Trend Two

All mobile malware has a purpose, it’s just not always clear

Mobile malware is a widely known, high-priority security concern for organizations around the globe. When thinking about mobile malware, it’s important to remember that malicious apps come in all shapes and sizes, and there is a lot that must be considered when assessing the riskiness of apps. If your limited definition of malware is ‘software that steals your data,’ then you might be missing the point. Malware developers are redefining their craft to evade detection, disrupt productivity, open back doors and, of course, steal data.

Evading detection

Apps with blatantly obvious malware embedded will rarely make it past the basic app store review process. However, apps that can disguise and layer malicious functionality are much more successful at making it onto the stores and into broader distribution.

Seven dropper malware apps designed to pull down adware APKs from a GitHub repository were found on the Google Play Store. This essentially opens a backdoor on the device for any new application functionality to be installed. The droppers were cleverly crafted to evade detection — the apps waited before sending the request to GitHub and the embedded GitHub URL was obfuscated to prevent the URL string from being flagged by any human analysis or app store security checks. Because the adware APKs could self-execute without user interaction, and because the video ads required manual dismissal, this adware could seriously impact device battery life and data consumption.

Blocking productivity

Data theft is perceived as the most damaging implication of a malware infection. But this doesn’t mean that other types of risky behavior should be discounted as low-severity threats. A denial of service attack can occur when a user’s device is flooded by persistent ads. For certain industries, like transportation and healthcare, having a device suddenly taken offline by malware can be devastating. Intrusive out-of-app ads interrupt users in the middle of their workflows, brick their devices, and drain their devices’ batteries. In some cases, when the adware is difficult to remove, infected devices need to be replaced altogether.

Two selfie camera apps infected with adware were found on the Google Play Store with a combined 1.5M+ downloads. Once installed, the app icons were visible in the app drawer. But when the apps were opened, they created a shortcut and then removed themselves from the app drawer. Even after the shortcuts were uninstalled, the apps stayed active and could be seen running in the background.

Malicious cryptojacking has a similar impact on user productivity, but it presents a more significant risk than adware. Cryptojacking malware doesn’t typically steal data or lock a user out, but it can render a device unusable by slowing the processor down and draining the battery. We delve deeper into cryptojacking in the next section.

Stealing data

The obvious aim of malware is to steal data. But having this functionality embedded in an app makes it more likely to be detected by app store security checks. However, apps are getting better at stealing data covertly, usually via social engineering techniques like phishing.

A horror gaming app with layers of malicious functionality was found on the Google Play Store with over 50,000 installs. Once installed, the app triggered a persistent, adware-style Google-themed phishing attack on the victim’s device. If the app was successful in capturing the victim’s Google credentials, it would log in and scrape more PII from the victim’s Google account and, silently in the background, send it to a server.

Recommendations for dealing with malware

The best way to protect your entire mobile fleet from malware is to have a security solution that continuously monitors for suspicious application behavior and characteristics present on the device while also monitoring for command-and-control communication and data exfiltration at the network level. As we have seen in the above examples, many bad apps go undetected because app store security checks do not dynamically test applications and their related network activity. The most successful malware attacks are layered, so a layered approach to security — addressing both the endpoint and the network — is required. Additionally, the best solutions for malware detection are powered by machine learning engines that enable the identification of unknown threats, rather than relying on signature-based techniques that only address known threats.