To avoid malware, you should always get hardware and software from official, authorized and reputable sources and vendors, right? But what happens when those same sources actually contain or deliver malicious payloads?

In recent months, such bad code has appeared out of the box in mobile hardware and in reputable and seemingly legitimate apps from authorized app stores. Perhaps it’s time for a more sophisticated and nuanced policy.

Malicious code is a widespread, harmful and growing problem, and threat actors are increasingly targeting businesses and enterprises, according to Malwarebytes’ “2019 State of Malware” report. The report found that business detections of malware increased nearly 80 percent over the last year, with the largest increases coming from Trojans, riskware tools, backdoors and spyware.

The report also detailed a growing creativity and sophistication in delivery — including the Holy Grail of attack vectors: delivery through official, authorized and reputable sources. Let’s explore some recent examples.

Digitally Signed, Directly Delivered Malware

Hundreds of thousands of ASUS computers were recently infected by malicious code in an attack campaign known as Operation ShadowHammer. (ASUS has since removed the code with a security update.)

The infection didn’t come by way of insecure websites or email phishing attacks. Instead, it arrived via the ASUS Live Update tool and was authenticated by the company’s legitimate code-signing certificates. The CCleaner-like backdoor scanned for each victim’s media access control (MAC) address, hunting for one of 600 targeted MAC addresses. Once a target machine was identified, a malicious payload of unknown purpose was loaded from a remote server.

This entire series of events began with attackers gaining access to ASUS’ certificates, which were used to sign the code through ASUS’ supply chain, according to researchers from both Kaspersky Lab and Symantec.

Operation ShadowHammer has won instant fame as the poster child for the growing threat of supply chain attacks in which malicious items are installed during a product’s manufacturing, at some point between assembly and reception by the customer, or while being updated with signed and authorized software updates.

Can You Pick Up Some Malware From the (App) Store?

Another efficient way to deliver malware is through applications. This is easiest from unauthorized app stores because they have less sophisticated — or nonexistent — checks for bad code.

But it’s also common for malware to slip past those checks on legitimate app stores. An analysis by Check Point researchers found a particular strain of adware in 206 Android apps on the Google Play store, which were collectively downloaded around 150 million times. These apps were compromised by SimBad malware, which was embedded in a software development kit (SDK) used by the apps.

According to Google, the install rate of potentially harmful applications (PHA) from Google Play was around 0.04 percent in 2018. However, that very low rate shouldn’t give comfort; it simply means a PHA install rate of one out of every 2,500 downloads. Therefore, a company with thousands of employees is likely to have at least some PHAs inside its firewall.

In another example, a compromised but otherwise legitimate weather forecast app, developed by Alcatel’s parent company, the TCL Corporation, was available as a standalone app on the Google Play store and downloaded more than 10 million times. The weather app harvested user data, such as location, email address, International Mobile Equipment Identity (IMEI) codes and other information, and sent it to a remote server. The app also subscribed victims to phone number services that incurred charges on phone bills.

What’s more, Alcatel bundled the app on its Pixi 4 and A3 Max smartphones, meaning brand-new phones purchased through legitimate channels actually contained the malware.

To date, it’s unclear how exactly the malicious code got into the weather app. The leading theory appears to be that the PC used by a TCL developer was hacked.

The Worst Thing About Bad Code From Good Sources

Matt Blaze, professor of law and computer science at Georgetown University, wrote in a New York Times opinion piece that despite attacks such as Operation ShadowHammer, it’s still more important than ever to keep software up to date.

In fact, according to Blaze, the most dangerous aspect of the ASUS supply chain attack is the risk that people might turn off automatic updates and avoid installing critical patches.

“It might be tempting to immediately disable these mechanisms … but that would be a terrible idea, one that would expose you to far more harm than it would protect against,” wrote Blaze. “In fact, now would be a fine time to check your devices and make sure the automatic system update features are turned on and running.”

It’s also worth noting that the prevalence of internet of things (IoT) devices makes such attacks far more likely. The future of IT will probably involve far more malicious payloads in legitimate products from authorized sources, but it’s still as important as ever to favor the authorized source over the unauthorized.

Lastly, organizations should always add an extra layer of security by monitoring third-party connections with a unified endpoint management (UEM) solution. The official source, the authorized source and the reputable source are only the first line of defense against increasingly aggressive and creative malware threats, and will continue to function as such. The next lines of defense are up to you.
