Apple and Google both have a review process for apps that are to be listed in their respective app stores. Because both vendors consider the mobile application to be part of the overall platform “experience”, there are a series of checks that apps must pass in order to be approved. Generally, apps are vetted to ensure that they will perform reliably, that they won’t provide a negative user experience and that they are free of offensive material. But what about risky apps that aren’t malware?

Because these app review processes are in place, there’s a belief that all apps are safe to use and respect the privacy of the mobile user. In reality, just because an app has passed the performance checks Apple or Google put in place, it won’t necessarily pass the sniff test for security and privacy.

What makes an app risky?

Malware is traditionally defined as software designed to infiltrate and damage computers without the users’ consent. But if this is your restricted definition of malware, you might be missing something.

How do you know if an app is risky?

These are the key things that should be taken into account when vetting the security of risky apps and analyzing their risk profile.

Some further traits that aren’t definitively risky but we’d flag as suspicious are developer reputation and app reviews. If the developer has a suspect profile, and the app has a lot of negative reviews, these are good reasons to further investigate the riskiness of it.

Case study: suspicious apps on the App Store

Wandera’s Threat Research team recently discovered a number of iOS applications which communicate with the same Command & Control (C&C) server used by Golduck malware.

Golduck malware, initially reported by Appthority, infects the device with adware and may also lead to complete device compromise. The reported Golduck web server is responsible for supplying applications with the malicious payloads needed for the malware to operate on Android mobile devices.

The iOS apps discovered by Wandera are innocent-looking retro games. They are not malware themselves, but they do offer hackers access into a victim’s iOS device. The first suspicious retro game application discovered by Wandera is called Block Game. Here are the clues that gave it away.

Clue Number 1: Bad reviews, inconsistencies, and poor user experience

The suspicious application has received a number of bad reviews for its poor user experience. Users posting comments on the App Store point out several irritations such as:

  • The pause button does not save the game
  • “Annoying” background music
  • The settings button – which is partly concealed by an ad in the main menu – does not work at all
  • The only working button is the central ‘play’ button

Some developers are devious when it comes to submitting false reviews to make an app look more popular, so overall ratings shouldn’t be your only indicator.

There are also inconsistencies in the app icon and the game splash page. On the iPhone main screen the app appears to be called Block Game, but when the app is opened you can see that the name of the game is Block Puzzle.

Clue Number 2: Overzealous advertising

The Block Game constantly displays embedded advertisements within the app. App assessment reports, such as Wandera’s App Insights, reveal that the app is using ad network Google Admob to display advertisements on the device, allowing the developer to monetize the game. Admob provides ads that are displayed in the app based on certain characteristics that are shared with the framework. In this case, the pause button was triggering an advertisement each time it was pressed.

Clue Number 3: Command & Control network activity

One of the more significant indicators of riskiness cannot be seen by the game player. Wandera researchers identified regular communication between the various apps and a Golduck Command & Control server. Our security researchers discovered a secondary area being used to display ads that are not powered by Admob and instead, present content from a known malicious server.

Other than controlling the ad space, the C&C communication is gathering information from the device such as its current IP address and associated location information.

The C&C establishes what is essentially a ‘backdoor’ that a hacker could use in the future to directly communicate with the device and its user. For example, a hacker could easily use the secondary advertisement space to display a link that redirects the user and dupes them into installing a provisioning profile or a new certificate that ultimately allows for a more malicious app to be installed.

Clue Number 4: Suspect app distribution

Once the victim clicks on one of these retro game ads that were delivered by the Golduck C&C server, they get a list of additional retro game applications, which they can install (see below). Those applications also communicate with the Golduck C&C server. The developer seems to be creating multiple applications of the same nature (retro games), which display ads for other games in the portfolio. Effectively this is a way of distributing apps from untrusted sources. We discovered 14 retro game apps in total, all of which communicate with the Golduck C&C server. Here’s the list:

Clue Number 5: Suspect developer information

The developer of the app has created two other iOS applications, both of which are advertised on the top right corner of the Block Game application. One of those applications, Classic Bomber, looks similar to the Bomber Game app screenshot from the Google Play Store which Appthority reported as Golduck Malware.

At the time of research, we actually discovered Classic Bomber is still available on Google Play but with C&C functionality removed.

Interestingly, the support page of the Classic Bomber application points to another game’s support page. Most, if not all, of the support pages of those retro game applications, also point to Google sites. That’s an extra indication of the poor implementation of those games, with emphasis solely on monetization rather than user experience or gameplay.

Below is a list of developers associated with these risky apps.

Why are risky apps such an issue?

What is your corporate policy regarding risky apps? Do you allow users to download any app of their choosing? Do you restrict them to a curated set of apps that have been vetted by your security team?

If you haven’t considered these things you’re missing a key component of mobile security: app vetting. There’s a big gray area between known good apps and known bad apps. Looking for malware isn’t enough. Your employees might be subject to risks if they are freely downloading apps from the app store without any further security checks.

Here are some of the implications of having risky apps in your fleet:

  • App permissions that are excessive – Apps don’t often operate under the principle of least privilege which means they might have access to more on the device than they need to function properly
  • In-app purchases that could be fraudulent – Your employees might be handing over credit card information to malicious actors
  • Redirections via ad networks to illegal or adult content – Users might click on links that lead to pages that house content that falls outside of the company’s acceptable use policy
  • Alternative distribution of blocked third-party apps – If you’ve blocked third-party apps stores, the user might still be able to download third-party apps via in-app distribution networks
  • Sharing user data with third-parties such as advertisers – Sensitive information like office and client locations, web pages visited, purchases made, etc., might be shared with untrusted entities

The tricky thing about managing risky apps is that the vetting of individual apps installed on corporate devices simply isn’t scalable. The best way to manage the problem is to put a mobile security solution in place that includes an app vetting component. This way the software pulls information from large external and internal databases of app reputation and risk metrics to help you identify a risk score of each app in your fleet while maintaining that information dynamically as apps come and go.

What can you do?

Wandera identifies those risky apps as ‘potentially unwanted’ or for all the above reasons. What makes them so dangerous is the trust implications by association. The apps are available on the App Store and therefore the user doesn’t expect to be infected. But as we can see with this example, hackers can use a ‘backdoor’ to infect trusted apps with malicious links.  

We advise users to refrain from installing or using the listed risky apps because they still communicate with the Golduck server, therefore leaving a ‘backdoor’ for the attacker to place potentially malicious functionality.

Learn more about threat prevention

You might hear about the dangerous leaks and mobile attacks that make the news. But your organization might just be vulnerable to other threats right now.

FIND OUT MORE