The Q4 2017 Mobile Threat Landscape Report
Total Blacklisted Apps Fall, but Familiar Threats Rear Their Head

By Forrest Gueterman and Jordan Herman

RiskIQ: The Q4 2017 Mobile Threat Landscape Report

Introduction

The size, complexity, and dynamic nature of the global app store ecosystem make it increasingly difficult for brands to monitor their mobile presence and protect their customers from fraud.

RiskIQ applies its crawling platform to monitor 120+ mobile app stores around the world while leveraging our daily scans of nearly 2 billion resources to look for mobile apps in the wild. With a proactive, store-first scanning mentality, we observe and categorize the threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, analyzed, and stored. RiskIQ also records changes and new versions of apps as they evolve.

The fourth quarter of 2017 showed a 37 percent decrease in blacklisted apps over Q3 but featured a host of familiar threats such as brand imitation, phishing, and malware—as well as new ones such as a bankbot network preying on cryptocurrency customers. In this report, we’ll give an overview of these mobile threats, as well as emerging trends we anticipate will be prevalent throughout 2018, to help you protect yourself and your customers.


Running the Numbers

Blacklisted apps observed overall dropped from Q3 to Q4, with 60,904 seen in Q3 and only 38,425 seen in Q4. The drop is in large part due to AndroidAPKDescargar’s massive influx of blacklisted apps in Q3 (20,907). With only 7,419 new blacklisted apps seen in that store in Q4, the result is a precipitous drop in apps, showing the profound effect one app store can have on the entire mobile threat landscape.

October was the Q4 month with the highest number of blacklisted apps seen, with 15,067. There was a dip in November, with only 9,587 seen, and December ended the year on an uptick, with 13,771 blacklisted apps observed. Reviewing the entirety of 2017 shows July as the busiest blacklist month, with 29,844 blacklisted apps observed. As reported in the Q3 Mobile Threat Landscape Report, this coincided with the arrival of the AndroidAPKDescargar store.

App Stores: Feral Apps Fall

Once again, the Google Play store led the way with the most blacklisted apps in Q4, with 9,375 matching against at least one blacklist such as VirusTotal, which, per its website, inspects files or web pages with over 70 antivirus products and other tools. A blacklist hit from VirusTotal shows that at least one vendor has flagged the file as suspicious or malicious. Only six percent of the total apps in Google Play are blacklisted, which is a two percent increase from last quarter.

Fig. 1: Total number of blacklisted apps per store.


Feral apps, apps found outside of stores on the internet that are available for download, have held court in the number two spot for most blacklisted apps observed by RiskIQ for several quarters in a row. However, with 3,507 blacklisted apps (52 percent of the total) observed in Q4, they were bumped down to fourth by three other stores:

• ‘AndroidAPKDescargar’ had 7,419 blacklisted apps, comprising 41 percent of the apps RiskIQ observed in their store.
• ‘9game.com’ had 4,083 blacklisted apps, accounting for 86 percent of the total apps RiskIQ observed.
• ‘9apps’ had 3,644 blacklisted, 15 percent of the total apps.

Included in our blacklisted apps are a large number that were flagged for adware—14,758 in total, 11,656 of which were also flagged for malicious behaviors such as acting as a Trojan or spyware, leaving 3,102 apps (eight percent of all blacklisted apps) solely acting as adware. Adware may seem benign, but it is often packaged with malicious behaviors and can itself be an avenue of infection through malware-laced ads.

• In all, 1,787 Google Play apps were flagged solely as adware, making up 19 percent of Google Play’s blacklisted apps, and 1,313 Google Play apps were flagged for both adware and Trojan behavior.
• One percent of blacklisted ‘AndroidAPKDescargar’ apps were flagged as adware alone, with the other 99 percent flagged as adware and Trojans.
• Rounding out the rest, feral apps were four percent adware, 403 (17 percent) of AppChina blacklisted apps were solely adware, Brothersoft was made up of 12 percent adware, NearmeMobile was five percent adware, and Tencent was, coincidentally, 10 percent adware.

Fig. 2: Percentage of blacklisted apps vs total apps in store.

Fig. 3: Total number of blacklisted apps in each store for all of 2017 through Q4.

Fig. 4: Total blacklisted apps observed per store all-time.

The percentage of blacklisted apps in each store is important to note. A store like Google Play may have the highest number of blacklisted apps, but given its massive volume, it’s clear that the store is generally safe, though bad apps slip by its controls from time to time. However, stores like 9game deserve more critical attention. 9game’s density of blacklisted apps is extraordinary for a store, especially one trying to be legitimate.

Developers and Contacts: KitApps Makes Another Appearance and There’s More to ‘AndroidAPKDescargar’ than Meets the Eye

There is little overlap among the top developers for blacklisted apps from quarter to quarter, with the exception of the “None” category. However, one consistent developer we see is ‘KitApps, Inc.’ with 26 blacklisted apps observed in Q4, 56 in Q3, and 24 in Q2 for a total of 147 blacklisted apps in 2017. What’s interesting is that all of the blacklisted apps from KitApps Inc., except six, were found in the AndroidAPKDescargar store. This developer has 5,797 total observed apps this year, so the overall percentage of blacklisted versions is very small, but 96 percent of the blacklisted versions are in one store. Of these blacklisted apps, 137 contain Trojans and 133 have adware (note that there is overlap, as our system allows multiple antivirus types for each app).

Fig. 5: Graphing out monthly numbers of malicious apps observed.


This is a trend that holds true across the AndroidAPKDescargar store, with 51,987 Trojan types observed and 49,609 adware types. This leads us to believe that the AndroidAPKDescargar store is being used to coordinate a campaign where an actor, or a group of actors, is repackaging apps with Trojans and adware. As mentioned in the Q3 report, this store appears to be targeting Spanish-speaking users, with the top categories of blacklisted apps showing “entretenimiento, estilo de vida, educación, finanzas, and la empresa” (entertainment, lifestyle, education, finance, and business).

Fig. 6: Number of blacklisted apps by developer in Q4.

Fig. 7: Number of blacklisted apps by developer in 2017.

Developers

Playing the Imitation Game

One of the tried and true methods for threat actors to ensnare victims is disguising malicious apps as something they are not. In Q3, we covered how antivirus, dating, messaging, and social networking apps are favorite targets for this game. In November, RiskIQ researchers found a mobile app that was trying to pass itself off as a cryptocurrency market price app. This app was found to be part of the bankbot family of mobile Trojans and would monitor the device that installed it for a list of target apps.

If such an app were launched while the Trojan was installed, the Trojan would put an overlay over the legitimate app and collect sensitive information, such as login credentials, from the banking customer. RiskIQ researchers were able to find the IP address for the command and control (C2) server as well as a list of the monitored apps from the sample of the malicious app that was analyzed.

RiskIQ has observed other bankbot Trojans that prompt users for administrative access so they can install their software. Once the user relinquishes administrative rights to the Trojan, the threat actor can send and receive commands to the mobile device via a C2 infrastructure set up for the malware to beacon back and send its harvested information.

To harvest a user’s credentials, the Trojan will lie dormant until it detects a banking application in use on the device. When a banking application starts, the Trojan will open a phishing overlay on top of the banking app, forcing the user to enter their login credentials, which are then sent back to the C2 for the actor to utilize.

Some Trojans can silence notifications on the device, enabling the actor to send and receive SMS messages behind the scenes. They will even delete any messages the actor wants to keep out of sight from the user, which allows them to bypass any two-step verification that may be in place to keep accounts safe. In some cases, the Trojan even allows authorization of money transfers from the compromised accounts of the victim.

Mobile Threat Actors are “Well Connected”

In October, RiskIQ researchers were able to take malware hashes associated with the Red Alert 2 Android Trojan and find samples that contained data that was used to uncover infrastructure used by the malware. Pivoting off of a host found in the APK, researchers discovered an IP address and registrant address, both of which led to further infrastructure. Two additional domains were found to be hosting more malicious apps claiming to be Adobe Flash Player updates. The ability to pivot around in multiple datasets provided by RiskIQ is invaluable for uncovering more potential threats.

Conclusions

It pays to be careful what is loaded onto your mobile device. Some simple guidelines to follow are to only download from official stores, like the Google Play store. Google is proactive in removing malicious applications, and while some may slip through from time to time, it is far safer to download from there than from third-party stores, which may be used for malicious campaigns.

Logos for malicious apps will often closely resemble that of the app they are imitating. There may also be only subtle differences in the developer name, such as a slight misspelling or the use of a comma or other punctuation in place of or in addition to a period (e.g., ‘WhatsApp Inc.,’). Other apps will pretend to be innocuous and perform a useful function, such as a flashlight app, but will try to steal information or perform other nefarious activities without the awareness of the user.

Just because it is in an official store does not mean you can trust it. Regardless of what store an app comes from, check the permissions the app is asking for. If the permissions are unnecessary for the app’s purpose, or the permissions seem numerous, closer scrutiny of the app is not a bad thing. If you must side-load, scan the app through a service like VirusTotal. Those services are not perfect, as there may be both false positives and false negatives, but they are a good starting point. Awareness and scrutiny remain the user’s best defense against malicious applications.
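The two checks the conclusion recommends, comparing a developer name against the brand it may be imitating and comparing an app’s permission list against its stated purpose, as an added Python example that is not part of the RiskIQ report or its platform. The publisher allowlist, the per-category permission baselines, the lookalike threshold, and the sample store listings are all constructed for illustration; the Android permission strings themselves are real.

```python
"""Two listing checks from the report's conclusion: is the developer name a near miss for a
known publisher (misspelling or punctuation game such as 'WhatsApp Inc.,'), and does the
permission list reach beyond what the app's purpose needs.  Added example, not RiskIQ code;
allowlist, baselines and sample listings are constructed."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist (assumption: a brand or security team curates the publisher
# names of its own legitimate apps).
KNOWN_PUBLISHERS = {"WhatsApp Inc.", "Facebook", "Google LLC"}

# Constructed baselines: permissions an app of each purpose plausibly needs.
EXPECTED_PERMISSIONS = {
    "flashlight": {"android.permission.CAMERA"},
    "price_tracker": {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"},
    "messaging": {"android.permission.INTERNET", "android.permission.READ_CONTACTS"},
}

# Permissions that enable the bankbot behaviours the report describes (SMS interception,
# overlays on top of other apps, device administration) and so deserve a hard look when
# they fall outside an app's purpose.
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

LOOKALIKE_THRESHOLD = 0.85  # assumption: similarity ratio above which a name is a near miss


def normalize_publisher(name):
    """Fold case, strip accents and drop punctuation and whitespace so that
    'WhatsApp Inc.,' and 'WhatsApp Inc.' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def check_publisher(name, known=KNOWN_PUBLISHERS, threshold=LOOKALIKE_THRESHOLD):
    """Return ('match', brand) for the genuine publisher string, ('lookalike', brand) when
    the name only differs in punctuation or by a small edit, or ('unknown', None)."""
    norm = normalize_publisher(name)
    best, best_ratio = None, 0.0
    for brand in known:
        brand_norm = normalize_publisher(brand)
        if norm == brand_norm:
            # Same letters; a different raw string means a punctuation game.
            return ("match" if name == brand else "lookalike", brand)
        ratio = SequenceMatcher(None, norm, brand_norm).ratio()
        if ratio > best_ratio:
            best, best_ratio = brand, ratio
    if best_ratio >= threshold:
        return ("lookalike", best)
    return ("unknown", None)


def check_permissions(category, requested):
    """List permissions outside the category baseline, and the high-risk subset."""
    extra = set(requested) - EXPECTED_PERMISSIONS.get(category, set())
    return {"unexpected": sorted(extra), "high_risk": sorted(extra & HIGH_RISK_PERMISSIONS)}


def assess_listing(listing):
    """Combine both checks into the findings a reviewer would want to see for one listing."""
    findings = []
    verdict, brand = check_publisher(listing["publisher"])
    if verdict == "lookalike":
        findings.append(f"publisher '{listing['publisher']}' imitates '{brand}'")
    perms = check_permissions(listing["category"], listing["permissions"])
    if perms["high_risk"]:
        findings.append("high-risk permissions outside purpose: " + ", ".join(perms["high_risk"]))
    elif perms["unexpected"]:
        findings.append("permissions outside purpose: " + ", ".join(perms["unexpected"]))
    return findings


# Constructed sample listings, not real apps: a flashlight asking for SMS and overlay
# rights, a messenger under a punctuation-game publisher, and a clean price tracker.
SAMPLE_LISTINGS = [
    {"name": "Torch", "publisher": "Acme Games", "category": "flashlight",
     "permissions": {"android.permission.CAMERA", "android.permission.RECEIVE_SMS",
                     "android.permission.SYSTEM_ALERT_WINDOW"}},
    {"name": "WhatsUp Messenger", "publisher": "WhatsApp Inc.,", "category": "messaging",
     "permissions": {"android.permission.INTERNET", "android.permission.READ_CONTACTS"}},
    {"name": "Coin Prices", "publisher": "Acme Labs", "category": "price_tracker",
     "permissions": {"android.permission.INTERNET"}},
]

if __name__ == "__main__":
    for listing in SAMPLE_LISTINGS:
        print(listing["name"], "->", assess_listing(listing) or ["no findings"])
```

The normalization step is what catches the ‘WhatsApp Inc.,’ case: once punctuation is removed the two strings are identical, so the differing raw string is itself the signal. The similarity ratio then covers single-character misspellings. Permission review is deliberately relative to purpose rather than absolute, since SMS access is legitimate for a messenger and suspicious for a flashlight.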

RiskIQ provides comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. RiskIQ’s platform delivers unified insight and control over external web, social, and mobile exposures. Thousands of security analysts use RiskIQ to expedite investigations, monitor their attack surface, assess risk, and remediate threats.

Learn more at riskiq.com

Copyright © 2018 RiskIQ, Inc. RiskIQ, the RiskIQ logo and RiskIQ family of marks are registered trademarks or trademarks of RiskIQ, Inc. in the United States and other countries. Other trademarks mentioned herein may be trademarks of RiskIQ or other companies. 03_18

The only warranties for RiskIQ products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. RiskIQ shall not be liable for technical or editorial errors or omissions contained herein.

22 Battery Street, 10th Floor San Francisco, CA. 94111

[email protected] RiskIQ.com

1 888.415.4447 @RiskIQ
