Are Mobile Apps Really at Risk?

Powerful and profound cyberattacks are occurring on a daily basis. They range from traditional credit card data theft to complex compromises of personal health information, intellectual property, mission-critical patents, sensitive government information and much more. The attacks are becoming more severe and more creative, and the tools are becoming more sophisticated.

But are mobile applications really part of the equation? Are they really at risk? The answer is a resounding yes. The number of new mobile malware samples jumped by 49 percent from Q4 2014 to Q1 2015, according to a “McAfee Labs Threat Report.” With the emergence of the relatively recent WireLurker malware for iOS, it is evident that even apps we previously thought to be relatively secure are now being targeted across all platforms.

What Are Criminals Doing With Hacked Apps?

Apps that have been pirated, hacked, tampered with to bypass security controls, reverse engineered, injected with malware and re-engineered to perform malicious acts are being widely distributed, particularly via unofficial app stores. These malicious apps can be engineered to hijack sensitive data such as financial information, health and identity records and valuable intellectual property, and can then be used for nefarious purposes to perform a wide array of unauthorized operations.

Fake versions of high-value apps that transmit desirable data are designed to fool app store users into handing over that data. This is unlike mere copycat apps, such as games, whose more benign purpose is generating illicit financial gain for their creators. Malware is almost always inserted for a malicious purpose rather than to be an irritant to users.


More Than Half of Fake Apps Are Malicious — Is Yours One of Them?

This is a prevalent problem with fake or copied apps. In fact, Trend Micro’s “Fake Apps Feigning Legitimacy” report found that 51 percent of fake apps had malware in them.

There are lots of reasons why the trend is increasing, including:

  • The exponentially increasing number of apps makes for a target-rich environment.
  • Faster release cycles mean more apps are made public more frequently, and application security tends to lag behind product release cycles.
  • Use of third-party components and frameworks opens a window for additional vulnerabilities.
  • Increasingly robust functionality on the client-side of apps — due to competition and user demand — is creating a greater range of hacking opportunities. When more features become available, there are more features available to hack!
  • Improved hacking tools now include advanced capabilities such as jailbreak detection avoidance, and many tools are diversifying to cover all platforms. For example, the previously iOS-exclusive Cydia Mobile Substrate is now available on Android. A recap of readily available hacking tools appears below.

It couldn’t be much easier for a hacker: A bogus app can be hacked, repackaged and distributed in less than an hour. The process to create a bogus app is surprisingly simple:

  1. Download, decrypt, open and reverse engineer the legitimate app’s contents.
  2. Extract and steal confidential data (if that is the motivation).
  3. Create a tampered, cracked or patched version of the app that contains malware.
  4. Distribute and encourage use of the hacked app.

A Hacker’s Last Step — Distribute and Cash In

Tampered and hacked applications are distributed in a number of ways. They can be easily placed on app stores other than Apple’s App Store or Google Play, most of which do not follow thorough review processes. There are also hundreds of app stores globally, catering to BlackBerry users, cross-platform providers, manufacturer-specific users, and operators and carriers.

Apple’s App Store has a review process, but there are potential ways for cybercriminals to circumvent it. For example, in the review process, an automated tool evaluates apps’ legitimacy. However, the owner of a hacked app can easily conceal what the app is doing or distribute it via an enterprise deployment model and avoid the review altogether.

There are even more options for Android app distribution, and none have a formal review process. These include the Google Play Store, releases via independent websites and email-based releases. Android users are usually warned that they are downloading from an unofficial store, but many miss the warning because they enable automatic downloads of software updates.

But Isn’t My App Encrypted? Yes, But…

It’s easy for cybercriminals to bypass iOS encryption to execute a mobile app attack. Some insidious new hacks don’t even leave a fingerprint.

For example, in a method swizzling hack with code substitution, attackers use injected code to replace the implementations of critical class methods in an application, intercept API calls and execute unauthorized code. The attack leaves no trace at all, because the code reverts to its original form after the attack.
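One defensive countermeasure against the swizzling described above is a runtime integrity check: record the implementation pointer (IMP) of each security-critical method when the app launches, then re-read the live IMP around sensitive calls and compare. The following Objective-C program is an added example, not code from the original article or from IBM; the `PaymentClient` class, its selector and the `alwaysAuthorized` replacement are hypothetical placeholders, and the swap in `main` exists only to confirm that the check fires. It uses Apple’s public `objc/runtime.h` functions.

```objectivec
// Added example, not code from the original article: a runtime integrity check
// against method swizzling. At launch we snapshot the implementation pointer
// (IMP) of each security-critical method; later we re-read the live IMP and
// compare. A swizzled method has a different IMP. Class and selector names are
// hypothetical placeholders.
// Build on macOS: clang -framework Foundation -fobjc-arc swizzle_check.m -o swizzle_check
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

@interface PaymentClient : NSObject
- (BOOL)isTransactionAuthorized:(NSString *)transactionId;
@end

@implementation PaymentClient
- (BOOL)isTransactionAuthorized:(NSString *)transactionId {
    // Hypothetical business rule standing in for real authorization logic.
    return [transactionId hasPrefix:@"TX-"];
}
@end

// Baseline map: "Class/selector" -> IMP captured at startup.
static NSMutableDictionary<NSString *, NSValue *> *gBaseline;

static NSString *baselineKey(Class cls, SEL sel) {
    return [NSString stringWithFormat:@"%@/%@",
            NSStringFromClass(cls), NSStringFromSelector(sel)];
}

// Record the current IMP of cls/sel. Call this as early as possible (from
// +load or the top of main), before any third-party code has run.
static void recordBaseline(Class cls, SEL sel) {
    if (gBaseline == nil) gBaseline = [NSMutableDictionary dictionary];
    Method m = class_getInstanceMethod(cls, sel);
    if (m == NULL) return;
    IMP imp = method_getImplementation(m);
    gBaseline[baselineKey(cls, sel)] = [NSValue valueWithPointer:(const void *)imp];
}

// Returns YES if the live IMP still matches the recorded one, NO if the method
// was swizzled (or was never recorded, which is treated as a failure).
static BOOL verifyMethod(Class cls, SEL sel) {
    NSValue *expected = gBaseline[baselineKey(cls, sel)];
    Method m = class_getInstanceMethod(cls, sel);
    if (expected == nil || m == NULL) return NO;
    IMP current = method_getImplementation(m);
    return (const void *)current == [expected pointerValue];
}

// Replacement used only by the self-test in main to confirm the check fires.
static BOOL alwaysAuthorized(id self, SEL _cmd, NSString *transactionId) {
    return YES;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        Class cls = [PaymentClient class];
        SEL sel = @selector(isTransactionAuthorized:);
        recordBaseline(cls, sel);
        NSLog(@"clean state verifies:   %@", verifyMethod(cls, sel) ? @"YES" : @"NO");

        // Self-test: swap the IMP, then re-run the check; it must report NO.
        Method m = class_getInstanceMethod(cls, sel);
        IMP original = method_setImplementation(m, (IMP)alwaysAuthorized);
        NSLog(@"after swap verifies:    %@", verifyMethod(cls, sel) ? @"YES" : @"NO");

        // Restore the original IMP; the check passes again, which is exactly why
        // a single check at launch is not enough for code that reverts itself.
        method_setImplementation(m, original);
        NSLog(@"after restore verifies: %@", verifyMethod(cls, sel) ? @"YES" : @"NO");
    }
    return 0;
}
```

Two caveats matter in practice. First, because the article notes that the substituted code reverts after the attack, the check has to run immediately before and after each sensitive call, not once at startup. Second, the baseline lives in the same process as the attacker’s injected code, so an attacker with runtime control can also neuter the checker; this is one layer of runtime self-protection, to be combined with the static hardening the rest of the article argues for, not a guarantee on its own.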

In light of what’s happening, analysts and consultants are making strong statements to drive companies to adopt static and runtime application protection:

  • “Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection,” Gartner said. “It should be a CISO top priority.”
  • 451 Research stated, “It (‘application hardening and runtime protection’) is a critical component in the strategy to secure enterprise software, embedded systems, mobile apps and the much-bandied Internet of Things.”

What Can I Do to Protect My Apps, My Customers, My Brand and My Bottom Line?

In our on-demand webinar “Think Like a Hacker! New Attacks, New Approaches,” we address the current threat landscape and provide a range of strong countermeasures you can employ to improve security.

Watch the webinar to learn:

  • How easily hackers can leverage widely available third-party tools to completely disable and compromise your mobile apps, and why standard cryptography no longer offers sufficient protection;
  • The evolution of the mobile threat landscape, including a live demo of various reverse engineering and tampering attacks; and
  • Best practices to stay ahead of hackers, mitigate risk and implement new approaches to protect your organization against mobile application vulnerabilities that can threaten your employees, your brand’s good name and your bottom line.

Since you are interested in this topic, please register today for our upcoming webinar “Uncover What’s Inside the Mind of a Hacker”.
