
App stores could give bad actors a one-way ticket to your mobile

(Image credit: Carballo / Shutterstock)

It’s no shocking statement that mobile phones are completely integrated into our everyday lives, both personally and professionally. The larger issue lies in how we evaluate the applications we rely on daily: the way consumers judge apps affects not only their own personal data but often the companies that employ them.

There has been a constant stream of jaw-dropping news stories lately highlighting the potential security risks we carry in our pockets, but how are these bad actors infiltrating our mobile devices, and what tactics are they using? In 2018 alone, it was reported that 194 billion apps were downloaded by consumers, showing the virality an infected application could have if made available to the public. In this article, we will uncover how app stores give a one-way, all-access ticket to mobile devices, and how the public tends to download from them without proper vetting.

The unknown marketplace

Mobile malware is primarily distributed through third-party sources rather than vetted application stores. It is critical to download applications only from well-monitored, vetted app stores. There is a plethora of app stores that take no strict approach to investigating the apps uploaded to them, leaving eager downloaders exposed to a world of threats.

The most dangerous stores rely only on user reviews to judge whether an app is safe. This leaves a lot to be desired from a security perspective, as reviews are easily manipulated. Unsuspecting consumers are left stranded and at the mercy of bad actors who spam such stores with malicious applications aimed at pilfering sensitive information and financial data.

Free doesn’t equal secure

A common tactic bad actors deploy is offering an array of free apps to consumers. With different descriptions and images, they frequently create an illusion of choice that does not exist in reality. When looking to download an app it is easy to be swept up in the hundreds or thousands of free ones on offer, but it is important to look for the key indicators that can help you identify a malicious app before it is too late.

Mobile ransomware is another popular and common attack vector that cybercriminals use to weaponise apps. It allows bad actors to hold victims’ mobile devices and personal information hostage. The malicious software stops victims from accessing their device and data, traditionally by encrypting the data files on the device’s storage, essentially shutting the victim out of their media files.

Like most malware, ransomware attacks have the potential to disable mobile devices; however, the classic file encryption technique often fails. The widespread use of cloud storage, combined with the limitations of mobile battery life and mobile CPUs, means file encryption is no longer the most effective approach for these criminals. Today’s ransomware has been developed to “lock” devices and display a message which will not accept any other activity until the correct code is entered. Once the victim pays the ransomware operator, the device is (hopefully) unlocked, creating a fruitful system for bad actors to gain funds quickly. The apparently fun, free and convenient app quickly turns into an expensive, invasive nightmare.

Properly vetting the app developer’s details is a critical step in checking whether an app is safe. Malicious actors often imitate the names of well-known, trusted developers to fool app seekers into downloading. It is vital to double-check the spelling of the developer’s name, as a common tactic for bad actors is to alter the spelling slightly to trick unsuspecting app fans.

Distributive malware and spying RATs

Bad actors can spam app stores using a simple Trojan distribution technique: taking popular, legitimate applications and using them as carriers for malware. They upload these infected apps in huge numbers to take advantage of volume distribution. This is similar to phishing email campaigns, where spammers only need a small percentage of recipients to click to achieve success.

Trojan code is typically hidden in otherwise valid-looking applications; simple Trojan distribution techniques use the offer of free tools or popular, legitimate applications as carriers for the malware. As found in CrowdStrike’s Mobile Threat Landscape Report, a key example of this type of activity is the case of developer “Luiz O Pinto”, who released 13 apps on the Google Play store that were downloaded a whopping 560,000 times. When opened, these applications directed the user to an additional Android package which displayed advertisements each time the mobile device was unlocked. Adware of this kind is not only extremely frustrating, but the same approach could easily be used to decompile legitimate apps and modify their code to perform malicious activity alongside the expected, ‘normal’ functions. This gives bad actors an effective way to achieve financial gain.

The breadth and variety of mobile malware readily available for bad actors can be boiled down to five main ‘families’:

  • Remote Access Tools
  • Banking Trojans
  • Mobile Ransomware
  • Cryptomining Malware
  • Advertising Click Fraud

These five categories help define and understand what attackers are trying to achieve when they take over mobile devices. All but one have financial gain as their primary purpose; Remote Access Tools (RATs) are an extremely comprehensive threat which can retrieve an enormous amount of data compared with the ‘traditional’ desktop RATs from which they descend.

Mobile RATs have a whole host of features which completely breach the security of the device: listing all the device information and installed apps, retrieving call history, the address book and browsing history, collecting SMS data, logging GPS location, taking screenshots, and enabling the cameras and microphone. This deadly combination makes them the ideal weapon for targeted adversary groups gathering intelligence on handpicked, influential victims.

The huge amount of mobile malware in the wild means app stores face an extremely challenging task in trying to keep it off their platforms. This, coupled with the huge number of infected apps that adversaries release, means mobile users cannot depend on app stores alone for their security.

Enforcing best practices to secure your device

We should all practise more proactive security strategies and treat our mobile devices as we do our other personal computing devices, considering they are a window into our lives. At the most basic level, individuals must be more conscious of what they download onto their devices.

By sticking to well-vetted app stores there is less chance of malware making its way onto the device. The next step is to ensure that the most up-to-date security patches are installed. Vendors regularly release patches to fix weak points in application software; by not installing the latest patches, users leave their devices exposed to elevated risk from canny adversaries looking to capitalise on the delay.

While there is always a lot of focus on what patches and software can be installed to ensure a high level of security, an element which can easily be forgotten is the physical security of the device itself. It is critical to know where your device is at all times. Leaving a mobile device unattended is a huge risk, as a malicious actor can manually install malware onto it. Another best practice is to ensure passwords and other authentication measures, such as facial recognition or multi-factor authentication, are implemented to harden your next line of defence.

Mobile device management (MDM) processes are a good way of protecting devices, restricting which apps can be installed and automatically installing security patches. However, MDM servers themselves sit in the supply chain and could be breached, meaning an attacker could already be operating within the device. Organisations should lock down any communication with untrusted MDM servers and ensure all users are trained to recognise phishing techniques to ‘inoculate’ themselves.

It is vital to take further precautions when downloading gaming or mobile banking applications, as they have been recognised as the most common vectors of attack. Checking the spelling of the application’s and the developer’s names is an essential step before downloading.
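The developer-name check recommended above (and in the earlier section on vetting developer details) can be automated for an organisation that keeps an approved-publisher list. The following is an added example, not code from the article or from CrowdStrike: it normalises a candidate developer name (case folding, accent stripping, zero-width characters, and a small constructed table of look-alike digits and Cyrillic letters), then measures its edit distance to each trusted publisher. An exact string match is "trusted"; a name that only matches after normalisation, or sits within a couple of edits of a trusted name, is flagged as a "lookalike" for a human to review. The publisher names, the confusable table and the distance threshold are all assumptions chosen for illustration.

```python
# Added example: flag app-store developer names that imitate a trusted publisher.
# Everything below (trusted list, confusable table, threshold) is constructed
# for illustration; a real deployment would load its own approved-publisher list.
import unicodedata

# Constructed allowlist of publisher names the organisation trusts.
TRUSTED_DEVELOPERS = [
    "Example Bank plc",
    "Acme Games Studio",
]

# Small, constructed table of characters commonly substituted for Latin
# letters to produce visually identical names. Deliberately not exhaustive.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
}


def normalise(name: str) -> str:
    """Fold case, strip accents and zero-width/punctuation characters, map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue  # accent marks separated out by NFKD are dropped
        ch = CONFUSABLES.get(ch, ch).lower()
        if ch.isalnum():  # spaces, punctuation and zero-width characters are dropped
            out.append(ch)
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: minimum number of insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_developer(name: str, trusted=TRUSTED_DEVELOPERS, max_distance: int = 2) -> dict:
    """Classify a developer name as 'trusted', 'lookalike' or 'unknown'.

    Only an exact string match is trusted. A name that becomes identical after
    normalisation (e.g. '1' for 'l', Cyrillic 'a') or lies within max_distance
    edits of a trusted name is a lookalike that should be reviewed by a human.
    """
    if name in trusted:
        return {"name": name, "verdict": "trusted", "matches": name, "distance": 0}
    norm = normalise(name)
    best = None
    for t in trusted:
        d = levenshtein(norm, normalise(t))
        if best is None or d < best[1]:
            best = (t, d)
    if best is not None and best[1] <= max_distance:
        return {"name": name, "verdict": "lookalike", "matches": best[0], "distance": best[1]}
    return {"name": name, "verdict": "unknown", "matches": None,
            "distance": None if best is None else best[1]}


if __name__ == "__main__":
    # Constructed candidate names as they might appear on a store listing.
    for candidate in ["Example Bank plc", "Examp1e Bank plc",
                      "Ex\u0430mple Bank plc", "Example Bnak plc",
                      "Totally Different Ltd"]:
        print(check_developer(candidate))
```

The verdict is deliberately three-valued: "unknown" is not "safe", it only means the name does not resemble anything on the allowlist, so the app still needs the other checks the article describes (store reputation, permissions requested, patch level). Raising `max_distance` catches more misspellings at the cost of more false positives on legitimately similar names.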

Putting these measures in place can stop your device from becoming a risk factor in the security ecosystem. You should also take on board the advice that corporate security teams provide, as this can help make your mobile device more bulletproof against cyberthreat actors.

Zeki Turedi, Technology Strategist EMEA, CrowdStrike

Zeki Turedi is an influential, tenacious and highly sought cybersecurity commentator, consultant and presenter. Zeki has extensive incident response & forensic knowledge within law enforcement, government and private sector. His specialties include incident response, malware analysis, threat intelligence, digital forensics, network forensics, digital investigations, data loss prevention, and advanced threat modelling.