BY BRANDT T. HEATHERINGTON – IBM SECURITY
Are Mobile Apps Really at Risk?
Powerful and profound cyberattacks are occurring on a daily basis. They range from traditional credit card data theft to complex compromises of personal health information, intellectual property, mission-critical patents, sensitive government information and much more. The attacks are becoming more severe and more creative, and the tools are becoming more sophisticated.
But are mobile applications really part of the equation? Are they really at risk? The answer is a resounding yes. The number of new mobile malware samples jumped by 49 percent from Q4 2014 to Q1 2015, according to a “McAfee Labs Threat Report.” With the emergence of the relatively recent Wirelurker malware for iOS, it is evident that even apps we previously thought to be relatively secure are now being targeted across all platforms.
What Are Criminals Doing With Hacked Apps?
Apps that have been pirated, hacked, tampered with to bypass security controls, reverse engineered, injected with malware and re-engineered to perform malicious acts are being widely distributed, particularly via unofficial app stores. These malicious apps can be engineered to hijack sensitive data such as financial information, health and identity records, valuable intellectual property and utilized for nefarious purposes to perform a wide array of unauthorized operations.
High-value apps that transmit desirable data tend to use their fake design to fool app store users, unlike mere copycat apps like games that have the more benign purpose of generating illicit financial gain for their creators. Malware is almost always inserted for a malicious purpose rather than to be an irritant to users.
More Than Half of Fake Apps Are Malicious — Is Yours One of Them?
This is a prevalent problem with fake or copied apps. In fact, Trend Micro’s “Fake Apps Feigning Legitimacy” report found that 51 percent of fake apps had malware in them.
There are lots of reasons why the trend is increasing, including:
- The exponentially increasing number of apps makes for a target-rich environment.
- Faster release cycles mean more apps are made public more frequently, and application security tends to lag behind product release cycles.
- Use of third-party components and frameworks open a window for additional vulnerabilities.
- Increasingly robust functionality on the client-side of apps — due to competition and user demand — is creating a greater range of hacking opportunities. When more features become available, there are more features available to hack!
- Improved hacking tools now include advanced capabilities such as jailbreak detection avoidance, and many tools are diversifying to cover all platforms. For example, the previously iOS-exclusive Cydia Mobile Substrate is now available on Android. A recap of readily available hacking tools appears below.
It couldn’t be much easier for a hacker: A bogus app can be hacked, repackaged and distributed in less than an hour. The process to create a bogus app is surprisingly simple:
- Download, decrypt, open and reverse engineer the legitimate app’s contents.
- Extract and steal confidential data (if that is the motivation).
- Create a tampered, cracked or patched version of the app that contains malware.
- Distribute and encourage use of the hacked app.
A Hacker’s Last Step — Distribute and Cash In
Tampered and hacked applications are distributed in a number of ways. They can be easily placed on non-iOS or Android app stores, most of which do not follow thorough review processes. There are also hundreds of app stores globally, catering to Blackberry users, cross-platform providers, manufacturer-specific users, and operators and carriers.
Apple’s App Store has a review process, but there are potential ways for cybercriminals to circumvent it. For example, in the review process, an automated tool evaluates apps’ legitimacy. However, the owner of a hacked app can easily conceal what the app is doing or distribute it via an enterprise deployment model and avoid the review altogether.
There are even more options for Android app distribution, and none have a formal review process. These include the Google Play Store, releases via independent websites and email-based releases. Android users are usually warned that they are downloading from an unofficial store, but many miss the warning because they enable automatic downloads of software updates.
But Isn’t My App Encrypted? Yes, But…
It’s easy for cybercriminals to bypass iOS encryption to execute a mobile app attack. Some insidious new hacks don’t even leave a fingerprint.
For example, in a method swizzling hack with code substitution, actors can leverage infected code to attack critical class methods in an application, intercept API calls and execute unauthorized code. The attack leaves no trace at all and the code reverts back to its original form after the attack.
In light of what’s happening, analysts and consultants are making strong statements to drive companies to perform static and runtime application protections:
- “Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection,” Gartner said. “It should be a CISO top priority.
- 451 Research stated, “It (‘application hardening and runtime protection’) is a critical component in the strategy to secure enterprise software, embedded systems, mobile apps and the much-bandied Internet of Things.”
What Can I Do to Protect My Apps, My Customers, My Brand and My Bottom Line?
In our on-demand webinar “Think Like a Hacker! New Attacks, New Approaches,” we will address the current threat landscape and provide a range of strong countermeasures you can employ to improve security.
Watch the webinar to learn:
- How easily hackers can leverage widely available third-party tools to completely disable and compromise your mobile apps, and why standard cryptography no longer offers sufficient protection;
- The evolution of the mobile threat landscape, including a live demo of various reverse engineering and tampering attacks; and
- Best practices to stay ahead of hackers, mitigate risk and implement new approaches to protect your organization against mobile application vulnerabilities that can threaten your employees, your brand’s good name and your bottom line.