Imagine that your preferred shopping or banking apps, ones you’ve used and trusted for years, are stealing your banking credentials or spying on your private activities, including taking over your microphone and camera.
Imagine that it also buys subscriptions without your consent and knowledge. You get charged for these subscriptions on your phone bill or from your prepaid deposit.
All this can even happen while you aren’t using the phone, even while you are sleeping.
This happens to Android users every day, but why?
Google is a trusted company with huge resources, so why isn’t it taking care of its app ecosystem, Google Play?
Do not trust an app just because it’s on the official Google Play Store.
Research has shown that relying on Google as an effective gatekeeper for the Play Store isn’t always the best idea. The company makes great efforts to find apps that are malicious or have serious security vulnerabilities, but the results are unfortunately not bulletproof. Analysts are drawing our attention to a new point of attack that can even be used against some of the most popular apps.
Most people use their smartphones without worrying about the security of the standard, well-known apps we use every day. Google routinely removes apps with malware or adware, as well as apps specifically designed to dupe you into paying for subscriptions. And most of us believe that updating our apps and mobile operating systems to the latest versions will minimize potential security holes.
It turns out this is not always the case, not even for big-name apps. According to a report by the cybersecurity company Check Point, dozens of vulnerabilities arise every day. Some lie in the apps themselves; others lie in external shared code libraries that apps use to provide certain features. Check Point’s most recent major finding concerned TikTok, an app very popular with teenagers.
Staying fully up to date with the latest security threats is a monumental task that requires time and resources. App developers at Google must therefore prioritize which problems they fix first.
Companies affected by these fraudulent methods, such as content service providers and advertisers, cannot rely on app developers fixing their issues and need to protect themselves proactively with comprehensive anti-fraud solutions.
5 billion downloads of infected apps
To produce accurate statistics, the researchers looked at how many apps in the Google Play Store currently use vulnerable libraries. They specifically searched for three vulnerabilities rated critical that had already become known in 2014, 2015 and 2016. That will not surprise the infosec community. However, the resulting list contains over 800 popular Android apps and games that have been downloaded a total of 5 billion times.
Currently among the affected apps are some that are used very frequently, such as Facebook, WeChat, Messenger, Instagram, AliExpress, TuneIn and SHAREit. The shared libraries have all been updated since the vulnerabilities were discovered, but new versions of these popular apps continue to use outdated libraries.
According to Facebook, that is not a problem: because of the way its apps are coded, those vulnerabilities are useless to potential attackers. Google is currently investigating and doing its best to push app developers to work on fixes. But again, the company wanted to flood its app store with apps under permissive policies, which ultimately led to a situation where new apps aren’t vetted properly and popular apps don’t get fixed unless there is public pressure to do so.
Check Point researchers note that even if these apps rarely call into the old libraries, that still doesn’t count as good security. The vulnerabilities selected for this analysis are probably not the only ones, and they are open to determined attackers, who are more likely to attempt to exploit a known vulnerability, which is quite easy with the latest technology.
App developers may dismiss the new findings as insignificant. But you only need to look at Google’s bug bounty programs to see why keeping track of all external components of mobile apps is worth it.
In January 2020, over 1,000 Android apps were found to collect personal information even when the user had denied all relevant permissions after installation. The apps themselves were relatively secure but used third-party libraries littered with code that could be misused for data collection.
“StrandHogg”, the latest big threat, which also concerns mobile payments
Cybersecurity researchers have discovered a new unpatched security hole in the Android operating system that is already being exploited by dozens of malicious mobile apps.
This vulnerability, called StrandHogg, stems from Android’s multitasking feature, which can be exploited by a malicious app installed on the device. The malicious app can masquerade as any other app, including Android system apps.
In other words, if a user taps the icon of a legitimate app, such as your favorite social network, messaging or shopping app, the malware that exploits the Strandhogg vulnerability can intercept and take over this task to display a fake interface to the user instead of launching the legitimate application.
The vulnerability causes users to believe that they are using a legitimate app and allows malicious apps to steal users’ credentials using fake login screens.
In their tests, researchers from the security company Promon found that all of the 500 most popular apps (as ranked by the app intelligence company 42 Matters) are vulnerable to StrandHogg.
“The vulnerability allows an attacker to masquerade as nearly any app in a highly believable manner,” the researchers said.
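A defender-side check for the task hijacking described above, added here as an example (it is not code from the post or from Promon): it parses an AndroidManifest.xml and flags activities whose effective android:taskAffinity is not the empty string, or which set android:allowTaskReparenting, the manifest settings commonly hardened against this class of hijacking. The package name and sample manifest are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace of every android:* attribute in AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android_attr(elem, name):
    """Read an android:<name> attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_task_hijacking(manifest_xml):
    """Flag activities whose effective task affinity is not the empty
    string, or which allow reparenting, so another app's activity
    could be placed into their task. Hypothetical checker."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    app_affinity = _android_attr(app, "taskAffinity") if app is not None else None
    findings = []
    for activity in root.iter("activity"):
        name = _android_attr(activity, "name") or "<unnamed>"
        affinity = _android_attr(activity, "taskAffinity")
        if affinity is None:  # inherits <application>, else the package name
            affinity = app_affinity if app_affinity is not None else package
        if affinity != "":
            findings.append((name, 'taskAffinity is "%s", expected ""' % affinity))
        if _android_attr(activity, "allowTaskReparenting") == "true":
            findings.append((name, "allowTaskReparenting=true"))
    return findings


# Constructed sample manifest (not from any real app): one hardened
# activity, one relying on defaults, one opting into reparenting.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:label="ExampleBank">
    <activity android:name=".LoginActivity" android:taskAffinity=""/>
    <activity android:name=".PaymentActivity"/>
    <activity android:name=".HelpActivity"
        android:allowTaskReparenting="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for activity, issue in audit_task_hijacking(SAMPLE_MANIFEST):
        print("%s: %s" % (activity, issue))
```

Run it against a decoded manifest (for example one produced by apktool) to list activities that still rely on the default affinity.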
The “StrandHogg” facts in short
What is the impact?
- All versions of Android are affected, incl. Android 10
- All 500 of the most popular apps are at risk
- Real malware is exploiting the vulnerability
- 36 malicious apps exploiting the vulnerability have been identified to date
- The vulnerability could be exploited without root access
What can fraudsters do with it?
- Create mobile subscriptions (combined with additional tactics)
- Make expensive premium calls
- Listen to the user through the microphone
- Look through the camera
- Read and send SMS messages
- Make and/or record phone calls
- Phish credentials
- Access all private photos and files on the device
- Access the contact list
- Access phone logs
- Get location and GPS information
How is the malware installed on the device?
The malware sample analyzed by Promon was not in Google Play, but was installed via several dropper apps / hostile downloaders that were distributed via Google Play.
The dropper apps download and install APKs from a GitHub repository. This essentially opens a back door on the device through which new application functions can be installed. In the analyzed apps, the installed APKs contained adware, a form of malware that violates Google Play Store policies.
These apps have since been removed, but despite Google’s Play Protect security suite, dropper apps continue to be released and often slip under the radar. Some are downloaded millions of times before they are discovered and deleted.
Researchers recently reported that the malicious CamScanner app, a PDF creator that contains a malicious module, has been downloaded more than 100 million times.
Remediation and Protection
The facts are worrying but there are still ways users and companies can protect themselves and their customers from these fraud attacks:
- App developers and providers of shared code libraries need to take actions and update their software.
- Considering the monumental amount of work, they must prioritize which problems they fix first. Google needs to act and close Android’s security gaps.
- End users, especially on Android, should keep their Android OS and apps up to date and use anti-virus software on their phones to protect themselves from dropper apps and sideloaded code. Apps that are not used frequently should be removed.
- Companies affected by these attacks, such as mobile carriers, payment providers and advertisers, should use robust anti-fraud software from specialized vendors.
Solving the specific problems in the mobile payment ecosystem
Companies in the mobile payment ecosystem are heavily affected by the fraud described in this article, since these attacks lead to illegitimate purchases and payments.
- Namely mobile network operators / carriers, billing aggregators, mobile content providers and their customers are affected.
- Mobile carriers’ reputations and their customers’ loyalty are especially at risk. Hacked users attribute the fraud to the carriers rather than the fraudsters, since the fraud surfaces as incorrect and inflated mobile phone bills.
- These companies need to actively protect themselves and their customers with specialized anti-fraud solutions such as Vene Overwatch from the German company Vene International.
Good anti-fraud solutions prevent malicious code from taking advantage of payment checkout processes and billing interfaces. Sophisticated mechanisms work regardless of how the malicious code works, how it infects the phone and how it is executed: they identify and block fraud specifically within the checkout process.