Smartphones are motivating targets for cybercriminals. Mobile devices today hold personal and monetizable data such as login credentials, financial information and company secrets — not to mention spy-friendly sensors such as microphones, cameras and location electronics.
Unsavory actors gain access to phones through breaches, physical access to the device or, increasingly, by hiding code in mobile apps that “phones home” and sends target data back to the perpetrator. This method is especially attractive for criminals because users are in control of app installations and physically carry phones right inside company firewalls.
How to Recognize App Fraud
Malicious exfiltration often originates in fraudulent apps. The Slovakian cybersecurity company ESET recently discovered six fake banking apps on the Google Play store, according to Reuters. The developers spoofed banking apps from financial institutions across multiple countries and stole credit card details and login credentials.
Trustlook Labs also discovered an Android Trojan hidden inside an app called Cloud Module, which obfuscates its existence to evade detection. The app stealthily steals data from mobile messaging apps, including Facebook Messenger, Twitter, Viber and Skype.
Fraudulent apps are often found in legitimate app stores, but an entire fraudulent app store recently emerged, according to Talos Intelligence. Called Google Play Market, the app was designed to mimic the actual Google Play Store. It tries to trick users into asking permission to gain administrator privileges and access settings, passwords and contacts.
Second-Guess the Popular Mobile Apps
According to GuardianApp, researchers discovered a series of legitimate and even popular apps extracting data. The No. 1 mapping app for finding gas prices, which claims 70 million users, and the No. 2 weather app were among the apps that contained the exfiltration code.
At least two dozen of these iOS apps were sharing location data (GPS, Wi-Fi and Bluetooth location) with companies that sell location information without the knowledge or permission of users. Some apps also shared other data, including browser histories, accelerometer data, cellular network name, GPS altitude and speed, and other data.
The firms selling the data are reportedly paying developers to install code that collects information, which they often say is used in an aggregated and anonymized form for market research services. To the app developers, it’s a way to monetize their apps. Many of these apps have even explicitly said location data will not be shared.
Understand the Threat
Far too often, these apps escape scrutiny because they sound so harmless, but it could be dangerous to underestimate their damage. Let’s say, for example, that an exfiltration app harvests only anonymized location data. What could be the harm in that?
A popular app could be used by dozens, hundreds or even thousands of users within one organization. By analyzing the location data, it would be easy to discover that some number of victims work at a specific company, because many of them spend their days in the company building.
All those users could fall victim to phishing attacks designed to target employees of that company. Further, those anonymous users at that company could be scrutinized based on where they live, which employees spend time together, what their hobbies are, whether they have children, where they shop and other data, based purely on where they go and when.
When personal information is used to construct victim profiles, phishing attacks can be far more effective. For example, let’s say 20 people at a company are found to be the parents of kids at a specific school. Scammers could blast the entire company email roster with an urgent message that sounds personalized because it specifically mentions both the company and the school, and maybe even the principle of the school. Although a generic phishing attack will likely have a relatively low success rate, a small number of those parents are sure to be duped, if only for a second. But that’s all it takes; once clicked, the payload is delivered and the damage begins.
Why You Should Invest in UEM and User Education
Although all of the malicious apps mentioned above have been removed from their app stores, as with most security threats, they were discovered only long after the damage was done. Two key actions are required to head off future risk from exfiltration apps.
First, adopt a unified endpoint management (UEM) solution that leverages artificial intelligence to spot anomalous and potentially malicious patterns. This should provide a safety net when human judgment fails.
Next, educate employees on how to spot apps that may contain exfiltration code to get ahead of human error. Data thieves are counting on user ignorance. In your training, be sure to include the following mobile security tips:
- Discourage anyone in the organization from installing obscure apps, since they are more likely to escape app store scrutiny.
- Avoid apps that are highly rated but have a small number of downloads, since fake accounts and bots can be used to inflate ratings.
- Fake apps often have similar logos to the ones they’re imitating, but can contain typos in the descriptions and other telltale signs.
- Always check the “Details” under app permissions before installation to see what permissions will be requested.
- User agreements can sometimes reveal nefarious intent. If the end user license agreement (EULA) for a flashlight app asserts the right to use location and other irrelevant data, be suspicious.
- Finally, do a search on the web for the name of the app to you intend download to see what other users and organizations are saying about it.
The arms race between threat actors and enterprise security professionals will continue, and it’s an uneven playing field. A malicious actor only needs to find one innovative way inside the organization. A security professional needs to guard against all possible attacks.
We can’t know exactly where the next attack will come from — but we do know that smartphone apps are among the best ways to smuggle payloads into an organization. As these threats proliferate, organizations will need to learn how to recognize app fraud on the fly and proactively defend against malicious applications to keep their data, employees and customers safe.