November 13, 2018 By Mike Elgan 4 min read

Smartphones are motivating targets for cybercriminals. Mobile devices today hold personal and monetizable data such as login credentials, financial information and company secrets — not to mention spy-friendly sensors such as microphones, cameras and location electronics.

Unsavory actors gain access to phones through breaches, physical access to the device or, increasingly, by hiding code in mobile apps that “phones home” and sends target data back to the perpetrator. This method is especially attractive for criminals because users are in control of app installations and physically carry phones right inside company firewalls.

How to Recognize App Fraud

Malicious exfiltration often originates in fraudulent apps. The Slovakian cybersecurity company ESET recently discovered six fake banking apps on the Google Play store, according to Reuters. The developers spoofed banking apps from financial institutions across multiple countries and stole credit card details and login credentials.

Trustlook Labs also discovered an Android Trojan hidden inside an app called Cloud Module, which obfuscates its existence to evade detection. The app stealthily steals data from mobile messaging apps, including Facebook Messenger, Twitter, Viber and Skype.

Fraudulent apps are often found in legitimate app stores, but an entire fraudulent app store recently emerged, according to Talos Intelligence. Called Google Play Market, the app was designed to mimic the actual Google Play Store. It tries to trick users into asking permission to gain administrator privileges and access settings, passwords and contacts.

Second-Guess the Popular Mobile Apps

According to GuardianApp, researchers discovered a series of legitimate and even popular apps extracting data. The No. 1 mapping app for finding gas prices, which claims 70 million users, and the No. 2 weather app were among the apps that contained the exfiltration code.

At least two dozen of these iOS apps were sharing location data (GPS, Wi-Fi and Bluetooth location) with companies that sell location information without the knowledge or permission of users. Some apps also shared other data, including browser histories, accelerometer data, cellular network name, GPS altitude and speed, and other data.

The firms selling the data are reportedly paying developers to install code that collects information, which they often say is used in an aggregated and anonymized form for market research services. To the app developers, it’s a way to monetize their apps. Many of these apps have even explicitly said location data will not be shared.

Understand the Threat

Far too often, these apps escape scrutiny because they sound so harmless, but it could be dangerous to underestimate their damage. Let’s say, for example, that an exfiltration app harvests only anonymized location data. What could be the harm in that?

A popular app could be used by dozens, hundreds or even thousands of users within one organization. By analyzing the location data, it would be easy to discover that some number of victims work at a specific company, because many of them spend their days in the company building.

All those users could fall victim to phishing attacks designed to target employees of that company. Further, those anonymous users at that company could be scrutinized based on where they live, which employees spend time together, what their hobbies are, whether they have children, where they shop and other data, based purely on where they go and when.

When personal information is used to construct victim profiles, phishing attacks can be far more effective. For example, let’s say 20 people at a company are found to be the parents of kids at a specific school. Scammers could blast the entire company email roster with an urgent message that sounds personalized because it specifically mentions both the company and the school, and maybe even the principle of the school. Although a generic phishing attack will likely have a relatively low success rate, a small number of those parents are sure to be duped, if only for a second. But that’s all it takes; once clicked, the payload is delivered and the damage begins.

Why You Should Invest in UEM and User Education

Although all of the malicious apps mentioned above have been removed from their app stores, as with most security threats, they were discovered only long after the damage was done. Two key actions are required to head off future risk from exfiltration apps.

First, adopt a unified endpoint management (UEM) solution that leverages artificial intelligence to spot anomalous and potentially malicious patterns. This should provide a safety net when human judgment fails.

Next, educate employees on how to spot apps that may contain exfiltration code to get ahead of human error. Data thieves are counting on user ignorance. In your training, be sure to include the following mobile security tips:

  • Discourage anyone in the organization from installing obscure apps, since they are more likely to escape app store scrutiny.
  • Avoid apps that are highly rated but have a small number of downloads, since fake accounts and bots can be used to inflate ratings.
  • Fake apps often have similar logos to the ones they’re imitating, but can contain typos in the descriptions and other telltale signs.
  • Always check the “Details” under app permissions before installation to see what permissions will be requested.
  • User agreements can sometimes reveal nefarious intent. If the end user license agreement (EULA) for a flashlight app asserts the right to use location and other irrelevant data, be suspicious.
  • Finally, do a search on the web for the name of the app to you intend download to see what other users and organizations are saying about it.

The arms race between threat actors and enterprise security professionals will continue, and it’s an uneven playing field. A malicious actor only needs to find one innovative way inside the organization. A security professional needs to guard against all possible attacks.

We can’t know exactly where the next attack will come from — but we do know that smartphone apps are among the best ways to smuggle payloads into an organization. As these threats proliferate, organizations will need to learn how to recognize app fraud on the fly and proactively defend against malicious applications to keep their data, employees and customers safe.

More from Endpoint

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today