The Mobile Underworld: How Businesses Are Attacked in Murky Parts of the Mobile App Ecosystem

Many CISOs tell us they do not need any form of mobile protection because their organization does not have a mobile app. After a quick check, organizations will often find that they do, in fact, have a mobile app—sometimes dozens of them.

Only, these apps are not official: threat actors build them to imitate the organization, tricking consumers into downloading them so they can phish for information and spread malware.

On rare occasions, these "rogue" mobile apps appear in official stores, breaching even the robust defenses of Google Play and the Apple App Store. However, with Apple treating its App Store like Fort Knox and Google's security controls improving (although Google still lets troublesome apps into its store at a level it finds acceptable), threat actors must focus on other app stores to turn a profit. Some of these "alternative stores" are somewhat reputable, but most are not.

Sketchy app stores and their wares represent a murky mobile underworld that exists not only outside the relative safety of reputable stores but also outside the purview of most organizations' security teams. With many of these apps found in stores hosted in countries such as China, or outside of stores altogether on the open web—often referred to as feral apps—it is no wonder CISOs can't keep tabs on them.

For example, one well-frequented alternative store that RiskIQ monitors, 9Game.com, flooded the market with over 34,880 new suspicious apps over two quarters. The share of its inventory that RiskIQ blacklisted as dangerous was a staggering 95 percent of the total apps in its store. Yet many consumers still frequent 9Game.com.

These rogue apps often come in the form of copycat apps that mirror the look and feel of legitimate ones and can be just as dangerous as compromised official apps. Both affect customers of the business and can do equal harm to the brand's reputation. These imposter apps are an effective tactic because our brains recognize and make instantaneous judgments about visual stimuli.

While many users are becoming savvier in identifying phishing emails, most do not have that same level of suspicion when downloading a new mobile app, especially when the app is associated with a well-recognized and trusted brand. Once the app is downloaded, the user's phone is susceptible to all manner of threats.

How ubiquitous is this lookalike tactic? Over Q4, the holiday shopping season, RiskIQ found 3,839 blacklisted apps targeting the branded terms of ten of the most trafficked e-commerce sites. Attackers also leverage other significant events, such as tax season, producing scores of malicious apps that mimic tax-filing software and are meant to fool taxpayers into downloading them.

Luckily, some of these apps are easy to spot. One potential giveaway is excessive permissions, where an app requests permissions that go beyond those required for its stated functionality. Another is a suspicious developer name, especially if it does not match the developer name associated with other apps from the same organization. User reviews and number of downloads, where present, also help to give some level of reassurance that the app is legitimate.  
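A brand-protection team can apply the same giveaways as a first triage pass over store listing metadata. The sketch below is an added example, not RiskIQ's detection logic or code from the article; the brand term, official developer name, permission baseline, download threshold and sample listings are all constructed assumptions.

```python
# Added example: triage store listings using the giveaways described above.
# All names, baselines and listings here are constructed for illustration.
import re
import unicodedata

BRAND = "examplebank"                       # hypothetical brand term
OFFICIAL_DEVELOPER = "Example Bank, Inc."   # hypothetical publisher name
# Permissions the brand's real app needs for its stated functionality (assumed).
BASELINE = {"android.permission.INTERNET", "android.permission.CAMERA",
            "android.permission.USE_BIOMETRIC"}
MIN_DOWNLOADS = 1000                        # assumed reassurance threshold


def normalize(text):
    """Fold case, accents and punctuation so near-identical names compare equal."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def triage(listing):
    """Return the list of giveaways found for one listing (empty = nothing flagged)."""
    if BRAND not in normalize(listing["title"]):
        return []                           # listing does not use the brand's terms
    findings = []
    extra = set(listing["permissions"]) - BASELINE
    if extra:
        findings.append("excessive permissions: " + ", ".join(sorted(extra)))
    if normalize(listing["developer"]) != normalize(OFFICIAL_DEVELOPER):
        findings.append("developer mismatch: " + listing["developer"])
    if listing.get("downloads", 0) < MIN_DOWNLOADS:
        findings.append("few or no downloads")
    return findings


# Constructed sample listings, as a store scraper might return them.
LISTINGS = [
    {"title": "Example Bank Mobile", "developer": "Example Bank, Inc.",
     "downloads": 250000, "permissions": ["android.permission.INTERNET",
                                          "android.permission.CAMERA"]},
    {"title": "ExampleBank Rewards+", "developer": "Examp1e Bank Inc",
     "downloads": 40, "permissions": ["android.permission.INTERNET",
                                      "android.permission.READ_SMS",
                                      "android.permission.READ_CONTACTS"]},
]

if __name__ == "__main__":
    for app in LISTINGS:
        print(app["title"], "->", triage(app) or "no giveaways")
```

Flagged listings are candidates for manual review and takedown requests, not verdicts; a legitimate regional partner app can also trip the developer-name check.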

Although they cannot make up for preventative measures such as checking permissions, anti-malware products provide some protection from malicious code. If a person finds that they have installed an app that spams them with links or tries to force downloads—or it turns out to be a lookalike or disappears after installation or one use—having regular, recent backups lets them wipe the phone and restore it to a safe state.

Mobile apps have become a preferred method of engagement between organizations and consumers, and the rapid growth in the number of mobile apps and app stores in recent years is a testament to that. Across the millions of apps and hundreds of app stores out there, RiskIQ detects tens of thousands of new blacklisted apps each quarter—it detected 53,955 in Q3 2019 alone. 

This hidden mobile threat landscape is a branding and consumer trust nightmare for businesses. Whether they have an official mobile presence or not, brands must be aware of this mobile app landscape to understand the entirety of their mobile attack surface.
