It seems there are endless ways in which your mobile device can be attacked. With scary mental images of devious hackers chipping away at our mobile device’s security, it’s easy to forget that the most common way for a device to be compromised is through careless action by the end-user. One such action is to sideload risky applications to the device.
What is sideloading?
Sideloading, in the context of mobile security, is the process of adding an application that has not been approved by the developer of the device’s operating system. All applications on the App Store or Google Play Store have been vetted by the respective organizations. Although there have been instances of malicious apps found in both the App and Play stores (more often the Google Play Store), official app stores act as an additional filter, blocking the vast majority of malicious apps from reaching the end-user.
Sideloading allows access to apps that are unavailable in official app stores for any of a number of reasons. Apps from other sources may not be screened for security and might have malicious intent, but often users will install them to their device, opening themselves up to threats. In the case of Apple devices, this often (though not always) requires the device to be jailbroken.
What is the difference between jailbreaking, rooting and sideloading?
The term ‘jailbreaking’ can apply to any kind of mobile device, but generally refers to Apple devices. Apple maintains a high level of device security by restricting all devices to only allow apps downloaded from its official App Store. Jailbreaking is a method of circumventing this by increasing user permissions on the device. Users can still access all the normal functions of the device, but are able to install applications from sources other than the App Store.
Google does not lock down the Android OS as much as Apple – while the default configuration does not allow sideloaded apps, it is possible to change a setting to allow apps from third-party sources. Our research shows that around 20% of devices have this setting enabled. This method seems less risky than jailbreaking, but opens up the device to threats in exactly the same way.
Rooting is often confused as the Android version of jailbreaking. While rooting is similar to jailbreaking in the sense that they are both privilege escalation, rooting provides a great deal more freedom to Android users. So-called because it provides root access to the device, rooting allows much greater, superuser privileges, so users can make drastic changes – up to and including changing the device’s operating system.
What apps are my employees sideloading?
Our research shows that there are a great variety of apps sideloaded onto corporate devices, but we were able to categorize the top five most commonly sideloaded apps:
1. Custom-built business apps
Custom-built apps offer significant benefits for organizations by allowing IT to tailor-make applications to meet the specific use cases of various departments in the business. For example, one of our customers built and deployed a custom app so care staff could update patient records and order prescriptions from the bedside, minimizing admin and increasing time spent with patients.
In order to deploy custom apps, companies usually need to bypass the official app stores since they don’t want to make their apps widely available to the public due to the sensitive information they carry. For example, an employee directory HR app contains personal information about staff, and internal company news apps contain sensitive corporate information. It’s understandable why IT would want to find another way of making these apps available to their users without adding complexity by adding user authorization.
What’s the risk?
Sideloading apps is typically a dangerous practice but in this case, it’s a common practice and the preferred method of distribution. An organization can guarantee that the app in question has been designed without malicious intent and can conform to the desired levels of security. If the organization jailbroke the devices to allow the app, risky apps could be downloaded and installed, so other methods are more likely to be used. Either by pre-installing the certificate profile which the custom app is signed, or by using an Enterprise Mobility Management (EMM) tool.
Companies that have custom apps often outsource the development to third parties. The issue with these third-party developers is they don’t enforce a robust vetting workflow to catch performance issues and security issues like insecure network connections for example. Wandera recently discovered a company’s custom-built HR training application that did not protect the usernames and passwords of users logging in which were the same credentials they used to log in to their corporate email accounts.
One more thing to consider – these custom-built apps will be optimized for the existing operating system, so when Apple or Android roll out an OS update, some of the app functionality might break. This is why using a service to control the roll out of OS updates is helpful in ensuring custom apps continue to work optimally.
Risk – 1/5
2. Third-party app stores
The Apple App Store for iOS and the Google Play Store for Android are the two largest distribution channels for mobile apps. But there’s a big bad world of third party app stores and apps that exist outside of these two major players. In fact, there are more than 300 app stores worldwide and that number continues to grow.
According to our data, one of the most popular third party apps for corporate iOS devices is Tutuapp, originally a Chinese app store that released an English version in 2017. Tutuapp is known for hosting modified or hacked versions of popular games, including a version of Pokemon Go in which the player does not need to move to find and catch Pokemon. The apps hosted on Tutuapp are not heavily vetted in the same way as those on Google Play and the App Store.
On Android, installation of third-party app stores is not as common because a user can simply visit the app’s website and download it straight from the browser, as long as the setting has been switched on to allow downloads from unknown sources.
Still, these are the two most popular third party app stores from which Android users sideload:
- Amazon Appstore
Amazon approves all apps before publishing them on the store, in much the same way as Apple – suggesting that the Amazon Appstore itself is relatively secure. Aptoide, on the other hand, is less reliable.
Aptoide does have a virus scanning function (signified by a shield symbol by the app icon), but will still publish apps that have not been scanned, opening up customers to potential threats. While there is no indication that the Aptoide app itself contains any malware, the apps it offers could pose a threat.
What’s the risk?
While the majority of third-party app store apps themselves may be free from malware and relatively safe, the behaviors that they enable are far more of a threat. It can be safely assumed that anyone sideloading a third-party app store is planning on installing one or more apps hosted by them. As the majority of these app stores don’t enforce rigorous security vetting of the apps they offer, this can make any device on which they have been installed particularly vulnerable to threats.
Risk – 5/5
After custom-built apps and third-party app stores, the most common reason for sideloading apps is the installation of games that are not available on the official app stores. According to our data, 10 percent of employees game on their corporate devices on a daily basis.
