Anyone who reads tech blogs or follows the latest industry news on social media will know that one of the most significant cyber-threats facing organizations today is mobile malware. On almost a daily basis we are bombarded with articles and news reports detailing the latest malware strains making the rounds or the malicious apps gaining access to the app stores. So what can we do?
Defending against these attacks starts with understanding how they work. The two categories of malware, Social Engineering and Advanced Mobile Malware, are very different but equally dangerous and deserving of our attention. So let’s start with social engineering – what is it and how can we defend against it?
What is social engineering?
Social engineering is the manipulation of, or taking advantage of, human qualities to serve the purpose of a malicious actor. In the context of cybersecurity, it is the term used to describe the broad range of malicious activities that use psychological manipulation to trick users into making security mistakes, usually by preying on human emotions. The most commonly targeted psychological traits are carelessness, curiosity, fear, desire and ignorance. Generally, attacks like these occur when users believe they are downloading or accessing a legitimate service, when in fact they are being tricked into installing malware on their device or disclosing sensitive information that can lead to further attacks.
What makes social engineering especially dangerous is the fact that it relies on human error rather than vulnerabilities in software or device operating systems. Mistakes and lapses of judgement made by users are much less predictable and harder to prevent than software-based intrusions and therefore can present some of the biggest risks to organizational security. According to InfoSecurity magazine, the FBI recorded 40,203 cases of social engineering attacks around the world between 2013 and 2016, resulting in total exposed losses of over $5 billion. So let’s have a look at some examples of how malicious mobile apps use social engineering techniques.
Abusing accessibility features
One of the most sophisticated forms of social engineering in recent years is the ‘clickjacking’ of device accessibility features. Accessibility Services are features built into Android to make devices running the mobile OS easier to use for people with disabilities: for example, APIs that let developers write apps for users who cannot see the screen or who have limited hand movement. Unfortunately, however, these features can also be abused by attackers. Ordinarily, data within mobile apps is protected by sandboxing, a mechanism that prevents one app from accessing the content of another, but an app with Accessibility Services access can circumvent this, allowing it to read content in and perform actions on other apps. Once users have granted an app accessibility permissions, attackers can use a technique called ‘clickjacking’: overlaying one application on top of another so that the user’s taps are passed through and used without their knowledge.
For example, a user downloads a legitimate-looking gaming app from an app store or a third-party source. When installing the game, the user is asked to grant it permission to “draw over other apps”, a request that should not seem too suspicious as it is common to legitimate apps such as Facebook Messenger. Then, without the user’s knowledge or consent, as they tap on the character moving around the screen in the game, the taps are passed through to the device settings, which grants the game access to the Accessibility Services. Once plugged into these accessibility capabilities, the malware in the game is able to do pretty much anything the owner of the phone can do, including perform banking functions, write or read emails, and create and read documents.
Earlier this year, it was discovered that several apps available in the Google Play Store that appeared to be regular “call blocker” apps had been updated with malware code that, once installed, used the ‘clickjacking’ technique to gain access to an estimated 10,000 users’ online banking apps.
Screenshot of Accessibility Services on an Android smartphone (Source: Google Codelabs)
Another form of social engineering involves enticing users to download and install a seemingly benign app that then sends premium SMS messages or tries to sign users up to premium subscription services (also known as toll fraud) without their consent. Often these apps also disguise their malicious activity by hiding disclosure agreements or the SMS messages from the mobile operator that notify the user of charges or confirm subscriptions. This means that a user could have the app on their phone and be charged for a long time without ever realizing the huge bills they are accumulating.
For example, at the beginning of the year it was discovered that one of the world’s most downloaded weather apps had been collecting an unusual amount of data from smartphones and attempting to subscribe users to paid services without their permission. Developed by Chinese company TCL Communication Technology Holdings, the app “Weather Forecast – World Weather Accurate Radar” appeared to be a legitimate weather prediction app and was downloaded more than 10 million times, ranking among the top five weather apps in over 30 countries. However, security researchers Upstream Systems discovered that the app had attempted to subscribe more than 100,000 users to paid virtual-reality services and would have accumulated bills of more than $1.5 million had the attempts not been blocked.
Adware is software designed to hide on devices and serve advertisements, and it is also one of the most common forms of malware pushed to mobile devices via social engineering. Adware generates revenue for its developers by automatically displaying online advertisements and encouraging users to click on links to malicious or unsavory websites. Some adware has also been found to track user activity in order to tailor ad content and target users based on their interests and browsing habits.
In early 2019 several ‘beauty camera apps’ were discovered on the Google Play Store that were capable of contacting remote ad configuration servers that could be used for malicious purposes. This allowed the apps to push full-screen ads to users when they unlocked their devices, including ads with fraudulent content and pornography that, if clicked, redirected to phishing websites, malicious downloads and fake competition pages. None of the apps behaved unusually or gave any indication that they were the source of the ads, and many users would not suspect anything was amiss until they tried to delete the app and noticed that it had hidden its icon, making it extremely difficult to uninstall.
Malicious ‘Beauty camera’ apps on the Google Play Store (Source: Trend Micro)
Credential stealing is one of the most common consequences of social engineering attacks on mobile devices. Mobile has become our primary means of communication and therefore a valuable avenue for accessing sensitive files and data, both personal and corporate. Dozens of apps have been discovered masquerading as legitimate fitness, beauty, lifestyle and gaming apps while containing adware designed to trick users into giving up the credentials that protect this data.
Just last week a gaming app named “Scary Granny ZOMBY Mod: The Horror Game 2019”, with over 50,000 installs, was discovered to be launching persistent full-screen ads on users’ phones and requesting that they input their login credentials. The game is fully functional but, once installed, asks for permission to launch itself after the device is restarted. This allows it to show full-screen phishing overlays even after the user reboots their device, presenting an extremely convincing-looking login page for trusted brands like Google, Amazon, Facebook or Instagram and prompting users to input their credentials. After successfully stealing the victim’s credentials, the app can then start collecting account information such as email addresses, phone numbers, verification codes, birth dates and account cookies. All the while the user is unaware and continues playing the zombie horror game as usual.
One of the credential phishing pages that appears for players of the “Scary Granny ZOMBY” game
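The traits described in the sections above all leave marks in an app’s AndroidManifest.xml: the “draw over other apps” permission and a bound accessibility service (the clickjacking pattern), SEND_SMS and RECEIVE_SMS (premium-SMS toll fraud and hiding the operator’s confirmation messages), and a BOOT_COMPLETED receiver (re-showing phishing overlays after a reboot, as in the “Scary Granny ZOMBY” case). The script below is an added example of a static triage check that looks for these combinations; it is not Corrata’s code. The permission, action and namespace strings are real Android identifiers; the two manifests, the package names and the function names are constructed for the demonstration.

```python
"""Static manifest triage for the traits discussed on this page (added
example, not Corrata's code). Both manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android identifiers used by the checks.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"          # "draw over other apps"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def _a(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def extract_traits(manifest_xml):
    """Parse a manifest string and return the capability flags used by triage()."""
    root = ET.fromstring(manifest_xml)
    perms = {_a(e, "name") for e in root.iter("uses-permission")}
    # An accessibility service is bound under BIND_ACCESSIBILITY_SERVICE and
    # advertises the AccessibilityService intent action; accept either sign.
    a11y = any(
        _a(s, "permission") == A11Y_BIND
        or any(_a(x, "name") == A11Y_ACTION for x in s.iter("action"))
        for s in root.iter("service")
    )
    # Boot persistence needs both the permission and a receiver for the action.
    boot = BOOT_PERM in perms and any(
        _a(x, "name") == BOOT_ACTION
        for r in root.iter("receiver") for x in r.iter("action")
    )
    return {
        "package": root.get("package"),
        "overlay": OVERLAY in perms,
        "accessibility_service": a11y,
        "send_sms": SEND_SMS in perms,
        "receive_sms": RECEIVE_SMS in perms,
        "boot_receiver": boot,
    }


def triage(manifest_xml):
    """Map the extracted traits to findings a reviewer should look at."""
    t = extract_traits(manifest_xml)
    findings = []
    if t["overlay"] and t["accessibility_service"]:
        findings.append("overlay + accessibility service: clickjacking pattern")
    elif t["accessibility_service"]:
        findings.append("accessibility service: can read and act on other apps")
    if t["send_sms"]:
        findings.append("SEND_SMS: can send premium-rate messages")
        if t["receive_sms"]:
            findings.append("RECEIVE_SMS: can also intercept operator confirmations")
    if t["boot_receiver"]:
        findings.append("BOOT_COMPLETED receiver: restarts after reboot")
    return findings


# Constructed manifest of a "game" that combines all three traits.
SUSPICIOUS_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.zombygame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Game">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app with no risky capabilities.
BENIGN_NOTES = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_GAME, BENIGN_NOTES):
        print(extract_traits(manifest)["package"], triage(manifest) or ["no findings"])
```

Two caveats for anyone using a check like this in practice. The overlay and accessibility permissions are only dangerous once the user actually grants them at runtime, so a manifest hit is a lead for review rather than proof of malice, and legitimate apps (screen readers, password managers, chat heads) declare the same identifiers. Conversely, some behaviours on this page leave no static trace at all: hiding the launcher icon, as the beauty camera apps did, is done at runtime, so it has to be caught by behavioural monitoring rather than by reading the manifest.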
How do we avoid social engineering attacks?
The main aim of social engineering is to take advantage of users and manipulate them into infecting their device with malware. It is such a popular tactic because it is often much easier to exploit users’ weaknesses and convince them to download an innocent-looking app than it is to find a network or software vulnerability to attack. In 2018 it was reported that human error is responsible for 95% of cyber-crime events and it is clear that employees themselves pose one of the greatest risks to the enterprise. However, security awareness training can go a long way towards preventing social engineering attacks – if people know the forms that attacks are likely to take they will be less likely to become victims. Avoiding clicking links and downloads from suspicious sources or pop-ups, double checking apps and user reviews, and being wary of tempting offers that seem too good to be true can all be extremely effective in reducing the risk of falling victim to a social engineering attack.
However, as these attacks become more sophisticated, more convincing and therefore harder to recognize, human error is inevitable and even harder to predict. This is where external mobile threat protection solutions become essential. Solutions like Corrata Security and Control can use machine learning to monitor device traffic and detect and block malware attacks in real time. This means that even if an employee is fooled by an app posing as the latest horror game or photo-editing tool, or by a convincing pop-up ad offering the chance to win an iPhone X, and clicks on a malicious link, they will instantly be blocked from accessing the site, protecting their device and the data it holds.
Check back next week for our profile on Advanced Mobile Malware – how it works and what you can do to avoid it!
To find out more about how Corrata’s solution could help protect your organization’s mobile devices from malware and social engineering attacks, visit www.corrata.com or email us at firstname.lastname@example.org.