Are Mobile Apps Really at Risk?

Powerful and profound cyberattacks are occurring on a daily basis. They range from traditional credit card data theft to complex compromises of personal health information, intellectual property, mission-critical patents, sensitive government information and much more. The attacks are becoming more severe and more creative, and the tools are becoming more sophisticated.

But are mobile applications really part of the equation? Are they really at risk? The answer is a resounding yes. The number of new mobile malware samples jumped by 49 percent from Q4 2014 to Q1 2015, according to a “McAfee Labs Threat Report.” With the emergence of the relatively recent Wirelurker malware for iOS, it is evident that even apps we previously thought to be relatively secure are now being targeted across all platforms.

What Are Criminals Doing With Hacked Apps?

Apps that have been pirated, hacked, tampered with to bypass security controls, reverse engineered, injected with malware and re-engineered to perform malicious acts are being widely distributed, particularly via unofficial app stores. These malicious apps can be engineered to hijack sensitive data such as financial information, health and identity records, valuable intellectual property and utilized for nefarious purposes to perform a wide array of unauthorized operations.

High-value apps that transmit desirable data tend to use their fake design to fool app store users, unlike mere copycat apps like games that have the more benign purpose of generating illicit financial gain for their creators. Malware is almost always inserted for a malicious purpose rather than to be an irritant to users.

Watch the on-demand webinar: Think Like a Hacker

More Than Half of Fake Apps Are Malicious — Is Yours One of Them?

This is a prevalent problem with fake or copied apps. In fact, Trend Micro’s “Fake Apps Feigning Legitimacy” report found that 51 percent of fake apps had malware in them.

There are lots of reasons why the trend is increasing, including:

  • The exponentially increasing number of apps makes for a target-rich environment.
  • Faster release cycles mean more apps are made public more frequently, and application security tends to lag behind product release cycles.
  • Use of third-party components and frameworks open a window for additional vulnerabilities.
  • Increasingly robust functionality on the client-side of apps — due to competition and user demand — is creating a greater range of hacking opportunities. When more features become available, there are more features available to hack!
  • Improved hacking tools now include advanced capabilities such as jailbreak detection avoidance, and many tools are diversifying to cover all platforms. For example, the previously iOS-exclusive Cydia Mobile Substrate is now available on Android. A recap of readily available hacking tools appears below.

It couldn’t be much easier for a hacker: A bogus app can be hacked, repackaged and distributed in less than an hour. The process to create a bogus app is surprisingly simple:

  1. Download, decrypt, open and reverse engineer the legitimate app’s contents.
  2. Extract and steal confidential data (if that is the motivation).
  3. Create a tampered, cracked or patched version of the app that contains malware.
  4. Distribute and encourage use of the hacked app.

A Hacker’s Last Step — Distribute and Cash In

Tampered and hacked applications are distributed in a number of ways. They can be easily placed on non-iOS or Android app stores, most of which do not follow thorough review processes. There are also hundreds of app stores globally, catering to Blackberry users, cross-platform providers, manufacturer-specific users, and operators and carriers.

Apple’s App Store has a review process, but there are potential ways for cybercriminals to circumvent it. For example, in the review process, an automated tool evaluates apps’ legitimacy. However, the owner of a hacked app can easily conceal what the app is doing or distribute it via an enterprise deployment model and avoid the review altogether.

There are even more options for Android app distribution, and none have a formal review process. These include the Google Play Store, releases via independent websites and email-based releases. Android users are usually warned that they are downloading from an unofficial store, but many miss the warning because they enable automatic downloads of software updates.

But Isn’t My App Encrypted? Yes, But…

It’s easy for cybercriminals to bypass iOS encryption to execute a mobile app attack. Some insidious new hacks don’t even leave a fingerprint.

For example, in a method swizzling hack with code substitution, actors can leverage infected code to attack critical class methods in an application, intercept API calls and execute unauthorized code. The attack leaves no trace at all and the code reverts back to its original form after the attack.

In light of what’s happening, analysts and consultants are making strong statements to drive companies to perform static and runtime application protections:

  • “Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection,” Gartner said. “It should be a CISO top priority.”
  • 451 Research stated, “It (‘application hardening and runtime protection’) is a critical component in the strategy to secure enterprise software, embedded systems, mobile apps and the much-bandied Internet of Things.”

What Can I Do to Protect My Apps, My Customers, My Brand and My Bottom Line?

In our on-demand webinar “Think Like a Hacker! New Attacks, New Approaches,” we address the current threat landscape and provide a range of strong countermeasures you can employ to improve security.

Watch the webinar to learn:

  • How easily hackers can leverage widely available third-party tools to completely disable and compromise your mobile apps, and why standard cryptography no longer offers sufficient protection;
  • The evolution of the mobile threat landscape, including a live demo of various reverse engineering and tampering attacks; and
  • Best practices to stay ahead of hackers, mitigate risk and implement new approaches to protect your organization against mobile application vulnerabilities that can threaten your employees, your brand’s good name and your bottom line.

Since you are interested in this topic, please register today for our upcoming webinar “Uncover What’s Inside the Mind of a Hacker”.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today