The most notable example of a popular game that needs to be sideloaded is Fortnite for Android. When Epic Games made the decision to bypass the Google Play store and offer the highly anticipated game only via its own website, we (and other security experts) were quick to communicate the risks, which include the normalization of risky configuration, the distribution of spoof Fortnite games and Fortnite-based phishing attacks.
Shortly afterwards, Google’s security team discovered a vulnerability in the Fortnite Installer. This could be exploited by other apps on the device to hijack the request to download Fortnite from Epic Games to secretly download anything else, including malware or spyware. To Epic’s credit, the vulnerability was patched quickly.
What’s the risk?
Employers may feel that installing games on corporate devices is damaging enough to productivity. However, the potential threat that comes with sideloaded games is substantial. Without the extra security layer of Apple’s or Google’s app screening, vulnerabilities and malicious content can go undetected, exposing the device to a multitude of threats. Even a major game publisher, Epic Games, was unable to guarantee the safety of their flagship mobile release – and with ‘early releases’, modded versions and false ‘guides’, gaming is a ripe target for those with malicious intent.
Risk – 4/5
4. “Free” movie viewers
As data transfer speeds and mobile internet coverage have increased in the past few years, so has the use of mobile devices for streaming films and TV. It is common for mobile users to stream films entirely on their devices, and so the number of apps to provide content has risen.
Alongside legitimate services, like Netflix or Amazon Prime Video (an app that used to be regularly sideloaded, until it was added to the Google Play Store in 2017), a number of applications that offer free movie viewing are regularly sideloaded to corporate devices. The most popular of these for iOS are MovieBox and CotoMovies (formerly Bobby Movie or Bobby HD), with 50% of companies having at least one of the two apps installed. CotoMovies is an example of a sideloaded app that doesn’t require the iPhone to be jailbroken – but the user needs to change the profile settings on the device, which can make it particularly vulnerable to attack.
Unfortunately, there are a number of issues with these apps – foremost among them is that these apps are illegally pirating the films that they advertise. Apps approved by Apple or Google do not allow any illegal activity, but with sideloaded apps there is no guarantee.
Video streaming is particularly data intensive, which could lead to potential data overage charges if not monitored. This is a danger with all streaming apps including legitimate ones. However, some illicit streaming apps can bring another data problem. Moviebox is a peer-to-peer service, which means that while a user is downloading a file, they’ll be uploading it as well – likely without knowing it.
What’s the risk?
Free movie viewers have a number of issues at first glance. They are definitely risky from a mobile security point of view, but also present difficulties for data usage and productivity. Even worse, using them to watch films is participating in piracy – not exactly the kind of thing you want happening on a corporate device.
Risk – 3/5
5. The Cryptocurrency market
In the past few years, cryptocurrencies like bitcoin have taken off. With people becoming millionaires practically overnight, everyone is searching for the next success. This has created a market primed for abuse – not least because of the mercurial nature of cryptocurrency and how it is traded.
There are a substantial number of cryptocurrency trading apps in existence, and they make up the fifth most common category of app that is sideloaded to devices. The most common cryptocurrency app sideloaded to iOS devices is Binance.
Unverified financial trading apps are incredibly valuable targets for malicious actors – there is a great deal of financial information being transferred, and there is the potential for substantial gain (and substantial personal loss for a careless user). Threats for these apps can take the form of vulnerabilities that are missed by negligent developers or fake versions of the app that will steal all information entered therein.
Another app that raises suspicion is Kucoin. It is on the Google Play Store, but not the App Store. For iOS, it can be sideloaded but requires a profile to be installed, and was created by “Meridian Medical Network Corp.” – unusual requests like this can often be a warning sign. There has also been at least one instance of a fake Kucoin app being created.
What’s the risk?
As with all the other most common categories of sideloaded apps, there is an inherent risk due to there being a lack of oversight on the security of the individual apps. Any accidental exploits will be hunted down and exposed, and there will be deliberately malicious apps out there that the incautious user may install putting them at risk of personal financial damage.
Risk – 2/5 for the organization – 4/5 for the end-user of the app
We have covered just the top five most common types of sideloaded apps – there are plenty of others that users may install to get extra access to their device, or to circumvent policy that Google and Apple uphold in their respective app stores. Rooting aids, adult content, even pdf readers have been shown to contain malicious content, and when sideloaded, there is very little guarantee that an app is safe. It all reinforces the point that proper oversight and visibility is vital to ensure full mobile security.
What can I do?
Firstly we have collected all the AppIDs of the apps mentioned in this article (found at the bottom of this page), so you can keep an eye out for them on your devices – you should be able to view all installed AppIDs if you use an EMM solution.
Secondly, you should consider investing in a security solution that can continually monitor and block emerging threats across your fleet, wherever they may be triggered on the device. With regards to sideloaded apps, you should be looking for a solution that will flag dangerous settings on the device (such as allowing downloads from unknown sources or being jailbroken), allow blacklisting of apps you’ve highlighted as undesirable, and notify you of applications that display dangerous activity like exfiltration of data.
If you’d like to learn more about protecting your organization’s from mobile threats, get in touch with one of our mobility experts today.
3rd Party App Stores
iOS: com.tutuapp.tutuapphwenterprise, com.wjxhw.yhyy
Free Film Apps
iOS: com.sull.videofun, com.vshare.move, com.tweakbox.moviebox
iOS: bobb.bcc.com, com.tweakbox.bobbymovie, bobby.bcc.movie, bobby.movie.bcc
iOS: com.binanceInternational.app, com.bijie.Binance, com.forbnbsignedinternational.app, com.NATELOOO20180329.internalApp, com.InternaluseSignbnbCloud.bnbapp, com.internalUseSign180322.app
iOS: Com.koins.nb, com.kucoin.KuCoin.App