Mobile malware can take many different forms. Spyware, adware, ransomware, and Trojans are commonly hidden in seemingly innocent apps and communications designed to fool users, allowing attackers to take over, damage, and steal information from mobile devices. And with 42 million mobile malware attacks occurring every year, the problem only seems to be getting worse. In this two-part series, we take a look at what two of the biggest mobile operating system developers, Apple and Google, are doing in response to this growing problem and ask: is this enough?
Google and Apple’s security features
Google Play Protect (GPP) is Google’s built-in security feature for Android devices. Describing itself as “the most widely deployed mobile threat protection in the world”, GPP combines new and existing security technology to scan over 50 billion apps across 2 billion devices every day, ensuring that the official Google Play Store is free from any malicious software or “Potentially Harmful Apps” (PHAs). According to Google, all apps are rigorously analysed by security systems and Android experts before publishing to the Play Store, while all devices are regularly scanned to ensure that apps behave as they should. Any apps found to be exhibiting signs of malicious or improper behavior are promptly flagged to the user or removed from the device. In their 2018 Year in Review, Google reported an overall reduction of 15% in Android PHAs following the release of GPP, with the number of PHAs installed from inside the Google Play Store decreasing to only 0.04%.
Meanwhile, since the release of the App Store in 2008, Apple have sought to differentiate the iPhone as an impenetrable, safe device available only to content that has been approved in accordance with the company’s strict policies and standards. Apple state that they “review all apps and app updates submitted to the App Store in an effort to determine whether they are reliable, perform as expected, and are free of offensive material”. Apps are examined under strict technical, content, and design criteria including performance, functionality, permissions required, description accuracy, and user interface to determine whether apps are legitimate and safe for iOS users.
Google’s protection not what it seems
Despite Google’s positive findings in their 2018 Year in Review, we continue to see reports of fraudulent or malicious apps discovered on the Google Play Store. In March, a Motherboard investigation found more than 20 Android apps available in the Play Store that were advertised as offering promotions from cell phone providers but actually installed malware to steal data and leave devices vulnerable to additional hacking. Similarly, Trend Micro recently discovered several supposed ‘beauty camera’ apps redirecting users to pornographic content and phishing websites while also collecting private data from the device. One of the highest-profile of these discoveries occurred in 2018, when 12 apps on the Google Play Store designed to look like race-car driving games were discovered being used to install malware with full access to device network traffic. The apps had been downloaded by more than half a million Android users, with two even trending on the Play Store, before the discovery was made, further highlighting the limits of Google Play Protect’s security capabilities.
Screenshots of the malicious beauty camera apps on Google Play
Source: Trend Micro
iOS apps misbehaving
Despite its image as a secure and trustworthy source for apps and content, the Apple App Store has also fallen victim to potentially malicious apps evading its vetting standards. In January 2019, researchers discovered more than a dozen iPhone apps covertly communicating with the same command and control server previously used by known Android malware. ‘Goldluck’ was a strain of mobile malware previously known to infect classic and retro games on the Google Play Store, affecting over 10 million Android users. By embedding backdoor code into the device, Goldluck allowed hackers to access high-level device privileges and run malicious commands like sending premium SMS messages without the victim’s knowledge. Last year researchers were surprised to discover 14 iOS ‘retro game’ apps (that made it through Apple’s strict vetting process) communicating with the same server used by the Goldluck malware, a historically Android-focused threat. Although found to be mainly benign, the communications did present some evidence of sending IP address information and user location data back to the server. While the apps themselves were not technically compromised and did not contain any malicious code, the link to this server presented a serious risk of data exposure and highlighted the potential for hackers to gain access to iOS devices via seemingly innocent apps from the App Store.
Some of the game apps on the App Store found communicating with the Goldluck server
So despite their efforts to ensure the legitimacy of the content and the behavior of apps on their official app stores, Apple and Google’s security processes have repeatedly proven to be flawed and unreliable, leaving users potentially vulnerable to malicious or untrustworthy apps.
Click here for Part 2 of our two-part series, where we will examine other ways in which mobile malware can circumvent these defenses, as well as the alternative measures we can take to protect ourselves and our mobile devices.