To avoid malware, you should always get hardware and software from official, authorized and reputable sources and vendors, right? But what happens when those same sources actually contain or deliver malicious payloads?
In recent months, such bad code has appeared out of the box in mobile hardware and in reputable and seemingly legitimate apps from authorized app stores. Perhaps it’s time for a more sophisticated and nuanced policy.
Malicious code is a widespread, harmful and growing problem, and threat actors are increasingly targeting businesses and enterprises, according to Malwarebytes “2019 State of Malware” report. The report found that business detections of malware increased nearly 80 percent over the last year, with the largest increases coming from Trojans, riskware tools, backdoors and spyware.
The report also detailed a growing creativity and sophistication in delivery — including the Holy Grail of attack vectors: delivery through official, authorized and reputable sources. Let’s explore some recent examples.
Digitally Signed, Directly Delivered Malware
Hundreds of thousands of ASUS computers were recently infected by malicious code in an attack campaign known as Operation ShadowHammer. (ASUS has since removed the code with a security update.)
The infection didn’t come by way of insecure websites or email phishing attacks. Instead, it arrived via the ASUS Live Update tool and was authenticated by the company’s legitimate code-signing certificates. The CCleaner-like backdoor scanned for each victim’s media access control (MAC) address, hunting for one of 600 targeted MAC addresses. Once a target machine was identified, a malicious payload of unknown purpose was loaded from a remote server.
This entire series of events began with attackers gaining access to ASUS’ certificates, which were used to sign the code through ASUS’ supply chain, according to researchers from both Kaspersky Lab and Symantec.
Operation ShadowHammer has won instant fame as the poster child for the growing threat of supply chain attacks in which malicious items are installed during a product’s manufacturing, at some point between assembly and reception by the customer, or while being updated with signed and authorized software updates.
Can You Pick Up Some Malware From the (App) Store?
Another efficient way to deliver malware is through applications. This is easiest from unauthorized app stores because they have less sophisticated — or nonexistent — checks for bad code.
But it’s also common for malware to slip past those checks on legitimate app stores. An analysis by Check Point researchers found a particular strain of adware in 206 Android apps on the Google Play store, which were collectively downloaded around 150 million times. These apps were compromised by SimBad malware, which is embedded in a software development kit (SDK) on the apps.
According to Google, the install rate of potentially harmful applications (PHA) from Google Play was around 0.04 percent in 2018. However, that very low rate shouldn’t give comfort; it simply means a PHA install rate of one out of every 2,500 downloads. Therefore, a company with thousands of employees is likely to have at least some PHAs inside its firewall.
In another example, a compromised but otherwise legitimate weather forecast app, developed by Alcatel’s parent company, the TCL Corporation, was available as a standalone app on the Google Play store and downloaded more than 10 million times. The weather app harvested user data, such as location, email address, International Mobile Equipment Identity (IMEI) codes and other information, and sent it to a remote server. The app also subscribed victims to phone number services that incurred charges on phone bills.
What’s more, Alcatel bundled the app on its Pixi 4 and A3 Max smartphones, meaning brand-new phones purchased through legitimate channels actually contained the malware.
To date, it’s unclear how exactly the malicious code got into the weather app. The leading theory appears to be that the PC used by a TCL developer was hacked.
The Worst Thing About Bad Code From Good Sources
Matt Blaze, professor of law and computer science at Georgetown University, wrote in a New York Times opinion piece that despite attacks such as Operation ShadowHammer, it’s still more important than ever to keep software up to date.
In fact, according to Blaze, the most dangerous aspect of the ASUS supply chain attack is the risk that people might turn off automatic updates and avoid installing critical patches.
“It might be tempting to immediately disable these mechanisms … but that would be a terrible idea, one that would expose you to far more harm than it would protect against,” wrote Blaze. “In fact, now would be a fine time to check your devices and make sure the automatic system update features are turned on and running.”
It’s also worth noting that such attacks are far more likely with the prevalence of internet of things (IoT) devices. The future of IT will probably involve far more malicious payloads in legitimate products from authorized sources, but it’s still as important as ever to favor the authorized source over the unauthorized.
Lastly, organizations should always add an extra layer of security by monitoring third-party connections with a unified endpoint management (UEM) solution. The official source, the authorized source and the reputable source are only the first line of defense against increasingly aggressive and creative malware threats, and will continue to function as such. The next lines of defense are up to you.