These are the most common security breaches in mobile applications in the Play Store and App Store
Trojans such as Joker, Fleckpe or Autolycos, spyware, “benign” apps that turn malicious in a second phase… Security breaches in mobile applications have grown steadily in recent years
Security breaches in mobile applications have become more than just a headache for Google and Apple. They are a source of permanent conflict at a reputational and operational level due to the difficulties in controlling the huge number of apps that inhabit the Play Store and the App Store.
According to the latest published estimates, Google’s app store currently has 3.5 million apps, compared to 1.8 million offered by the Cupertino platform. The number has reached such a magnitude that it has become a gigantic security challenge even for two of the world’s most powerful multinationals.
The consequence? Every month, new security breaches in mobile apps emerge, calling into question the ability of the Play Store and the App Store to monitor the code developers upload to production.
Apps with over 1.5 million downloads containing spyware
In the middle of last year, for example, tens of thousands of users worldwide woke up to disturbing news. One of the apps they used daily to store files securely on their phones, File Manager, was hiding spyware that shipped their data to servers in China.
The developers stated in the store listing that the app collected no data, but the reality was different: it sent photos, audio and video files, contact lists and more to a network of servers in China. At the time, File Manager and the other apps carrying the same malicious code had accumulated 1.5 million downloads worldwide.
A year earlier, the Joker and Autolycos Trojans had been operating from seemingly ordinary apps such as Video Editor Easy, Translate Anywhere or Pro Wallpaper. The malicious code embedded in these apps abused the permissions the user had granted them to exfiltrate sensitive data or subscribe the victim to premium services. The modus operandi is very similar to that of Fleckpe, a subscription Trojan identified in numerous apps, most of them video and image editors.
The question, in view of the current scenario, seems logical:
What are the top security breaches in mobile apps on both iOS and Android?
The main one is, by a significant margin, the presence of malware in the code of apps. While both the App Store and the Play Store have tried to implement new controls and tools to contain these practices, the truth is that hostile actors often find angles to circumvent these efforts.
Here are some of the most common:
- Encryption and obfuscation. Encrypting or heavily obfuscating the payload makes it hard for the stores’ automated analysis tools to see what the code actually does.
- Dynamic code loading. It is common to find apps that are benign as submitted but that download and execute additional code (the real malware) once they are installed and have network access, so the payload never passes through store review.
- Updates. Another way of breaching the security of iOS and Android apps has to do with updates. Review on an app’s first submission is usually more thorough. Hostile actors know this, so the first version usually contains nothing anomalous. The malicious payload arrives in a later update, taking advantage of the trust the store already places in the app.
Along the same lines, in recent years there have been cases of entirely legitimate applications that changed ownership and were then involved in very shady episodes and serious security breaches. In some cases the new owner was directly an organization linked to cybercrime.
How do application security breaches affect users?
The digital (and material) impact of all these security breaches in apps takes different forms. The following are three of the most frequent:
Theft of credentials and information
Malicious code in applications usually seeks to obtain broad permissions on the terminal in order to access information of all kinds, even private conversations, a practice that surely reached its public peak with the iRecorder case.
Subscriptions in the background
In this case, a user is subscribed to websites and services without their knowledge because the app loads malicious code that signs them up for premium content charged to the mobile operator’s bill.
The Trojan connects to the attacker’s command and control server to obtain the offers to sign up for, then automates the whole subscription process, including intercepting the confirmation codes that arrive by SMS or notification to authorize the registration.
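Both the update trick described earlier and the subscription Trojan described here leave a trace in the app’s manifest: the permissions that let it read confirmation codes (SMS access or a notification listener) usually appear only in a later version. The following is an added example, not code from the original article or from any store or vendor tool. It parses the decoded text form of AndroidManifest.xml (as apktool or aapt2 print it) for two constructed versions of a fictional app, flags the subscription-fraud permission profile, and reports dangerous permissions that only appear in the update. The risk groupings are an editorial assumption, not a Google-defined taxonomy.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Risk groupings are an editorial assumption for this example.
SMS_INTERCEPT = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
DANGEROUS = SMS_INTERCEPT | {
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    NOTIFICATION_LISTENER,
}

# Constructed manifests for a fictional app: v1 is what the store reviewed
# on first submission, v2 is the update that ships the real behaviour.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.samplewallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Sample Wallpaper">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.samplewallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Sample Wallpaper">
    <activity android:name=".MainActivity"/>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def permissions(manifest_xml):
    """Return the set of permissions the app effectively holds.

    A notification listener is not a <uses-permission>; it is a <service>
    guarded by BIND_NOTIFICATION_LISTENER_SERVICE, so it is folded in here.
    """
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == NOTIFICATION_LISTENER:
            perms.add(NOTIFICATION_LISTENER)
    perms.discard(None)
    return perms


def triage(old_xml, new_xml):
    """Flag the subscription-fraud profile in the new version and any
    dangerous permission that the update introduces."""
    old, new = permissions(old_xml), permissions(new_xml)
    findings = []
    can_read_codes = bool(new & SMS_INTERCEPT) or NOTIFICATION_LISTENER in new
    if "android.permission.INTERNET" in new and can_read_codes:
        findings.append("subscription-fraud profile: network access plus "
                        "SMS/notification interception")
    added = (new - old) & DANGEROUS
    if added:
        findings.append("update adds dangerous permissions: "
                        + ", ".join(sorted(added)))
    return findings


if __name__ == "__main__":
    for finding in triage(MANIFEST_V1, MANIFEST_V2):
        print("[!]", finding)
```

Run against real builds, the same diff of permissions between the version already on the store and the candidate update is the cheapest check a store or an enterprise app-vetting pipeline can make before trusting an update; a wallpaper app that suddenly needs SMS access or a notification listener deserves a manual look regardless of what its code seems to do.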
Advertising, a juicy business
Often, malware placed in apps seeks to load ads uncontrollably, even when the screen is off or the device is idle. Adware running in the background on thousands of terminals lets hostile actors pocket considerable sums of money.
The Goldoson case is notable because the malicious code was not an app at all but a widely used third-party library that developers had embedded in their otherwise legitimate apps, so the malicious behaviour shipped inside software its own authors believed to be clean.
What steps can users take to protect themselves from security breaches in already installed mobile apps?
Both Google and Apple have published some guides that provide users with recommendations and best practices to avoid these incidents. Here are some of the tips:
- Use a mobile antivirus. There are multiple solutions on the market.
- Keep the operating system updated. Security improvements and eliminating bugs are critical to any mobile operating system update (iOS or Android).
- Download only from trusted sources. Organizations such as INCIBE strongly advise against installing any app that does not come from an official store. Beyond the problems described above, Android and iOS apps are far more likely to have been vetted in the official stores than in any other repository, because of the quality and depth of their monitoring tools.
- Common sense. Simple as it may seem, applying common sense to every download you make on your mobile device can be enormously useful: check who the developer is, how the app is reviewed, and whether the permissions it asks for make sense for what it claims to do.
What tools and methods are used to identify and mitigate security breaches in mobile applications before release?
In recent years, and in the wake of app security scandals, the acronym SDLC (Software Development Life Cycle) has gained an extra S. In an optimal development scenario, app design and development should now follow an SSDLC, a Secure Software Development Life Cycle.
The development team should be very conscientious in reviewing the code before going into production. SAST-type tools such as Checkmarx can be very useful in this inspection process.
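To make concrete what a SAST pass looks for in mobile code, here is an added example, not code from the original article and not Checkmarx’s or any other product’s ruleset. It is a small pattern-based scanner with five rules covering defects that recur in Android apps (a hardcoded credential, a TrustManager that accepts any certificate, a Java object exposed to WebView JavaScript, an unauthenticated cipher mode, and a world-readable file), run over two constructed Java fragments: a vulnerable class and its hardened counterpart. The rule names, regular expressions and sample classes are the editor’s assumptions for illustration.

```python
import re

# Each rule: identifier, compiled pattern, one-line rationale.
# The ruleset is an editorial assumption for this example.
RULES = [
    ("HARDCODED_SECRET",
     re.compile(r'(?i)\b(api[_-]?key|secret|password|token)\s*=\s*"[^"]{8,}"'),
     "credential embedded in source; it ships in the APK and is trivially extracted"),
    ("TRUST_ALL_CERTS",
     re.compile(r'void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}'),
     "empty checkServerTrusted accepts any TLS certificate"),
    ("JS_BRIDGE",
     re.compile(r'\baddJavascriptInterface\s*\('),
     "Java object exposed to WebView JavaScript; any loaded page can call it"),
    ("WEAK_CIPHER",
     re.compile(r'Cipher\.getInstance\(\s*"(DES|RC4|AES/ECB)[^"]*"'),
     "obsolete or unauthenticated cipher mode"),
    ("WORLD_ACCESSIBLE_FILE",
     re.compile(r'\bMODE_WORLD_(READABLE|WRITEABLE)\b'),
     "file readable or writable by every app on the device"),
]


def scan(source):
    """Return (line_no, rule_id, rationale) tuples, ordered by line.

    Patterns run over the whole text rather than line by line so that a
    method body split across lines (as TRUST_ALL_CERTS often is) still matches.
    """
    hits = []
    for rule_id, pattern, why in RULES:
        for m in pattern.finditer(source):
            line_no = source.count("\n", 0, m.start()) + 1
            hits.append((line_no, rule_id, why))
    return sorted(hits)


# Constructed vulnerable sample (not real app code).
VULNERABLE = '''\
public class NetClient {
    private static final String API_KEY = "sk_live_0123456789abcdef";

    static final TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    void setupWebView(WebView view) {
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new NativeBridge(), "Android");
    }

    byte[] encrypt(byte[] key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(data);
    }

    void cache(Context ctx, byte[] data) throws Exception {
        FileOutputStream out = ctx.openFileOutput("tokens", Context.MODE_WORLD_READABLE);
        out.write(data);
        out.close();
    }
}
'''

# Constructed hardened counterpart: secret injected at build time, pinned
# TrustManager with a real check, no JS bridge, AES-GCM, app-private file.
HARDENED = '''\
public class NetClient {
    private static final String API_KEY = BuildConfig.API_KEY;

    static final TrustManager PINNED = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            pinner.check(chain);
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    void setupWebView(WebView view) {
        view.getSettings().setJavaScriptEnabled(false);
    }

    byte[] encrypt(byte[] key, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(data);
    }

    void cache(Context ctx, byte[] data) throws Exception {
        FileOutputStream out = ctx.openFileOutput("tokens", Context.MODE_PRIVATE);
        out.write(data);
        out.close();
    }
}
'''

if __name__ == "__main__":
    for line_no, rule_id, why in scan(VULNERABLE):
        print(f"line {line_no}: {rule_id}: {why}")
    print("hardened findings:", scan(HARDENED))
```

A commercial SAST engine does this with a real parser and data-flow tracking instead of regular expressions, which is what lets it follow a secret from a constant into a network call or tell a test-only TrustManager from a production one; the point of the toy is only to show the class of defect that is cheap to catch before the build reaches the store.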
It also helps to train programmers to write secure code. Platforms such as Secure Code Warrior can help in this process.
Once this process has been completed, it would be optimal to carry out a pentest. Here the goal is not to inspect the code but to analyze the business logic of the running app and its information flows… This is where vulnerabilities can emerge that would ruin an app’s success through a security crisis.
Both Apple and Google have implemented bug bounty programs to encourage hunters to find security breaches in apps and thus improve the security of their stores.
Along the same lines, at Tarlogic Security, we have a highly specialized team to help development companies perform mobile application security audits—a uniquely useful step to ensure that the app has a bigger and better route to market.