS devices, and offer examples of usages discovered in the wild. Click here for more about Black Hat Asia 2016, which begins next week.  

Related Content:

 

 

Avi Bashan is a technology leader at Check Point and former senior security researcher and CISO at Lacoon Mobile Security. With more than 10 years of experience in the mobile, networking, and security industries, Avi is one of the main figures in the research and engineering ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
WoW100
50%
50%
WoW100,
User Rank: Apprentice
3/26/2016 | 7:38:34 AM
Security
The security of our mobiles are important, and that's why i dont download many apps to my smartphone. I don't want to be track by a lot of companies just to sell me products. So i have the security of data users will increase.
Jeremseo
50%
50%
Jeremseo,
User Rank: Strategist
4/5/2016 | 10:54:39 AM
Security
For me I feel the same way. Like for one moment when I am searching something online and I feel like someone is tracking my life... It feels quite strange and uncomfortable. I dont have a lot of apps on my phone either.
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
CVE-2011-1930
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
CVE-2011-1145
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
CVE-2011-1488
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...