Mobile Apps: New Frontier for Cybercrime
In our 12 Security Predictions for 2012, we predicted that smartphones and tablets will continue to be targets for cybercriminal attacks. Due to the growing usage of mobile devices worldwide, web threats are no longer limited to conventional PCs. App stores now serve as the sites for software download, while mobile apps serve as programs we download onto our mobile devices.
It's a shift in platform but with the same threat scenario. Users who download from app stores may end up downloading malware instead. Because of this, mobile apps have become the new frontier for threats.
In this article, we take a look at mobile apps' immense popularity among smartphone users. Given its indispensable use in light of mobile consumerization, cybercriminals take advantage of this fad by creating malicious and Trojanized apps for distribution to users. We will also provide simple and effective tips on how to prevent these threats from affecting your mobile computing experience.
What are mobile apps and why are they so popular?
The demand for mobile applications increase with the growth in mobile device usage. Mobile applications, or mobile apps, are software created for smartphones and tablets.
Currently, consumers can choose among the thousands of apps found in the Android Market, the iTunes App Store, Nokia Ovi Store, Blackberry App World, Samsung Apps, and Windows Phone Marketplace. Mobile apps have grown popular because they are designed for various purposes to cater to mobile users' specific needs – from entertainment and education, to practical use. Apps make things more convenient and fun for the ordinary smartphone user.
How do consumers use mobile apps?
Google's Android platform and Apple segmented their apps into several categories to make downloading apps simple and easy. Apps are usually categorized into the following:
- Social Networking
Apple categorized their mobile apps into 11 categories, while the Android Market expanded their categories into 27 types. Because of its immense popularity, the "games" category has its own subcategory, which includes arcade-type games, action, puzzles, and more. Other app providers like the Blackberry App World and the Nokia Ovi Store also segmented apps into different categories.
Almost 26 percent of the downloaded apps in 2011 were games, followed by 12.2 percent of for entertainment-related apps. 11.17 percent consisted of app tools.
Where can users get mobile apps?
Mobile apps are distributed through their mobile app distribution page. Each mobile OS has its respective official website, where users may purchase and download the mobile apps. These app stores are similar to how we download software and programs from respective vendor sites.
Below are the official mobile app stores for each mobile OS.
|Mobile App Store/Provider||No. of apps currently available||No. of downloads|
|Android Market||450,000||10 billion|
|iTunes App Store||425,000||15 billion|
|Nokia's Ovi Store||116,583||13 million per day|
|Blackberry App World||60,000||2 billion|
|Samsung Apps||13,000||100 million|
|Windows Phone Marketplace||70,000||*No data available|
What are the risks of downloading from app stores?
Little do people realize, there are still some security risks despite downloading apps from their from official sites.
The Android platform, has become the target of continuous cyber attacks due to its app distribution model that makes it open to any developing parties. But this does not mean that other mobile platform users should take security issues lightly.
There are also third-party sites that provide alternative apps for users. However, downloading from these unofficial channels can be as risky as downloading programs from unverified and peer-to-peer sites. While third-party app stores are not malicious in nature, they do not have the resources to adequately curate app submissions. As a result, malicious, repackaged, and pirated applications may be found in these independent app stores. Thus, it is important to know the business model that these app stores use to understand the possible risks and threats when downloading mobile apps.
What are the business models that each app store use?
iTunes App Store
Apple users are typically limited to apps available for purchase on the iTunes App Store. This can be accessed via users' iTunes account. However, jailbreaking an iPhone, iPad, or iPod Touch enables users to install apps outside the App Store.
Android, on the other hand, is not as strict when it comes to their apps. Users may opt to download apps from sites other than the Android Market and without having to jailbreak (or root) the device. Developers only need to register and pay a $25 registration fee and submit their app for distribution on the Android Market. Users who avail of paid apps can pay via Google Wallet accounts, credit cards, or through carrier billing.
Blackberry App World
Similar to Android, Blackberry mobile users may also download from other app stores not limited to the Blackberry App World. App developers just need to apply for a membership account. Blackberry App World screens the app before granting membership.
Nokia's Ovi Store
Nokia curates its Ovi store and requires developers to submit their apps for testing. Their quality assurance (QA) team reviews apps before they are distributed to Nokia's Ovi Store. This process may take four to six days. Developers also need to register and pay a one-time registration fee. Other Nokia users may opt to download from other developers.
Windows Phone Marketplace
Like Apple, Windows Mobile restricts users from downloading apps outside its official app store. Developers are also required to register and pay the membership fee. Apps are subjected to a certification process that may take as long as five business days.
Since some Samsung smartphones are powered by Android OS and Windows, Samsung Apps also offers apps available to these OSes. However, 90 percent of its available apps are for Bada users. Before uploading apps to the official app store, developers undergo a certification process.
What are the threats affecting current mobile platforms?
More and more consumers are shifting to smartphones, tablets and other devices powered by the previously discussed OSes. This signifies its being a viable target for several cybercriminal attacks to infect devices and spread malicious activities.
Among all the other mobile app stores, the Android Market has been targeted with several incidents of malicious or Trojanized apps. Because of Android’s open nature policy and lax regulations for app developers, it is easier for potential attackers to upload and distribute malware disguised as apps via the Android Market. Moreover, third-party app stores expose more potential risks to users.
ANDROID OS Malware
Our 12 Security Predictions for 2012 predicted that the Android platform will be targeted with more attacks because of its open policy for app development and distribution. This statement is backed by several cases of malware specific to Android OS that we uncovered in the course of our research.
Because of the different malware targeting the Android OS, we categorized them depending on their techniques and payload:
|Data Stealer||Steals information stored in the mobile device and sends it to a remote user||Stolen information maybe used for malicious purposes|
|Premium Service Abuser||Subscribes the infected phone to premium services without user consent||Unnecessary charges for services not authorized by user|
|Click Fraudster||Mobile devices are abused via clicking online ads without users' knowledge (pay-per-click)||Cybercriminals gain profit from these clicks|
|Malicious Downloader||Downloads other malicious files and apps||Mobile device is vulnerable to more infection|
|Spying Tools||Tracks user’s location via monitoring GPS data and sends this to third party||Cybercriimnals track down location of users|
|Rooter||Gains complete control of the phone, including their functions||Users' mobile devices are exposed to more threats|
Below are some noteworthy incidents that we have noted for the past years that took advantage of third-party app stores.
- Before 2010 ended, we noted some third-party app stores distributing Trojanized apps in specific third-party stores in China. These versions (detected as ANDROIDOS_GEINIMI.A) contain malicious code, run in the background, and receive commands from a remote user.
- Malicious apps (detected as ANDROIDOS_LUVRTAP.B) disguised as a love test app, an e-book reader, and a location tracker were found in third-party app stores in China. Once installed, this malware steals information from the device. It also sends text messages to subscribe to premium services, leaving affected users with unwanted charges.
- Spying tools (detected as ANDROIDOS_NICKISPY.A) were found to be collect information like the GPS location of the affected user, messages stored in the message inbox and outbox, and records calls.
- We also found Trojanized versions of the game Coin Pirates in third-party app stores. Detected as ANDROIDOS_PIRATES.A, it gathers information related to the device and monitors specific keywords from users' text messages.
As previously mentioned, Android Market has less retrictions when it comes to registering as a developer. This is Android’s strategy to encourage future app developers, but this also makes it is easier for cybercriminals to register as developers to upload their malicious apps or their Trojanized counterparts. Below are some of noteworthy incidents that leveraged this loophole:
- We analyzed several Trojanized applications found in the Android Market detected as ANDROIDOS_LOTOOR.A. One of these apps is the game Falling Down, which renders similar to the clean version. Once installed, the Trojanized version asks for more access permissions. It also gathers device information like IMEI and IMSI numbers and roots affected devices.
- One of the malware variants found in the Android Market is the notorious DroidDreamLight variant. Trend Micro researchers found an app that promotes itself as a .APK file management tool. However, instead of helping users, this app (detected as ANDROIDOS_DORDRAE.M) collects device-related information and uploads it to remote servers. It was immediately taken off the Android Market.
- Google released the Android Market Security Tool in the Android Market. Cybercriminals, on the other hand, were not deterred by this tool and even released a Trojanized version. Detected as ANDROIDOS_BGSERV.A, it acts as a backdoor that gathers information from the device and sends these to a remote URL.
Cybercriminals have also created and distributed malware using the names of popular apps that are not yet available on the Android Market. Android users anticipating these games are the likely victims of this ruse. A recent example is a fake version of Temple Run we found in the Android Market.
Jailbreaking Tool for iOS Exploits Vulnerabilities
Unlike Android, iOS is limited to apps available in the iTunes App Store. This grants iTunes complete control of the apps available to users. However, this does not guarantee that iOs is without its share of threats.
We have noted a jailbreaking tool called JailBreakMe, which poses as a tool to jailbreak Apple devices. We found that this tool exploits two separate vulnerabilities that may result in execution of arbitrary code. This tool, detected as TROJ_PIDIEF.HLA, also enables a remote user to gain unauthorized control of the affected device. Cybercriminals may use the same technique to push malware onto iOS-based device. Apple has already released security patches to address these vulnerabilities.
What makes Android Market the most targeted mobile app store?
One main reason for the Android Market's vulnerability toward threats is its openness with distributing apps and ease of enlisting as a developer. It's easy for cybercriminals to register as a developer, download apps (or create one), insert malicious code, and re-upload it to the Android Market.
Google is constantly developing and updating the Android OS, but the Android Market’s security is designed differently. The Android Market relies mainly on its community of developers and users to review and report any possible malicious or Trojanized versions of an app.
What can users do to prevent threats from entering their devices?
Maximize the security features installed on your mobile devices. Users should properly configure their smartphones location and security settings. For added protection, use the PIN (numeric) and password lock features of your smartphones. Other devices have fingerprint lock, which is also a great option, as it ensures that you are the only one who can access your smartphone.
Think before you download. Consider downloading exclusively from official app stores like the Android Market. Not all the apps are guaranteed as secure but the Android Market is still your best bet, security-wise.
Scrutinize permissions asked by apps. Based on several malicious apps we have analyzed in the past, we noted that malicious apps ask for access to a long list of information stored in your device. Requesting that much access may be a signal that it's really acting as a backdoor. Be careful in accepting requests for personal or device information. To know more about permissions, you may read our e-Guide, When Android Apps Want More Than They Need.
Treat your mobile device like your PC. Today’s smartphones act like mini-PCs. They are designed to handle multiple tasks, like web browsing. Just the same, they are also open to the same threats. Think twice before browsing the Internet via smartphones.
Invest and install an effective mobile security app. Cybercriminals are crafty. They are in constant search for security loopholes to exploit.
Are Trend Micro users protected from this threat?
Trend Micro users are protected from mobile threats via Trend Micro Mobile Security, which blocks access to malicious URLs and apps on your smartphones and tablets.
FROM THE FIELD: EXPERT INSIGHTS
"One big reason for the popularity of apps is their ease of use. Browsing the net on your mobile phone is not the same experience as doing it on a laptop. In most cases, apps are specially crafted browsers for a particular site. The key thing to remember is think before you give an app access to your data. Does a game really need your social network login details just so it can contact your friends? If you have any doubts about giving over sensitive information – just don’t do it." – Robert McArdle, Senior Security Threat Researcher
"Everyone should be concerned about installing any app on their phones. Your phone stores data, and depending on the level of which you’ve patched it, the best defense anyone has is to be aware of the sort of information you put out". - Jamz Yaneza, Threat Research Manager