by David Geer

Attackers clone malware-laden copies of popular apps

Mar 04, 2015

Application Security | Cybercrime | Mobile Apps

Criminal hackers have hacked/cloned most of the top 100 paid apps and top 20 free apps for Android and iOS, according to data from Arxan’s State of Mobile App Security report, 2014. These attackers use the infected apps to gain entry to the enterprise in order to compromise its most treasured information.

Don’t assume that BYOD security tools are keeping enterprise data safe from the effects of these counterfeit apps. The business should not trust that perimeter security is doing the job either. It takes a combination of approaches and resources to thwart cloned mobile apps, and even then the enterprise will never be bulletproof.

Follow CSO on a journey from the point of app innocence lost to network infiltration and data compromise, winding up with methods to defend against the mutated mobile monsters that these hoodlums hack and deploy.

App innocence lost

Cyber thugs comb the Internet looking for the most popular, most frequently downloaded, most used mobile apps, something like Angry Birds for example. Then the attackers grab their own copy of the popular app, use any of the many readily available free tools on the Internet to decompile, disassemble, and modify the app, and reconstruct it to include malware. “These tools allow the attacker to change the whole program,” says Professor Wenliang (Kevin) Du, Department of Electrical Engineering and Computer Science, Cybersecurity, Syracuse University.

Then the attackers redistribute the app from various locations on the web including any third-party app stores that will host it, making it available to consumers. Unsuspecting users download the copy, which works like the real thing while executing malicious behaviors in the background.

“Attackers use routine malware kits, which look for vulnerabilities on the phone and exploit them,” says Du. Though the user remains unaware of the infection, the attacker uses the kit to ultimately gain complete administrative, root-level control of the entire device so they can do everything on it that the user can, and then some. “This will compromise everything on the phone, including enterprise data,” says Du.

This approach is commonplace, and attackers routinely succeed with it. “A few years ago, attackers successfully added one of these very, very popular malware kits called DroidDream to clones of more than 55 different apps,” says Du. This method works well on personal smartphones that companies permit employees to use for work as part of BYOD programs.

How to zap imposter apps

Whether the attacker can bypass the phone and gain permanent access inside the enterprise perimeter depends in part on how much the enterprise trusts that device. The enterprise should enforce zero-trust, least-privilege policies where these devices are concerned. Even if an attacker assumes complete control of the device, the enterprise should be able to count on multiple layers of security at and between every node and endpoint, every step of the way, from the infected mobile device in to any data stores inside the enterprise that house valuable information.

Layered security should include best-of-breed perimeter security, including firewalls, IDS/IPS, and UTM gateways, none of which should fall by the wayside. The enterprise should also use strong, state-of-the-art user access controls, DLP, and other next-gen security tools to protect data deep inside the organization.

There are detection tools that model potentially malicious software mathematically, comparing it to a broad range of characteristics common to malware. There are tools that automate incident response processes based on pre-defined rule sets when they find an attack in progress.

And with the movement toward software-defined networking, micro-segmentation, which adds policy-based traffic analysis and filtering between any pair of endpoints, is becoming an additional security option that enterprises should consider.

This is all in addition to making sure IT/security has really hardened all systems, patched all vulnerabilities, and managed configurations appropriately. “A technician could accidentally configure the web server to have read/write directory access, which could allow an attacker to compromise the web server’s information,” says Joe Schumacher, senior security consultant, Neohapsis, which is now part of Cisco.

To ensure protection layers are working hard, the enterprise should use pen testers to routinely search for new vulnerabilities—the ones that threaten the organization most—using attacks that are current. This will inform the business as to what is not properly patched or hardened.

To help the employees keep the enterprise secure, businesses should use more enterprise app stores that separate enterprise apps from general consumer app stores, says Schumacher. This will make it easier for employees to identify legitimate apps, at least on the corporate side. If the enterprise goes a step further and secures that app store, it will be more difficult for criminal hackers to retrieve, clone, and redistribute those apps. The significance of application security merits the business assigning at least one IT professional if not a department as steward over it, according to Schumacher.

User education is also critical, since employees can still download cloned consumer apps to their personal devices, which they now use for work thanks to the broad acceptance of BYOD. It will serve the enterprise to educate and convince employees that there are many cloned apps on the Internet that look like the real thing, especially consumer apps. Teach them how to more thoroughly investigate and confirm apps and app stores before they download and install anything. If an app asks for more permissions than it should really need, the enterprise should advise users to investigate further and think very carefully, as this can be a red flag that the app is malicious or insecure. Let employees know how much this is also to their own benefit, since the same foul apps can infiltrate accounts they have linked to the phone, such as financial accounts.
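The two red flags the article describes can be checked mechanically against a device inventory: a cloned app has been decompiled, modified and rebuilt, so it must be re-signed and its signing-certificate fingerprint no longer matches the publisher's, and it often requests permissions the genuine release never asked for. The following is an added example, not code from the article or from any vendor named in it; the package name, fingerprints and permission sets are constructed.

```python
"""
Added example: flag likely repackaged Android apps in an inventory export.
A cloned app is re-signed by whoever rebuilt it, so its signer fingerprint
differs from the publisher's pinned value; permissions beyond the genuine
release are a second indicator. All values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    package: str
    signer_sha256: str          # SHA-256 of the APK signing certificate
    permissions: frozenset       # permissions declared in the manifest


# Baseline of genuine apps, as an enterprise app store or MDM would export it.
# Fingerprints are constructed placeholders, not real certificate hashes.
BASELINE = {
    "com.example.birds": {
        "signer_sha256": "aa" * 32,
        "permissions": frozenset({"android.permission.INTERNET"}),
    },
}


def audit_app(app, baseline=BASELINE):
    """Return a list of findings for one installed app (empty list = clean)."""
    findings = []
    known = baseline.get(app.package)
    if known is None:
        findings.append("unknown package: not in enterprise baseline")
        return findings
    # Re-signed APK: the defining trace of a decompile-modify-rebuild clone.
    if app.signer_sha256.lower() != known["signer_sha256"].lower():
        findings.append("signer mismatch: APK re-signed, likely repackaged")
    # Permissions the genuine release never declared.
    extra = app.permissions - known["permissions"]
    if extra:
        findings.append("excess permissions: " + ", ".join(sorted(extra)))
    return findings


def audit_inventory(apps, baseline=BASELINE):
    """Map package name -> findings for every app that has at least one."""
    return {a.package: f for a in apps if (f := audit_app(a, baseline))}


if __name__ == "__main__":
    # Constructed inventory: one genuine install, one re-signed clone.
    genuine = InstalledApp("com.example.birds", "aa" * 32,
                           frozenset({"android.permission.INTERNET"}))
    clone = InstalledApp("com.example.birds", "bb" * 32,
                         frozenset({"android.permission.INTERNET",
                                    "android.permission.READ_SMS"}))
    for pkg, found in audit_inventory([genuine, clone]).items():
        print(pkg, "->", "; ".join(found))
```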

Finally, make mobile security applications, which are a must today, available and easy to use. The best option is to require that employees use a specific, supported security application or suite of applications, and to enforce that requirement with NAC tools on those endpoints. The enterprise should opt for tools that provide security without creating latency on the device. The business does not want to invest in tools that force people to work more slowly or cause them to resent the business for adding another hurdle to their work day.

More than swift and smart

All these measures are not enough without proactive security teams. No matter how intelligent or automated these solutions get, the enterprise will always need people who can think and act outside the box, beyond the borders of intellect and predetermination.