“App stores are the greatest malicious software delivery method ever invented”, Smith told Infosecurity. “There have been an unbelievable number of examples of applications that are available for both Android and iOS that either are malware or behave differently than advertised”, he added.
Smith observed that most people believe app stores are safe because they come from a trusted source. “Today, anybody can sign up for 100 bucks and write their own application. Nobody is vetting who these application writers are….I could write an application for Android and have it for sale an hour later.”
Just last month, Google removed 55 apps from its Android Market after tens of thousands of users downloaded applications that were infected by the DroidDream trojan. The list of infected Android applications included Chess, Super Guitar Solo, Bowling Time, Super History Eraser, and Photo Editor.
“Apple doesn’t get the same publicity and so people believe that Apple is safe”, Smith said. “But no one can actually tell you an app that is behaving good today will behave good tomorrow”, he added.
Smith explained that criminals are able to make money from malicious apps. For example, a malicious application could jailbreak, take over the smartphone, and then operate in the background, looking for information like a bank account user name and password, he said. “Unfortunately, this is very easy to do today”, he added.
To address the threat posed by malicious apps, M.A.D. is teaming with RiskIQ to lower the risk of malicious apps infecting mobile devices. RiskIQ is contributing its Threat Flow Engine technology, which prevents malicious apps from reaching devices, to the partnership. M.A.D. is contributing its Application Access Control technology.
“We came up with the Application Access Control…that looks at how devices are behaving and the patterns of devices. If it sees something suspicious, it quarantines the device and even wipes the device”, he explained.
By analyzing the mobile threat environment through automated behavioral analysis of mobile applications, the partnership tests available apps in app stores, both official and unofficial. The capability offered by the companies identifies applications and mobile developers involved in mobile phishing, mobile identity theft, marketing fraud, and mobile malware.
Lou Manousos, chief executive officer of RiskIQ, explained the partnership this way. “Our collaboration with Mobile Active Defense and their fundamental architecture of the MECS [Mobile Enterprise Compliance and Security] Server provides something no other enterprise-grade mobile security product could provide until now – detection and blocking of hostile apps before they can be installed and cause any damage, breaches or data loss.”