As the number of blacklisted apps on Google Play continues to drop, attackers find new ways to compromise smartphones.
Mobile devices – pervasive in the workplace, heavily used, and often unregulated – present a wealth of opportunity to cybercriminals aiming to access employees’ sensitive information.
The mobile threat landscape is always shifting, says Jordan Herman, researcher at RiskIQ, which recently published its “Mobile Threat Landscape Q1 2019” report. Researchers scanned more than 120 app stores and nearly 2 billion resources to detect mobile apps in the wild. In the past four quarters, RiskIQ has categorized 8 million mobile apps, of which 217,982 were blacklisted.
A rush of apps continues to flood mobile marketplaces. In the first quarter of 2019, RiskIQ saw 2.26 million new apps, nearly 6% more than the fourth quarter of 2018. Given the sheer size, scope, and complexity of the global app ecosystem, it’s tough for organizations to monitor their mobile presence and protect customers and employees from an evolving range of threats.
“The fact that it changes from quarter to quarter goes to show how many different ways there are to attack mobile,” Herman says. “Mobile is so ubiquitous and so ingrained in our day-to-day lives that threat actors can target users in hundreds of ways and keep trying until something works.” Threats range from fake antivirus apps to phishing attempts to Magecart incidents.
As Herman points out, there are several ways to develop and distribute malicious apps. Some may sign up the user for paid subscription services without the user’s knowledge, granting the developer monetary gain. Others may steal personal data that can be used for identity theft. Some may try to disguise themselves as popular apps, while yet others may appear benign (a flashlight app, for example) but request excessive permissions to steal data stored on the phone.
Following three consecutive quarters of decline, the number of blacklisted apps rose 15% between the fourth quarter of 2018 and the first quarter of 2019. Google Play had 1.4 million apps – more than three times that of the Apple App Store – and accounted for 58% of all blacklisted apps in 2018. The next highest blacklisted store was 9Apps, which made up about 19% of the blacklist total. Feral apps (those listed on the open Web) accounted for nearly 9% of blacklisted mobile apps.
But Google Play is falling as a hot spot for malicious applications: The number of blacklisted apps in the store fell for the second consecutive quarter, down nearly 64% since Q3 2018. “Our data indicates Google is getting better at policing the Play store,” Herman says. Rogue apps still appear given Android is the world’s most popular mobile platform and the Play store is more open to developers, but new app stores are emerging with far more malicious intent.
Inside Malicious Apps
After Google Play, which had nearly 38,000 blacklisted apps between the fourth quarter of 2018 and the first quarter of 2019, 9Game was the second most blacklisted store. Most (96%) of the applications on 9Game.com and 30% of apps in “Vmallapps” were blacklisted, RiskIQ reports.
“Our data indicates that Google is getting better at policing the Play store,” Herman says. The company regularly removes blacklisted apps and does so quickly once the apps are identified.
9Game appears to be a “wholly malicious” store, with nearly every app requesting permission for the camera, location data, Wi-Fi, file system, Internet, and settings. With these permissions, any app downloaded from the store has full reign over the device that installed it. The app can install more malicious apps without the user’s knowledge and send anything it finds on the phone wherever it wants. AndroidAPKDescargar is another example of a malicious store; it targeted Spanish-speaking Android users and was the most blacklisted app store in 2017.
Whether an application is obviously malicious depends on the developer’s sophistication and user’s awareness. Some malicious apps require permissions far beyond their function – for example, a flashlight app that requires GPS or microphone access. This is seemingly obvious; however, an app with hidden code that changes settings or downloads malware may not be.
When Good Apps Go Bad
Mobile apps created with good intentions can prove harmful if they’re not properly developed. Positive Technologies explores this further in its “Vulnerabilities and Threats in Mobile Applications 2019” report, also released this week. High-risk vulnerabilities were found in 38% of iOS apps and 43% of Android apps. Insecure data storage, detected in 76% of mobile apps overall, was the most common issue. Most (89%) vulnerabilities can be exploited remotely.
Leigh-Anne Galloway, Positive Technologies’ cybersecurity resilience lead, points to top security flaws: incorrect session termination, by which an attacker can access a user’s session after they log out; insecure interprocess communication, by which user data can be accessed; and the absence of Certificate Pinning, which allows a man-in-the-middle attack with fake certificates.
Mobile device users’ data is at risk, she adds, as 71% of mobile apps leave information exposed to unauthorized access. “Most vulnerabilities appear at the design stage of the application, before writing the code, and they can be fixed only by making changes to the code,” Galloway explains, adding that unauthorized access to user data is the most common mobile app threat.
While the report often distinguishes between iOS and Android apps, it’s not worth thinking about the security of specific platforms, she adds. Most flaws (74% in iOS apps and 57% in Android apps) are related to the shortcomings of protection mechanisms that arise during the design phase.
“Developers do not provide security when planning functionality,” she explains. “So when developing an application, many security platform capabilities are simply not used or are used incorrectly.” This contributes to similar vulnerabilities appearing in an app across platforms.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio