Here at Corrata we’ve long believed that a critical step in understanding the security status of a mobile device is examining how it interacts with the network. The recent Igexin spyware scare on the Google Play Store is an excellent illustration of why this is the case, and it highlights significant drawbacks in relying on mobile app security scanning alone. It was a significant incident: 500 Play Store apps with more than 100m downloads between them were removed or replaced.
A bit of background on the incident
The case arose out of the use, by a wide variety of legitimate apps, of a third-party advertising SDK provided by the Igexin ad network. Advertising SDKs are routinely used by app developers to help monetize their apps, and the Igexin SDK had long been used without reported security incidents. Recently, however, security researchers discovered that the app was exfiltrating end user data without the knowledge of either the app developers using the SDK or the end users using the apps.
Among other things, it was identified that details from phone call logs (phone number, time, duration, etc.) were being sent to the Igexin servers. Popular games, weather apps, and other apps were impacted. Google’s response was to remove the affected apps from the Play Store pending the replacement of the library with a legitimate alternative.
How could this happen?
Google vets all apps submitted to the Play Store and uses sophisticated tools to scan the code for illegitimate practices. The Igexin SDK got around this control by waiting until the app was installed on the user device to initiate the download of the malicious code. It was this additional code which was responsible for illegally collecting end user data and transmitting it to the Igexin server.
How then was the issue discovered?
It was found by examining the network traffic of phones which had the app installed. Destination servers and IP addresses which had been implicated in other cyber security incidents were identified, and it was this that alerted the researchers that something untoward was going on. Once this traffic pattern had been identified, it was a relatively simple step to pinpoint the apps which had the malicious plugins incorporated. App scanning techniques failed to detect the privacy vulnerability because the malicious code was not present in the app when it was initially downloaded.
This case brought to mind another notorious spyware case related to a firmware update program running on phones made by Chinese manufacturer BLU.
In this case, a program ostensibly designed to keep the phone’s firmware updated was also being used to exfiltrate personal data such as phone number, location data, the content of text messages, calls made, and applications installed and used. Again, this spyware was discovered by an examination of the traffic coming from the device. It could not have been uncovered by app scanning, as the code was not an app but part of the firmware.
Mind the traffic
A mobile phone can be compromised in a range of ways: a flaw in the underlying operating system, malicious software running outside of the operating system, a malicious app, or a legitimate app running malicious code. The power of analyzing the network traffic is that it contains clues that can help to indicate a compromise, whichever of these routes was taken.
In an environment where information security professionals have little visibility of what’s happening on the device, knowing where and with whom it’s communicating is invaluable. For mobile threat defense to be effective, you need to examine the traffic. As we say at Corrata, “It’s the traffic, stupid”.
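The detection approach described above (matching a device’s outbound connections against destinations already implicated in other incidents, then attributing the hits back to the app that made them) can be illustrated with a small script. This is an added example, not Corrata’s code or tooling; the per-app connection log format, the app package names, and every host and IP value are constructed placeholders (RFC 5737 documentation addresses and .example domains), not real indicators.

```python
"""Flag mobile apps whose network traffic reaches known-bad destinations.

Added example (not Corrata's code). Assumes a per-app connection log in a
simple CSV form: timestamp,app_package,dest_host,dest_ip,bytes_out.
All log lines and indicator values below are constructed placeholders
(RFC 5737 documentation addresses, .example domains), not real IoCs.
"""
import csv
import io
from collections import defaultdict

# Constructed threat-intel list: destinations seen in earlier incidents.
KNOWN_BAD_HOSTS = {"telemetry.ads-placeholder.example"}
KNOWN_BAD_IPS = {"203.0.113.57"}

# Constructed device log: several apps, one bundling a suspect ad SDK.
SAMPLE_LOG = """\
2017-08-21T09:00:01Z,com.example.weather,api.weather.example,198.51.100.10,820
2017-08-21T09:00:05Z,com.example.weather,telemetry.ads-placeholder.example,203.0.113.57,4096
2017-08-21T09:01:12Z,com.example.game,cdn.game.example,198.51.100.22,120000
2017-08-21T09:02:40Z,com.example.game,203.0.113.57,203.0.113.57,3072
2017-08-21T09:03:00Z,com.example.notes,sync.notes.example,198.51.100.30,512
"""


def flag_apps(log_text, bad_hosts=KNOWN_BAD_HOSTS, bad_ips=KNOWN_BAD_IPS):
    """Return {app_package: [(dest_host, dest_ip, bytes_out), ...]} for every
    app whose traffic matched an indicator. Matching on host OR IP catches a
    client that connects by raw IP or rotates hostnames behind one server.
    """
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than abort the sweep
        _ts, app, host, ip, out = row
        if host in bad_hosts or ip in bad_ips:
            hits[app].append((host, ip, int(out)))
    return dict(hits)


def exfil_summary(hits):
    """Total bytes each flagged app sent to indicator destinations."""
    return {app: sum(b for _, _, b in rows) for app, rows in hits.items()}


if __name__ == "__main__":
    flagged = flag_apps(SAMPLE_LOG)
    for app, total in sorted(exfil_summary(flagged).items()):
        print(f"{app}: {total} bytes to known-bad destinations")
```

Because the match is made on the traffic rather than on the app package, an app whose malicious component was fetched only after installation is still attributed correctly.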