Do You Know How You're Getting Hacked?

May 12, 2016

BY BRANDT T. HEATHERINGTON – IBM SECURITY

Are Mobile Apps Really at Risk?

Powerful and profound cyberattacks are occurring on a daily basis. They range from the theft of traditional credit card data to complex compromises of personal health information, intellectual property, mission-critical patents, sensitive government information and much more. The attacks are becoming more severe and more creative, and the tools are becoming more sophisticated.

But are mobile applications really part of the equation? Are they really at risk? The answer is a resounding yes. The number of new mobile malware samples jumped by 49 percent from Q4 2014 to Q1 2015, according to the “McAfee Labs Threat Report.” With the emergence of the relatively recent Wirelurker malware for iOS, apps once thought to be relatively secure are now being targeted across all platforms.

What Are Criminals Doing With Hacked Apps?

Apps that have been hacked, tampered with to bypass security controls, reverse engineered, injected with malware and re-engineered to perform malicious acts are being widely distributed, particularly via unofficial app stores. These malicious apps can be engineered to hijack sensitive data such as financial information, health and identity records and valuable intellectual property, and can be used for nefarious purposes to perform a wide array of unauthorized operations.

Fake versions of high-value apps that transmit desirable data tend to use their design to fool app store users, unlike mere copycat apps such as games, which have the more benign purpose of generating illicit financial gain for their creators. Malware is almost always inserted for a malicious purpose rather than to be an irritant to users.

More Than Half of Fake Apps Are Malicious - Is Yours One of Them?

This is a prevalent problem with fake or copied apps. In fact, Trend Micro's “Fake Apps Feigning Legitimacy” report found that 51 percent of fake apps had malware in them.

There are lots of reasons why the trend is increasing, including:

  • The exponentially increasing number of apps makes for a target-rich environment.
  • Faster release cycles mean more apps are made public more often, and application security tends to lag behind product release cycles.
  • Use of third-party components and frameworks opens a window for additional vulnerabilities.
  • Increasingly robust functionality on the client side of apps - due to competition and user demand - is creating a wider range of hacking opportunities. When more features become available, there are more features available to hack!
  • Improved hacking tools now include advanced capabilities such as jailbreak detection avoidance, and many tools are diversifying to cover all platforms. For example, the previously iOS-exclusive Cydia Mobile Substrate is now available on Android. A recap of readily available hacking tools appears below.

[Figure: recap of readily available hacking tools]

It couldn't be much easier for a hacker: A bogus app can be hacked, repackaged and distributed in less than an hour. The process to create a bogus app is surprisingly simple:

  1. Download, decrypt, open and reverse engineer the legitimate app's contents.
  2. Extract and steal confidential data (if that's the motivation).
  3. Create a tampered, cracked or patched version of the app that contains malware.
  4. Distribute and encourage use of the hacked app.

Hacker's Last Step - Distribute and Cash In

Tampered and hacked applications are distributed in a number of ways. They can be easily placed on non-iOS or Android app stores, most of which do not follow thorough review processes. There are also hundreds of app stores globally, catering to BlackBerry users, cross-platform providers, manufacturer-specific users, and operators and carriers.

Apple's App Store has a review process, but there are potential ways for cybercriminals to circumvent it. For example, in the review process, an automated tool evaluates apps' legitimacy. However, the owner of a hacked app can easily conceal what the app is doing, or distribute it via an enterprise deployment model and avoid the review altogether.

There are even more options for Android app distribution, and none have a formal review process. These include the Google Play Store, releases via independent websites and email-based releases. Android users are usually warned that they are downloading from an unofficial store, but many miss the warning because they enable automatic downloads of software updates.

But Isn't My App Encrypted? Yes, But…

It's easy for cybercriminals to bypass iOS encryption to execute a mobile app attack. Some insidious new hacks don't even leave a fingerprint.

For example, in a method swizzling hack with code replacement, actors can leverage infected code to attack critical class methods in an application, intercept API calls and execute unauthorized code. The attack leaves no trace at all, and the code reverts to its original form after the attack.
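A defender-side runtime check for the swizzling described above, as an added example that is not part of the original article: it verifies that a sensitive method's current implementation still lives in the same binary image as the check itself. The class `PaymentAuthorizer` and the helper `IMPIsInOwnImage` are hypothetical names.

```objc
// Added example, not from the original article.
// Build: clang -fobjc-arc -framework Foundation swizzle_check.m
#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <dlfcn.h>

// Hypothetical sensitive class standing in for an app's own code.
@interface PaymentAuthorizer : NSObject
- (BOOL)authorizeAmount:(NSInteger)cents;
@end

@implementation PaymentAuthorizer
- (BOOL)authorizeAmount:(NSInteger)cents { return cents > 0 && cents < 100000; }
@end

// YES only if the current implementation of -[cls sel] is code inside the
// same Mach-O image as this function (the app binary). Fails closed.
static BOOL IMPIsInOwnImage(Class cls, SEL sel) {
    Method m = class_getInstanceMethod(cls, sel);
    if (m == NULL) return NO;                          // method is missing
    Dl_info target, here;
    // Image that contains the implementation the runtime would call now.
    if (dladdr((const void *)method_getImplementation(m), &target) == 0) return NO;
    // Image that contains this check itself.
    if (dladdr((const void *)&IMPIsInOwnImage, &here) == 0) return NO;
    return target.dli_fbase == here.dli_fbase;         // same image base address
}

int main(void) {
    @autoreleasepool {
        SEL sel = @selector(authorizeAmount:);
        // Run the check immediately before the sensitive call.
        if (!IMPIsInOwnImage([PaymentAuthorizer class], sel)) {
            NSLog(@"integrity: %@ is implemented outside the app binary",
                  NSStringFromSelector(sel));
            return 1;                                  // refuse to continue
        }
        BOOL ok = [[PaymentAuthorizer new] authorizeAmount:2500];
        NSLog(@"authorized=%d", ok);
    }
    return 0;
}
```

The check is point-in-time, so it belongs directly before the sensitive call rather than only at launch, and it does not catch a swap to another method inside the same repackaged binary.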

In light of what's happening, analysts and consultants are making strong statements to drive companies to perform static and runtime application protections:

  • “Make self-protection a new investment priority, ahead of perimeter and infrastructure protection,” Gartner said. “It should be a CISO top priority.”
  • 451 Research stated, “It ('application hardening and runtime protection') is a critical component in the strategy for secure enterprise software, embedded systems, mobile apps and the much-bandied Internet of Things.”

What Can I Do to Protect My Apps, My Customers, My Brand and My Bottom Line?

In our on-demand webinar “Think Like a Hacker! New Attacks, New Approaches,” we will address the current threat landscape and provide a range of strong countermeasures you can employ to improve security.

Watch the webinar to learn:

  • How easily hackers can leverage widely available third-party tools to completely disable and compromise your mobile apps, and why standard cryptography no longer offers sufficient protection;
  • The evolution of the mobile threat landscape, including a live demo of various reverse engineering and tampering attacks; and
  • Best practices to stay ahead of hackers, mitigate risk and implement new approaches to protect your organization against mobile application vulnerabilities that can threaten your employees, your good name and your bottom line.