Not all apps are created equal and it’s crucial that end users are informed when an application has a vulnerability that puts it at risk of being exploited.

The latest application to be found leaking credentials by the Wandera security team is ‘Play Riches’: a recreational app that allows users to earn funds in exchange for playing games, completing surveys and downloading further games and apps. These payouts come in the form of Bitcoin credit, Clash of Clans gems and PayPal payments.

The data leak

Part of our mission at Wandera is to conduct real-time threat research and risk identification to help organizations protect their mobile estates and valuable corporate data. The engine at the heart of our intelligence is MI:RIAM.
Using a sophisticated blend of machine learning and artificial intelligence, MI:RIAM has been created to detect new threats and vulnerabilities in real-time to protect organizational data.

On July 28, 2018, MI:RIAM detected unusual activity within Wandera’s global device network. When users interacted with the Play Riches application, the authentication token was transmitted “in the clear” (unencrypted), which allows an attacker who captures it to access the user’s account without needing the password.
The application, which has been downloaded over 10,000 times, has been leaking user credentials in plain sight to anyone using the same connection. Perhaps more destructively, users are being encouraged to download applications to unlock prizes and receive larger rewards – some of which are riddled with adware.

The implications

Play Riches uses the HTTP protocol to transmit user information. This means that personally identifiable information (PII), including usernames, passwords and email addresses, is transferred over the web completely unencrypted and therefore unprotected.
Due to the online payment functionality of Play Riches, Bitcoin wallet details and payment information must also be shared with the company via the app, allowing a successful hacker to potentially transfer earnings from the application to their account.
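
The kind of check a traffic-inspection layer can apply to the leak described above, shown as an added example that is not code from Wandera or from the Play Riches app: it parses one plaintext HTTP request and reports which sensitive fields it exposes. The field-name pattern, the header set and the sample request are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Field names treated as sensitive; this list is an assumption for the example.
SENSITIVE = re.compile(r"(pass(word|wd)?|token|session|auth|email|user(name)?|wallet)", re.I)
SENSITIVE_HEADERS = {"authorization", "cookie", "x-auth-token"}

def find_cleartext_leaks(raw_request: str, scheme: str = "http") -> list[str]:
    """Return the sensitive fields exposed by one request seen on the wire."""
    if scheme != "http":          # inside TLS nothing is readable passively
        return []
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) < 3:            # not a well-formed request line
        return []
    target = parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    # 1. Credentials or tokens placed in the query string.
    for key, value in parse_qsl(urlsplit(target).query):
        if value and SENSITIVE.search(key):
            findings.append(f"query:{key}")
    # 2. Headers that carry session state or credentials.
    for name, value in headers.items():
        if name in SENSITIVE_HEADERS and value:
            findings.append(f"header:{name}")
    # 3. URL-encoded form bodies such as login or profile posts.
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for key, value in parse_qsl(body.strip()):
            if value and SENSITIVE.search(key):
                findings.append(f"body:{key}")
    return findings

# Constructed sample request; host, path and values are placeholders.
SAMPLE = (
    "POST /api/login?token=EXAMPLE-TOKEN HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: sid=EXAMPLE\r\n"
    "\r\n"
    "username=alice&password=EXAMPLE&email=alice%40example.invalid&lang=en"
)

if __name__ == "__main__":
    for item in find_cleartext_leaks(SAMPLE):
        print("cleartext:", item)
```

The same request observed as `scheme="https"` yields no findings, which is the outcome the SSL/TLS recommendation to the developers is meant to produce.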

Advice to ‘Play Riches’ users

  • To minimize risk, users should avoid using any mobile applications over public and potentially insecure Wi-Fi hotspots in order to reduce the chance of traffic interception
  • Users should not download third-party applications without scrutinizing the permissions requested by the application
  • Individuals should also avoid reusing sensitive information such as usernames and passwords for multiple applications and web services
  • Users should invest in a mobile security solution that affords total visibility into the traffic transmitted to and from a mobile device. This service should extend to browser activity as well as applications

The developers of the Play Riches app are advised to utilize SSL/TLS in order to protect the transmission of personally identifiable user information, session tokens, and other sensitive data to a backend API or web service.
To protect against critical data loss it’s imperative that individuals and enterprises have visibility into leaking applications before it’s too late. Wandera’s web gateway for mobile affords total visibility into all device traffic and therefore can flag and block risky applications in real-time.
If you’d like to learn more about securing your mobile fleet from risky applications, get in touch with one of our mobility experts today.

Responsible disclosure

Play Riches has been informed multiple times in accordance with responsible disclosure best practices. Messages have been sent that notified the developers about the nature of this vulnerability. Wandera is yet to receive a response.