Security vendor FireEye has issued a timely warning about the scale of the mobile threat facing users: a new report claims that Android apps downloaded more than five billion times in total are vulnerable to remote attacks.
The firm’s Out of Pocket report details analysis of seven million iOS and Android apps.
Of the flaws behind those five billion vulnerable downloads, JavaScript-Binding-Over-HTTP (JBOH) may be the riskiest, the report claimed. The pattern is an app that exposes a Java object to the JavaScript running in a WebView while loading that WebView's content over plaintext HTTP.
Because the traffic is unencrypted, an attacker on the network path can tamper with the HTTP response and inject malicious content and links into the page; script injected this way can call the exposed Java object and, through it, gain full control of the app. Almost one third (31%) of popular Android apps with over 50,000 downloads were vulnerable, the report claimed.
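To make the JBOH pattern concrete, here is an added example (not code from the FireEye report or from any app it analysed) showing the vulnerable WebView setup next to a hardened version. The class names, the `bridge` object name and the `content.example.com` URLs are hypothetical.

```java
// Added example, not from the FireEye report. Class, bridge and URL names are hypothetical.
import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

public class JbohDemoActivity extends Activity {

    // Java object handed to page JavaScript through the WebView bridge.
    public static class NativeBridge {
        private final Activity activity;

        NativeBridge(Activity activity) {
            this.activity = activity;
        }

        // With targetSdkVersion < 17 (or without this annotation) every public
        // method of the object, including getClass(), is reachable from page
        // script, which is what lets injected JavaScript escalate to the app's
        // full privileges. On API 17+ only annotated methods are exposed.
        @JavascriptInterface
        public void showMessage(String msg) {
            Toast.makeText(activity, msg, Toast.LENGTH_SHORT).show();
        }
    }

    // VULNERABLE (the JBOH pattern): a Java bridge is exposed to content fetched
    // over plain HTTP. Anyone who can alter the response in transit (open Wi-Fi,
    // rogue access point, upstream man-in-the-middle) can inject a <script>
    // that calls window.bridge.* inside the app's own process.
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    void loadVulnerable(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(this), "bridge");
        webView.loadUrl("http://content.example.com/news"); // plaintext: injectable
    }

    // HARDENED: content comes only from a TLS origin, navigations are pinned to
    // that origin so a redirect cannot swap in attacker content, file access is
    // off, and bridge methods carry @JavascriptInterface (requires
    // targetSdkVersion >= 17 to take effect).
    @SuppressLint("SetJavaScriptEnabled")
    void loadHardened(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.getSettings().setAllowFileAccess(false);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation: block anything that is
                // not our HTTPS origin.
                return !url.startsWith("https://content.example.com/");
            }
        });
        webView.addJavascriptInterface(new NativeBridge(this), "bridge");
        webView.loadUrl("https://content.example.com/news");
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        loadHardened(webView); // swap for loadVulnerable(webView) to see the JBOH shape
    }
}
```

Two caveats a reviewer would raise: the `@JavascriptInterface` annotation protects nothing on devices running Android versions older than 4.2, so on those the only real fix is to never expose a bridge to content that is not served over TLS (or not to expose one at all); and when auditing an APK, the quick check is to look for `addJavascriptInterface` calls in code paths that also `loadUrl` an `http://` address or that accept URLs from untrusted input.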
It’s not just insecurely coded apps that are exposing Android users to danger: the platform now accounts for 96% of all mobile malware, according to FireEye.
Malware designed to steal financial information was particularly prevalent – rising 500% in volume in the second half of 2013.
The report added:
“We found that Android malware (excluding adware and grayware) surged from roughly 240,000 unique samples in all of 2013, to more than 390,000 unique samples in the first three quarters of 2014.”
The iOS ecosystem has always been strictly regulated by Apple, meaning that historically very little in the way of malware or security flaws existed.
However, this is gradually changing, according to FireEye.
So-called "EnPublic" apps, signed with enterprise certificates and distributed using enterprise provisioning profiles, are becoming a popular way for malware writers to bypass the App Store review process.
Some 80% of them, for example, use private APIs, which Apple prohibits.
“EnPublic apps can use private APIs within iOS and load user interfaces mimicking authentic Apple apps, which attackers use to attack iOS devices. Attackers can easily send victims a text message or email with a link to download an EnPublic app.”
Although FireEye only found 1,400 of these apps on the public internet, there could be many more on the way, the firm warned.
Another security risk for iOS users is the new malware strains WireLurker and Pawn Storm, which use enterprise and ad-hoc provisioning to install malware on non-jailbroken devices.
WireLurker used trusted USB connections and enterprise provisioning to download malware onto non-jailbroken devices, with the end goal of stealing money from victims.
Pawn Storm uses ad-hoc provisioning to install on non-jailbroken devices, collecting private user data to send to a remote C&C server.
The report warned that all stakeholders in the mobile ecosystem must do better to reduce risk.
“App store providers, app developers, organizations, and users must better understand the threats and risks they face from mobile apps,” it said.
“Consumers must pay special attention to app behaviors. Enterprises must consider mobile devices a key endpoint. And both sides must make understanding apps and securing them a priority.”