
Developer insight: Fleeceware and fraud in the App Store
Lookout's Burak Agca explores the dangers of fleeceware and fraud in the Apple App Store and details how companies can keep ahead of the hackers

A recent story from the Washington Post has shown that the iOS App Store isn’t as infallible as people think. Fraudulent apps and fleeceware have been found in the iOS App Store as attackers come up with new ways to get around app review processes. In fact, Chinese threat actors have been known to use the App Store as a quick way to release and spread malware to hundreds of devices, simply by developing an obfuscated SDK that passes Apple’s vetting processes. Considering that more than 200 billion applications have been downloaded via the App Store, the impact on personally identifiable information (PII) can be significant, even if the app is deleted shortly after purchase.
Sourmint, the name given to a malicious advertising SDK from the Chinese ad platform Mintegral, illustrates the issue well. The SDK was found to have extensive visibility into user PII and allegedly captured URL requests made from the integrated app and relayed them to a third-party host. It was active in over 1,200 iOS apps with roughly 300 million monthly downloads.
The risk of malware is universal across operating systems and devices. In a Zero Trust world where people expect to be able to work from anywhere, access to company data and resources is very risky when no clear endpoint-to-cloud security strategy exists. We all have security software installed on our computers, so why do we treat our smartphones and tablets any differently? These devices have more access to cloud-based apps and infrastructure than ever before. Since mobile devices are very personal, we see them as an extension of ourselves. We take them everywhere, and as a result, we often put convenience ahead of security.
Attackers also take advantage of sideloading, which Apple permits so that developers can test an app before releasing it on the App Store (and so that enterprises can distribute in-house apps under their own signing certificate). Attackers use the same mechanism to distribute malicious apps that have never passed Apple's app vetting. Without visibility into devices, enterprise organisations can't determine whether a user has a sideloaded app that could be laced with malware. Threat actors entice individuals to install these apps by offering extended features beyond what the official version offers.
Staying protected
Using a mobile security solution that detects known and unknown malware is key to both consumer and enterprise security. Attackers know that we place too much trust in our smartphones and tablets, and for that reason target us through mobile phishing or malicious apps. Once they compromise login credentials or plant malware on the device, they can move laterally into personal and corporate apps to steal sensitive data.
With employees accessing corporate data from devices and networks that are outside of the enterprise’s control, it’s difficult to detect anomalous user behaviour and the risk associated with it. Security and IT teams need to implement granular access policies beyond the all-or-nothing approach of VPNs. Access needs to be limited to only the necessary apps and data to stop attackers from moving laterally across the network. These policies need to be able to govern both the network and any cloud-based SaaS app or infrastructure. It’s a good start to preventing incidents caused by over-entitlement. More importantly, security teams need a way to continuously monitor the risk profile of each user and device in order to dynamically adjust access based on risk.
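The two points above, visibility into sideloaded apps on a managed device and per-app, risk-based access in place of an all-or-nothing VPN, as an added Python illustration. This is not Lookout's code or product: the inventory format and its field names, the risk thresholds, the OS baseline and the resource names are all assumptions, and the device records are constructed for the example.

```python
"""Risk-based, per-resource access decisions for mobile devices.

Added illustration, not the article's or Lookout's code. The app inventory
is a constructed stand-in loosely modelled on what an MDM returns for an
installed-application list; the field names 'app_store' and 'ad_hoc_signed'
are assumptions, as are the risk thresholds and resource names.
"""
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass
class Device:
    device_id: str
    os_version: tuple        # (major, minor), as reported by the device
    jailbroken: bool
    installed_apps: list     # list of dicts, see CONSTRUCTED_INVENTORY


def sideloaded_apps(device):
    """Bundle IDs of apps that did not come from the App Store.

    Assumption: each inventory entry carries 'app_store' (True when the app
    was installed from the App Store) and 'ad_hoc_signed' (True for apps
    signed with a developer/ad-hoc profile). Anything not App Store vended,
    or ad-hoc signed, is treated as sideloaded.
    """
    return sorted(
        app["bundle_id"]
        for app in device.installed_apps
        if not app.get("app_store", False) or app.get("ad_hoc_signed", False)
    )


MIN_OS = (16, 0)   # assumed corporate OS baseline


def device_risk(device):
    """Map device posture to a risk level (thresholds are illustrative)."""
    if device.jailbroken:
        return Risk.HIGH           # integrity of the platform is gone
    findings = 0
    if sideloaded_apps(device):
        findings += 1              # unvetted code is present
    if device.os_version < MIN_OS:
        findings += 1              # missing platform fixes
    return Risk(min(findings, 2))  # 0 -> LOW, 1 -> MEDIUM, 2 -> HIGH


# Per-resource policy: the highest device risk at which access is still granted.
APP_POLICY = {
    "corp-wiki": Risk.MEDIUM,
    "corp-mail": Risk.MEDIUM,
    "hr-payroll": Risk.LOW,
    "prod-admin-console": Risk.LOW,
}


def decide(device, resource):
    """Return (allowed, reason) for one resource request; unknown -> deny."""
    if resource not in APP_POLICY:
        return False, "unknown resource: default deny"
    risk = device_risk(device)
    limit = APP_POLICY[resource]
    if risk <= limit:
        return True, f"device risk {risk.name} within {limit.name} for {resource}"
    return False, f"device risk {risk.name} exceeds {limit.name} for {resource}"


def evaluate(device):
    """Granular outcome: one decision per resource for this device."""
    return {resource: decide(device, resource)[0] for resource in APP_POLICY}


def vpn_decision(device):
    """All-or-nothing model for contrast: full network access unless HIGH risk."""
    return device_risk(device) < Risk.HIGH


# Constructed sample data (not real telemetry).
CONSTRUCTED_INVENTORY = [
    {"bundle_id": "com.example.notes", "app_store": True, "ad_hoc_signed": False},
    {"bundle_id": "com.example.corp-mail", "app_store": True, "ad_hoc_signed": False},
    {"bundle_id": "com.example.tweaked-messenger", "app_store": False, "ad_hoc_signed": True},
]

CLEAN_DEVICE = Device("dev-a", (17, 2), False, CONSTRUCTED_INVENTORY[:2])
SIDELOAD_DEVICE = Device("dev-b", (17, 2), False, CONSTRUCTED_INVENTORY)
JAILBROKEN_DEVICE = Device("dev-c", (15, 1), True, CONSTRUCTED_INVENTORY)

if __name__ == "__main__":
    for dev in (CLEAN_DEVICE, SIDELOAD_DEVICE, JAILBROKEN_DEVICE):
        print(dev.device_id, device_risk(dev).name, evaluate(dev),
              "vpn:", vpn_decision(dev))
```

The contrast to note is the second device: the sideloaded "tweaked" messenger raises its risk to MEDIUM, which keeps it out of payroll and the admin console while leaving mail and the wiki usable, whereas the all-or-nothing VPN model still grants it the whole network. Re-running `evaluate` whenever the inventory or posture changes is the continuous, dynamic adjustment the paragraph above calls for.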
Mobile threats have grown to match those on PC in both volume and severity. Today, Apple devices are just as exposed to mobile malware, mobile advanced persistent threats and phishing attacks as any other platform. No matter what development policies are put in place, threat actors will always find a way to circumvent them.
Burak Agca brings more than 20 years of experience in modern endpoint management and cybersecurity. Prior to joining Lookout he worked at LANDesk (now Ivanti), focused on systems management, and at Citrix, leading enterprise mobility management opportunities in the UK. In his current role, he is a trusted adviser for mobile security, helping multiple customers with their mobility strategies, and is a passionate public speaker at events, conferences and in the press.