Last week, Part 1 of our two-part series outlined the current defense systems offered by Apple and Google, two of the world’s biggest mobile operating system developers, to protect devices from mobile malware. We found that despite strict content requirements and security scans, malicious and suspicious apps are still able to make their way onto the Google Play Store and Apple App Store, designed to hoodwink unsuspecting customers. However, malware is not restricted to official app store downloads; it has found a number of other routes to infection.
Circumventing the official app stores altogether
Given that Google Play and the App Store have these security features and content restrictions in place (and, despite their flaws, they do present significant obstacles for app developers), a technique has been developed to circumvent the official stores completely. As we previously reported, ‘sideloading’ is the process of downloading and installing apps onto a mobile device from a source that is not an official consumer or enterprise app store.
For Android apps, this is a relatively simple process: the user enables installation from an ‘unknown source’ and then downloads the app’s .apk file directly. Hundreds of unofficial Android apps are readily available for download using this method, both online and via third-party marketplaces such as Getjar, Mobogenie and Appbrain.
For iOS the process is a little more complicated but possible nonetheless. Just this year it was discovered that malicious app developers could pose as legitimate businesses to obtain Apple Enterprise App certificates, allowing them to validate and distribute apps independently of the official App Store. Pornography, gambling and fake versions of gaming apps developed under this program have all been discovered available for download to iOS devices and simply require users to ‘trust’ the app’s publisher before installing.
Although not used exclusively by fraudulent apps, many hackers and malicious app developers have used the process of ‘sideloading’ in order to avoid security checks and regulations. By taking advantage of users’ attempts to avoid paying for content or to overcome geographical release restrictions, sideloading provides malicious developers with the perfect vehicle to spread Trojans, spyware, adware, and click fraud malware.
Downloading an app from an unofficial app store
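One way for a defender to spot sideloaded Android apps after the fact is to check which store, if any, installed each package. The script below is an added example, not code from the article or from Corrata: it parses constructed sample output in the format of `adb shell pm list packages -i` and flags packages not attributed to a trusted store. The trusted-installer set beyond Google Play and the system-package allowlist are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the format of `adb shell pm list packages -i`
# (not a dump from a real device). 'installer=null' is what pm prints when
# no installer package was recorded, which is typical of a sideloaded APK.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.cracked.game  installer=null
package:com.example.thirdparty.app  installer=com.example.altmarket
package:com.android.settings  installer=null
package:com.example.news  installer=com.android.vending
"""

# Installer package names treated as official stores. Google Play
# (com.android.vending) is the case the article discusses; the Samsung
# Galaxy Store entry is an assumption added for this example.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Packages shipped in the system image also report installer=null but were
# never sideloaded. Constructed allowlist; on a real device derive it from
# the build's preinstalled package list.
SYSTEM_PACKAGES = {"com.android.settings"}

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package name (None when pm prints 'null')."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        pkg, installer = m.groups()
        result[pkg] = None if installer == "null" else installer
    return result


def find_sideloaded(installers: Dict[str, Optional[str]],
                    trusted=TRUSTED_INSTALLERS,
                    system=SYSTEM_PACKAGES) -> List[str]:
    """Packages not attributed to a trusted store, excluding system packages."""
    return sorted(pkg for pkg, inst in installers.items()
                  if pkg not in system and inst not in trusted)


if __name__ == "__main__":
    for pkg in find_sideloaded(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print("possible sideload:", pkg)
```

Installer attribution is recorded at install time and is only a triage signal, so anything flagged here should be confirmed by inspecting the package itself.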
Not all malware is delivered via apps
Despite all of Google and Apple’s best efforts to monitor the content and validity of their apps, the reality remains that apps are not the only platforms used by malicious actors to deliver malware to mobile devices. Given how much we now use our mobile devices for communication, it has become increasingly common for channels such as email, SMS, social media sites, and messaging services like WhatsApp to be used to distribute these threats. More and more attackers are preying on the trust we so often put in these services and using them to send links to malicious websites or downloads in the hope that someone will unwittingly click. One of the most high-profile instances of malware distribution in recent years was Trident/Pegasus, a targeted spyware attack sent via SMS that exploited three zero-day vulnerabilities, causing catastrophic data loss on iOS devices. The attacks allowed hackers to jailbreak devices and gain access to messages, calls, emails, and end-to-end encrypted apps to collect information including passwords and contact lists.
Just two weeks ago, it was discovered that a vulnerability in the audio call feature of the hugely popular messaging app WhatsApp could be used to inject Pegasus spyware into a device, regardless of whether the user answered the call or not. Described as “the most sophisticated” attack ever seen on an endpoint, the discovery of Trident/Pegasus has served as a major wake-up call and a reminder that any and all platforms have vulnerabilities, and that blind trust in companies like Google and Apple may not be enough to protect against them.
SMS messages that led to the Trident/Pegasus attack
So how can we ensure our devices are protected?
If we cannot rely on Apple and Google’s security features, what can we do to protect ourselves from the threat of mobile malware? Firstly, education and vigilance are key. Mobile device users need to be aware of the potential dangers involved in processes like sideloading, and caution should always be taken when clicking on links or downloads in messages received online. Even when we trust the source, we need to be alert to suspicious behavior or any offers that seem too good to be true.
As humans, however, it is inevitable that we will sometimes be fooled by cyber threats arriving via seemingly innocent apps or other communications. To ensure protection from all forms of mobile malware, including ransomware, spyware, and Trojans, external security is essential. Dedicated mobile security products, such as Corrata Security and Control, that block access to suspicious sources such as unofficial app stores or malicious sites, and that constantly monitor devices for evidence of malware infection, are becoming more and more necessary to prevent infection and protect our sensitive data. So if your organization is concerned about the security of its data, now is the time to consider upgrading your defenses against mobile malware as well as the other threats we face in a mobile-first world.
To find out more about how Corrata Security and Control can protect your mobile devices from the threat of malware on all platforms, visit www.corrata.com.