Think anti-malware apps offer full protection against malware? Think again.

On Monday 18 September, Cisco’s Talos Intelligence research team revealed that hackers had successfully breached popular antivirus app, CCleaner, which boasts a monstrous two billion downloads. Users of the Avast-owned app have been urged to update their software immediately to secure their devices, with the company estimating the incident could have affected up to 2.27 million users.
So what went wrong and what can we learn from it?

The attack

The exploit was made public when security experts at Cisco discovered a concealed backdoor in the official downloads of CCleaner 5.33 and CCleaner Cloud 1.07.3191, released on August 15 this year.
The app’s developers at Piriform confirmed that the official version contained a malicious payload featuring a “Domain Generation Algorithm as well as hardcoded Command and Control functionality”. This means that a hacker, or hackers, infiltrated the official development of the software and concealed malware in it before it was launched to the public.
The security patch wasn’t released until September 12, leaving a sizeable window for the perpetrators to get their hands on valuable user data. This type of malware is usually targeted at administrator accounts within organizations – where important company information can be quickly obtained and sent back to the command and control server.
Piriform has remained relatively quiet over the implications of the breach, choosing not to discuss how the vulnerability could have been exploited. Paul Yung, VP of product, stated: “we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it”.
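A defender-side illustration of the point above, added here and not code from the original post, from Piriform or from Talos: a payload that combines a DGA with hardcoded fallback C2 tends to show up in DNS resolver logs as a burst of failed lookups for random-looking names from one client. The log sample below is constructed (not real CCleaner traffic) and the entropy, length and digit-ratio thresholds are assumed values, not published ones.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real CCleaner traffic):
# timestamp  client-ip  queried-name  response-code
SAMPLE_DNS_LOG = """\
2017-08-20T10:01:02Z 10.0.0.12 www.example.com NOERROR
2017-08-20T10:01:05Z 10.0.0.12 k7x2q9zv4n8p.com NXDOMAIN
2017-08-20T10:01:05Z 10.0.0.12 w3r8ty0pln5m.com NXDOMAIN
2017-08-20T10:01:06Z 10.0.0.12 q0c4hz9xu2vb.com NXDOMAIN
2017-08-20T10:01:07Z 10.0.0.12 mail.example.com NOERROR
2017-08-20T10:01:09Z 10.0.0.7 static.cdn-example.net NOERROR
2017-08-20T10:01:10Z 10.0.0.7 updates.example.org NOERROR
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; algorithmically generated labels tend to score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(name: str) -> str:
    """Label left of the TLD, e.g. 'example' in 'www.example.com'.
    Assumes single-label TLDs; production code would consult a public-suffix list."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(name: str, entropy_threshold: float = 3.5, min_len: int = 10) -> bool:
    """Heuristic only: a long label with high entropy or many digits. Thresholds are assumed."""
    label = second_level_label(name)
    digit_ratio = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    high_entropy = shannon_entropy(label) >= entropy_threshold
    return len(label) >= min_len and (high_entropy or digit_ratio >= 0.3)

def suspicious_clients(log_text: str, min_hits: int = 3) -> dict:
    """Map client -> flagged names for clients with >= min_hits NXDOMAIN lookups of DGA-like names.
    Repeated failures are the tell: a DGA client keeps trying until a registered domain answers."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(name):
            hits[client].append(name)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}
```

On the sample, only 10.0.0.12 is reported, with its three failed random-looking lookups; the hyphenated but legitimate cdn-example label stays below the entropy threshold.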

Preying on security

It’s not the first time security apps have been targeted. Back in March, researchers at the Israeli cybersecurity firm Cybellum discovered a “DoubleAgent attack” that took advantage of Microsoft Application Verifier. MAV is a widely used security tool, that assists in finding subtle programming errors which are difficult to identify with normal application testing.
Hackers have historically avoided security software for obvious reasons. However, the extensive scanning permissions they are granted make them an increasingly appealing target. Once installed onto the device, the software acts as the perfect middle agent as it doesn’t need to be controlled. The attacker can compromise the software and let it seamlessly run in the background, as that’s what it’s designed to do.
It’s a double whammy. The user feels safe in knowing they’ve taken the appropriate measures to protect their device, while the hacker is able to conceal their work within a reputable source without raising suspicion.
Although the CCleaner incident is reportedly confined to the 32-bit version of the software, we are seeing more instances of security apps being compromised on mobile. Check Point’s mobile threat team recently discovered that a free antivirus developed by the DU group has been collecting user data without the device owner’s consent. Google Play figures show that over 10 million people have downloaded the app in question, raising valid cause for concern.

The solution

So if antivirus isn’t the answer, how can you secure your device? Quite the conundrum, we hear you. You’ve installed the software to protect and prevent against attacks, but instead you’ve opened the floodgates. What you need is a more robust method of identifying and blocking potential threats.
With gateway infrastructure, Wandera is the only technology that can detect and intercept malware before it reaches the device. The intuitive technology uses cloud intelligence from millions of scanned devices to surface new threats and flag unusual activity. Malicious apps can then be scrutinized in real time, providing zero-day threat detection that you can rely on. If a vulnerability is detected within an application, you can disable the software across a fleet of devices to secure your data within seconds. Simple.