Malicious apps are a scourge to smartphone users. No matter your take on iOS versus Android, we can all agree that a malware-infected app guarantees a terrible day. And while the Google Play Store is undoubtedly drowning in malicious apps, the long-standing sanctity of the Apple App Store is no more.
Why do malware purveyors want to infect your smartphone with an infected app? There are two simple reasons: money and data. There are countless apps out there that never arrive accompanied with a malicious sting. So how do they avoid infection, and how does malware get into an app in the first place?
Infected Apps Everywhere
Measuring the pervasiveness of malware infected mobile applications is difficult. In an already shifting marketplace, capturing a clear picture is difficult. One thing is clear: no single mobile operating system is free. Android users recently encountered HummingWhale, Judy, and Xavier attacks, while iOS users had to contend with XcodeGhost.
A study published in 2014 [PDF], as part of the ANDRUBIS project, examined one million Android apps (1,034,999 to be precise). The apps sampled came from a wide range of sources, including unofficial marketplaces, torrents and sites known to offer pirated apps (as well as the Google Play Store).
Of the 125,602 apps sampled from the Google Play Store, 1.6 percent were malicious (that’s 2,009).
Unfortunately, malicious app data for the App Store is rare. There are several well documented cases of malicious app activity on iOS devices. But — and this is a major iOS selling point — they are vastly minimized compared to their Android counterparts. Take these two contrasting figures. The Pulse Secure 2015 Mobile Threat Report estimated that 97 precent of all mobile malware is written for Android. The F-Secure State of Cyber Security 2017 [PDF] report raises that figure to 99 percent. Then consider that in 2013 the U.S. Department of Homeland Security estimated [PDF] just 0.7 percent of mobile malware was written for iOS.
Contrasting fortunes for the two-major mobile operating systems.
How Apps Get Infected
Who do you think infects an application? The developer? Criminal gangs? Malicious individuals? Perhaps even the government? Well, they’re all right, in some ways.
Most obvious is the rogue developer: an individual who designs apps with malicious capabilities, and publicizes them on the Play Store (or an equivalent). Luckily for you and me, there aren’t many of these individuals.
That is probably for one reason: the amount of effort required to develop, launch, and build a following for the app only to then turn it malicious is… well, too damn high. By the time the app became popular enough to truly profit from (be that via advertising clicker or data theft), the malicious developer might well be making more in advertising revenue.
Far more commonly we see malicious code inserted into an existing app, then republished. This process uses a number of different techniques.
Malvertising is a common scourge of the 21st Century. The premise is simple: you’re served a malicious advert through an official channel. You’re not expecting a malicious attack through a legitimate app, so they catch users by surprise.
The best Android malvertising example is the Svpeng banking Trojan. The Trojan was primarily installed via infected Google AdSense ads targeting Google Chrome for Android users. Here’s the thing about malvertising: you don’t actually have to click on the advert to pick up an infection. Merely viewing the ad is enough.
Legitimate apps downloaded from an official appstore are infected with malware. Then, they’re republished using their official name, to a litany of appstores (legal or otherwise).
A key feature of application republishing are slight variants in the app name. Instead of Microsoft Word (the official Microsoft release), it’ll be Micr0soft W0rd. Okay, that is a terrible example, but you get the gist.
Android ransomware, Charger, used this tactic, as did malvertising-malware, Skinner (amongst other tactics).
Sale of App
From time-to-time, a legitimate app developer will sell their valued app. Along with the app comes users. Furthermore, there is the chance to push trusted updates to the existing users.
As yet, there are no documented cases of this particular method of attack. However, it isn’t uncommon for popular app developers to receive acquisition requests. Similar occurrences take place regarding Chrome Extensions. A popular Chrome Extension, with permission to access user data, along with thousands of users, is a veritable goldmine. The developers of Honey, an auto-coupon extension, turned the malicious individual down.
Amit Agarwal had a completely different experience. He sold his Chrome Extension to an unknown individual, only to find the next app update (out of his hands) “incorporated advertising into the extension.” His work, which in his own words only took a hour to make, had become the vehicle for advertising injection.
Do Apple or Google Help?
As the owners of the largest and most popular app repositories, the technology giants have a responsibility to protect their users. For the most part, they do. It is damaging to their users, as well as their reputations for malicious apps to infest their store. But one company is leading the way.
Apple are undoubtedly streets ahead when it comes to protecting iOS users from malicious apps. The process of creating and uploading an app to the App Store is more intricate, requiring multiple checks and sign-offs before hitting the storefront. In addition, an iOS app has a smaller range of devices, over a smaller range of operating system versions to cater for. As such, standards are generally higher than Android.
Google have had to work hard to decrease the number of malicious apps featured in the Play Store. With its reputation at risk, Google introduced Play Protect, a “security blanket for your mobile device.” Play Protect actively scans your device to search for malicious apps. Furthermore, Play Protect constantly scans the Play Store itself for malicious apps, suspending developers, and removing the offending material.
While Google and Apple make concerted efforts to keep our devices malware free, malware authors attempt to evade detection. Irritating, but understandable.
There are a few common ways an attacker will conceal their malicious code:
- Download the malicious code after installation.
- Obfuscate the malicious code amongst “clean” code.
- Time delay/instruct app to wait before downloading or deploying payload.
- Rely on delivery via an external source (e.g. malvertising).
- Conceal the malicious app within another medium.
As you can see, there are numerous methods to keep a malicious app, or malicious code within an app hidden from users (let alone the app store they’re downloaded from).
Steer Clear of Mobile Malware
As you’ve seen, there are a significant number of ways that malicious code can enter an app. Furthermore, malicious actors have several methods available for keeping malicious code out of view — until it’s deployed to your smartphone.
How can you steer clear of downloading a malicious app, then?
- Only download apps from official app stores…
- …and avoid third-party stores.
- Check you’re downloading from an official or reputable app developer.
- Read app reviews. They’ll give you the information you need.
- Keep app verification tools switched on at all times.
- Don’t get fooled by offers of free apps.
- Keep your phone updated!
There are a lot of malicious apps out there, especially if you’re using an Android device. But by understanding the threats, and sticking to our quick tips, you and your device will remain in good health.
Have you experienced mobile malware? What variant did you encounter? What happened to your smartphone? Were you using an Android or an iOS device? Finally, let us know your mobile malware experiences in the comments below!
Image Credit: iluslab via Shutterstock