Mobile Malware: There's an App with That

Mobile Malware: There's an App with That
featured image

Guest column: Chris Olson, CEO of The Media Trust, says that as a ‘result of the modern world’s dependency on mobile apps, criminals have adapted hacking techniques to mine this burgeoning market for their own reward’

[Article originally appeared in Talking New Media, September 6, 2017.]

Smartphones have become the ultimate multitool for convenience. Encapsulated in the coveted small rectangle of plastic, users can access and store messages (text, voice and video), music, calculators, calendars, voice recorders, GPS, email, weather forecasts, games, news and a myriad of other useful apps. This ever-present desire to have the world at our fingertips (literally, so!) continues to drive both mobile use and app creation.

The already skyrocketing mobile application (app) economy is expected to surge to $6.3T by 2021. The surging growth in revenue (5X), users (2X), and in-app time (2X) can only mean one thing: apps are a fertile ground for cybercrime. And, as the recent WireX scenario demonstrates, mobile apps can be dangerous.

So here’s a question to ponder: Do you know if that app you are downloading is trustworthy? Or to put it another way: Do you know if the app creator is continuously monitoring all the app code for malware and other vulnerabilities?

More than you signed up for

Compared to a mobile website, apps generally offer an optimized and more personalized viewing experience for the consumer. This optimization, however, comes at the cost of security as many apps rely on unmonitored (and frequently untested) third-party code to help deliver this necessary functionality. Unmonitored owned and third-party code present significant security vulnerabilities for websites and mobile apps alike.

As a direct result of the modern world’s dependency on mobile apps, criminals have adapted hacking techniques to mine this burgeoning market for their own reward. These once seemingly untouchable targets are now exceptionally vulnerable. When contemplating mobile vulnerabilities there are three key areas where criminals focus their efforts:

Look-a-like: Imitating a popular app is one tactic with one well-known example being Pokemon GO. When first launched, it wasn’t immediately available in some regions, which led to fake apps appearing in stores. Consumers, desperate to join the hunt, downloaded these programs, many of which contained rogue code.

Users must remain alert and check carefully that they’re not inadvertently downloading a malicious app – subtle changes in app name and spellings are red flags. For instance, Pokemon GO was mimicked by fake apps named Pokemongo and Pokemon Go Ultimate, which were found in legitimate app stores, tricking users into paying for bogus services.

Abusive permissions: A common misperception is that apps only perform user-intended functions. However, a quick check of the terms and conditions of popular apps dispels this myth. Many, if not all, require permissions, thus opening up access to the mobile device more so than with a desktop application. The reasons for these permissions are not always readily apparent, yet users quickly agree to them because they want the app. Unfortunately, this rush to instant gratification runs counter to typical everyday actions: Would you give someone unlimited access to your bank account when you purchase a coffee?

Complicating the issue, permission notices in iOS are on the main iStore privacy page, not on each app’s install page like Android. Because they can be difficult to locate, many users are unsure as to what exactly they have agreed to execute in the course of the app’s install life on the device.

Granting internet access to an app might not cause a huge amount of damage; you want to keep abreast of versions and possibly offers. The real danger is when the app requires seemingly random permissions that don’t make sense for the app’s function. For example, if an app requested permission to access both the storage and the internet, what’s preventing the posting of the device’s storage data (including notes, camera photos, recordings, etc.) to the internet? Everyone has heard about the risks of smart TVs recording conversations or baby monitors sharing videos of sleeping children. Unauthorized release of personal and/or sensitive data can and does happen. If it is unclear how the permissions will be used, then it’s impossible to identify the vulnerabilities.

Network trafficking calls: Apps frequently communicate externally, resulting in data usage to execute certain functions that may include hidden threats. Some examples of apps that require frequent external communication are:

  • News: While the app may be packaged as a recognized brand, responsibility for delivering the content is typically outsourced to a third party or proxy server that has the expertise to host and deliver the content quickly and efficiently.
  • Shopping: Offers of in-app purchases are likely provided by a third party as the app developer is unlikely to build their own paywall due to coding complexity and industry regulations and standards that need to be satisfied.

In-app Ads: Criminals exploit the digital advertising ecosystem, and they thrive in the mobile environment. In-app ads, too, need to communicate externally to render an advertisement on screen, leaving the supporting code wide open for malicious code to be injected. Rather than being delivered by the original provider, the app will often call out to a third-party provider.

In a mobile environment, advertising can easily be leveraged to cause harm, with or without the user’s action or knowledge. One practice that has netted significant funds is the execution of click fraud. After recent phishing incidents and malware-infected apps, Google had to address security challenges within its product suite. Criminals exploit ad networks, demand-side platforms (DSPs), and ad exchanges, to deliver malicious app store redirections and nonhuman click-throughs.

How to stay safe

True, the onus is on the app creator to secure both the owned code and third-party code, however, this does not eliminate due diligence on the buyer’s part. While it may seem an impossible battle, there are a number of practices that can help users remain secure:

  • Access legitimate app stores: Users should double check an app’s legitimacy by looking at the developer/author. A quick review of the logo and grammar usage is a good first check as illegitimate apps frequently use old logo versions or poor grammar, misspelling etc.
  • Don’t grant permission blindly: Users should review permissions and not accept any that do not make sense. Do Solitare or Dictionary need geolocation? No, but several social networks and fitness apps do!
  • Question legitimacy: Frequently, lookalikes will sponsor their app placement in the store to get priority listing. Double (and triple) check that the app is the one you want. Try and navigate to the app from the official app/ product website rather than searching for an app directly in the store.

But it’s [insert brand name here]!

Technology is the great enabler, but in order to be completely safe there is an argument to only use a physical phone line for communication, and an abacus for computation, and a paper map to get from A to B. Of course, for those that prefer to utilize the flexibility afforded by mobile communications, users must fully comprehend the risks and take the necessary steps to protect their mobile activity. And no, that super expensive and feature-rich brand smartphone isn’t going to guard you against in-app malware.