The Q4 2017 Mobile Threat Landscape Report
Total Blacklisted Apps Fall, but Familiar Threats Rear Their Head
By Forrest Gueterman and Jordan Herman
RiskIQ: The Q4 2017 Mobile Threat Landscape Report
Introduction
The size, complexity, and dynamic nature of the global app store ecosystem make it increasingly difficult for brands to monitor their mobile presence and protect their customers from fraud.
RiskIQ applies its crawling platform to monitor 120+ mobile app stores around the
world while leveraging our daily scans of nearly 2 billion resources to look for mobile
apps in the wild. With a proactive, store-first scanning mentality, we observe and
categorize the threat landscape as a user would see it while visiting or attempting to
download apps. Every app we encounter is downloaded, analyzed, and stored. RiskIQ
also records changes and new versions of apps as they evolve.
The fourth quarter of 2017 showed a 37 percent decrease in blacklisted apps over
Q3 but featured a host of familiar threats such as brand imitation, phishing, and
malware—as well as new ones such as a bankbot network preying on cryptocurrency
customers. In this report, we’ll give an overview of these mobile threats, as well as
emerging trends we anticipate will be prevalent throughout 2018, to help you protect
yourself and your customers.
Running the Numbers
Blacklisted apps observed overall dropped from Q3 to Q4, with 60,904 seen in Q3 and only 38,425 seen in Q4. The drop is in large part due to AndroidAPKDescargar's massive influx of blacklisted apps in Q3 (20,907). With that store contributing only 7,419 new blacklisted apps in Q4, the result is a precipitous decline, showing the profound effect a single app store can have on the entire mobile threat landscape.
October was the Q4 month with the highest number of blacklisted apps seen, with 15,067. There was a dip in November, with only 9,587 seen, and December ended the year on an uptick, with 13,771 blacklisted apps observed. Reviewing the entirety of 2017 shows July as the busiest blacklist month, with 29,844 blacklisted apps observed. As reported in the Q3 Mobile Threat Landscape Report, this coincided with the arrival of the AndroidAPKDescargar store.
App Stores: Feral Apps Fall
Once again, the Google Play store led the way with the most blacklisted apps in Q4, with 9,375 matching against at least one blacklist such as VirusTotal, which, per its website, inspects files or web pages with over 70 antivirus products and other tools. A blacklist hit from VirusTotal means that at least one vendor has flagged the file as suspicious or malicious. Only six percent of the total apps in Google Play are blacklisted, a two percent increase from last quarter.
Fig. 1: Total number of blacklisted apps per store.
Blacklisted apps dropped from Q3 to Q4 by 22,479.
Feral apps, apps available for download on the internet outside of any store, have held court in the number two spot for most blacklisted apps observed by RiskIQ for several quarters in a row. However, with 3,507 blacklisted apps (52 percent of all feral apps observed) in Q4, they were bumped down to fourth by three other stores:
• ‘AndroidAPKDescargar’ had 7,419 blacklisted apps, comprising 41 percent of the
apps RiskIQ observed in their store.
• ‘9game.com’ had 4,083 blacklisted apps, accounting for 86 percent of the total
apps RiskIQ observed.
• ‘9apps’ had 3,644 blacklisted, 15 percent of the total apps.
Included in our blacklisted apps are a large number that were flagged for adware—14,758 in total. Of these, 11,656 were also flagged for malicious behaviors such as acting as a Trojan or spyware, leaving 3,102 apps (eight percent of all blacklisted apps) acting solely as adware. Adware may seem benign, but it is often packaged with malicious behaviors and can itself be an avenue of infection through malware-laced ads.
• In all, 1,787 Google Play apps were flagged solely as adware, making up 19 percent of Google Play's blacklisted apps, and 1,313 Google Play apps were flagged for both adware and Trojan behavior.
Fig. 2: Percentage of blacklisted apps vs total apps in store.
• One percent of blacklisted ‘AndroidAPKDescargar’ apps were flagged as adware
alone, with the other 99 percent flagged as adware and Trojans.
• Rounding out the rest, feral apps were four percent adware, 403 (17 percent)
of AppChina blacklisted apps were solely adware, Brothersoft was made up of
12 percent adware, NearmeMobile was five percent adware, and Tencent was,
coincidentally, 10 percent adware.
Fig. 3: Total number of blacklisted apps in each store for all of 2017 through Q4.
Fig. 4: Total blacklisted apps observed per store all-time.
The percentage of blacklisted apps in each store is important to note. A store like Google Play may have the highest number of blacklisted apps, but given its massive volume, it is clear that the store is generally safe and that bad apps only slip past its controls from time to time. Stores like 9game, however, deserve more critical attention: 9game's density of blacklisted apps is extraordinary for a store, especially one trying to be legitimate.
Developers and Contacts: KitApps Makes Another Appearance and There's More to 'AndroidAPKDescargar' than Meets the Eye
There is little overlap among the top developers of blacklisted apps from quarter to quarter, with the exception of the "None" category.
However, one developer we see consistently is 'KitApps, Inc.', with 26 blacklisted apps observed in Q4, 56 in Q3, and 24 in Q2, for a total of 147 blacklisted apps in 2017. What is interesting is that all of the blacklisted apps from KitApps, Inc., except six, were found in the AndroidAPKDescargar store. This developer has 5,797 total observed apps this year, so the overall percentage of blacklisted versions is very small, but 96 percent of the blacklisted versions are in one store. Of these blacklisted apps, 137 contain Trojans and 133 have adware (note that there is overlap, as our system allows multiple antivirus types for each app).
Fig. 5: Graphing out monthly numbers of malicious apps observed.
This trend holds true across the AndroidAPKDescargar store, with 51,987 Trojan types observed and 49,609 adware types. This leads us to believe that the AndroidAPKDescargar store is being used to coordinate a campaign in which an actor, or a group of actors, is repackaging apps with Trojans and adware. As mentioned in the Q3 report, this store appears to be targeting Spanish-speaking users, with the top categories of blacklisted apps being "entretenimiento, estilo de vida, educación, finanzas, and la empresa" (entertainment, lifestyle, education, finance, and business).
Fig. 6: Number of blacklisted apps by developer in Q4
Fig. 7: Number of blacklisted apps by developer in 2017
Developers: Playing the Imitation Game
One of the tried and true methods threat actors use to ensnare victims is disguising malicious apps as something they are not. In Q3, we covered how antivirus, dating, messaging, and social networking apps are favorite targets for this game. In November, RiskIQ researchers found a mobile app that was trying to pass itself off as a cryptocurrency market price app. This app was found to be part of the bankbot family of mobile Trojans and would monitor the device that installed it for a list of target apps.
If such an app were launched while the Trojan was installed, the Trojan would put
an overlay over the legitimate app and collect sensitive information, such as login
credentials from the banking customer. RiskIQ researchers were able to find the IP
address for the command and control (C2) server as well as a list of the monitored
apps from the sample of the malicious app that was analyzed.
RiskIQ has observed other bankbot Trojans that prompt users for administrative access so that the Trojan can install its software. Once the user relinquishes administrative rights to the Trojan, the threat actor can send commands to and receive data from the mobile device via C2 infrastructure set up for the malware to beacon back to and deliver its harvested information.
To harvest a user's credentials, the Trojan lies dormant until it detects a banking application in use on the device. When a banking application starts, the Trojan opens a phishing overlay on top of the banking app, forcing the user to enter their login credentials, which are then sent back to the C2 server for the actor to use.
Some Trojans can silence notifications on the device, enabling the actor to send and receive SMS messages behind the scenes. The Trojan will even delete any messages the actor wants to keep out of sight of the user, which allows it to bypass any two-step verification that may be in place to keep accounts safe. In some cases, the Trojan even allows the actor to authorize transfers of money out of the victim's compromised accounts.
Mobile Threat Actors are “Well Connected”
In October, RiskIQ researchers were able to take malware hashes associated with
the Red Alert 2 Android Trojan and find samples that contained data that was used
to uncover infrastructure used by the malware. Pivoting off of a host found in the
APK, researchers discovered an IP address and registrant address, both of which
led to further infrastructure. Two additional domains were found to be hosting more malicious apps claiming to be Adobe Flash Player updates. The ability to pivot across the multiple datasets RiskIQ provides is invaluable for uncovering further potential threats.
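The first step of the pivot described above, extracting the hosts and IP addresses embedded in a sample so they can be looked up in passive DNS and WHOIS, as an added example that is not RiskIQ's tooling. It assumes the sample is an ordinary APK (a zip archive); the archive it builds, the hostname and the IP address are constructed documentation values, not indicators from the report.

```python
import io
import re
import zipfile

# C2 hosts in a sample usually sit inside full URLs in the dex string table or in an
# asset/config file; scanning raw bytes means classes.dex needs no dex parser.
URL_HOST_RE = re.compile(rb"(?:https?|wss?)://([a-z0-9.-]+\.[a-z]{2,})", re.I)
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Domains nearly every APK references; they are not pivot points.
BENIGN_SUFFIXES = ("android.com", "google.com", "googleapis.com", "w3.org")

def extract_indicators(apk_bytes):
    """Return {'hosts': [...], 'ips': [...]} found in any entry of the archive."""
    hosts, ips = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            for host in URL_HOST_RE.findall(data):
                host = host.decode("ascii", "ignore").lower()
                if not host.endswith(BENIGN_SUFFIXES):
                    hosts.add(host)
            for ip in IPV4_RE.findall(data):
                ip = ip.decode("ascii")
                if all(int(octet) <= 255 for octet in ip.split(".")):  # drop 999.1.1.1
                    ips.add(ip)
    return {"hosts": sorted(hosts), "ips": sorted(ips)}

def defang(indicator):
    """Neutralise an indicator before pasting it into a report or ticket."""
    return indicator.replace(".", "[.]").replace("http", "hxxp")

def build_sample_apk():
    """Constructed stand-in for a fake 'Flash Player update' APK: a zip with a mock
    dex string table and a config asset (host and IP are documentation values)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml",
                     b'<manifest package="com.example.flashupdate"/>')
        apk.writestr("classes.dex",
                     b"dex\n035\x00https://schemas.android.com/apk/res/android\x00"
                     b"http://update-flash-player.example-c2.test/gate.php\x00v1.0.2\x00")
        apk.writestr("assets/config.json", b'{"c2": "198.51.100.23", "port": 8080}')
    return buf.getvalue()
```

Real samples often obfuscate or build their C2 strings at runtime, so an empty result means only that nothing was stored in the clear.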
Conclusions
It pays to be careful about what is loaded onto your mobile device. A simple guideline to follow is to download only from official stores, like the Google Play store. Google is proactive in removing malicious applications, and while some may slip through from time to time, it is far safer to download from there than from third-party stores, which may be used for malicious campaigns.
Logos for malicious apps will often closely resemble that of the app they are
imitating. There may also be only subtle differences in the developer name, such
as a slight misspelling or the use of a comma or other punctuation in place of
or in addition to a period (e.g., ‘WhatsApp Inc.,’). Other apps will pretend to be
innocuous and perform a useful function such as a flashlight app, but will try to steal
information or perform other nefarious activities without the awareness of the user.
Just because it is in an official store does not mean you can trust it. Regardless
of what store an app comes from, check the permissions the app is asking for. If
the permissions are unnecessary for the app’s purpose, or the permissions seem
numerous, closer scrutiny of the app is not a bad thing. If you must side-load,
scan the app through a service like VirusTotal. Those services are not perfect as
there may be both false positives and false negatives, but they are a good starting
point. Awareness and scrutiny remain the user’s best defense against malicious
applications.
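The permission review recommended above, applied to the overlay-Trojan behaviour described in the Playing the Imitation Game section, as an added example rather than RiskIQ's code: it reads an AndroidManifest.xml and flags the overlay, SMS, foreground-monitoring and device-administrator permissions a bankbot-style app needs. The manifest is a constructed "flashlight" app, not a real sample; the capability-to-permission mapping and the scoring thresholds are my assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the report attributes to bankbot-style Trojans, and the permissions that grant them.
RISKY_CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                         "android.permission.SEND_SMS"},
    "foreground_app_monitoring": {"android.permission.GET_TASKS",
                                  "android.permission.PACKAGE_USAGE_STATS"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "notification_access": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

def declared_permissions(manifest_xml):
    """Permissions a manifest asks for: <uses-permission> entries plus the permissions
    guarding receivers/services (a DeviceAdminReceiver is declared with BIND_DEVICE_ADMIN)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    for tag in ("receiver", "service"):
        perms.update(el.get(ANDROID_NS + "permission") for el in root.iter(tag))
    return {p for p in perms if p}

def assess(manifest_xml):
    """(verdict, capabilities): permissions unrelated to the app's stated purpose,
    or simply numerous, deserve closer scrutiny (thresholds are assumed)."""
    perms = declared_permissions(manifest_xml)
    found = sorted(cap for cap, needed in RISKY_CAPABILITIES.items() if perms & needed)
    if {"overlay", "sms_interception", "device_admin"} <= set(found):
        verdict = "high: overlay + SMS + device-admin combination"  # the bankbot pattern
    elif len(found) >= 2:
        verdict = "medium: several sensitive capabilities"
    else:
        verdict = "low"
    return verdict, found

# Constructed manifest of a purported flashlight app (not a real sample).
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

A flashlight has no business sending SMS or holding device-admin rights, so this manifest scores high even though each permission on its own is legitimate for some app.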
RiskIQ provides comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. RiskIQ’s platform delivers unified insight and control over external web, social, and mobile exposures. Thousands of security analysts use RiskIQ to expedite investigations, monitor their attack surface, assess risk, and remediate threats.
Learn more at riskiq.com
Copyright © 2018 RiskIQ, Inc. RiskIQ, the RiskIQ logo and RiskIQ family of marks are registered trademarks or trademarks of RiskIQ, Inc. in the United States and other countries. Other trademarks mentioned herein may be trademarks of RiskIQ or other companies. 03_18
The only warranties for RiskIQ products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. RiskIQ shall not be liable for technical or editorial errors or omissions contained herein.