Hackers often recognize weak points in mobile apps that can facilitate their nefarious goals. In fact, 76% of mobile-focused attacks in early 2020 targeted mobile apps. With mobile apps becoming an even bigger part of how we live, work and play in the era of COVID-19 and distributed workforces, mobile app attacks will only become more common. No industry is immune, either. Below, we explore four of the most brazen and far-reaching app threats we’ve seen so far in 2020.
Location: Canada & beyond
Threat Types: Fake App, Ransomware
What Happened: Health Canada launched a COVID-19 contact tracing app in an effort to control the spread of the virus. Soon after, the CryCryptor malware builders released a fake version of the app. The fake version contained malware that encrypts targeted files and removes the original files from a user’s computer.
This is just one example of the many fake COVID-19 apps that have been spreading throughout the world. Anomali Threat Research has identified at least 12 malicious COVID-19 related apps targeting people in countries across the globe. Most contain malware like Anubis and Spynote.
Guardsquare has also recently conducted analysis of 17 COVID-19 contact tracing apps produced by governments, finding that just one of the 17 is using proper app hardening techniques. In other words, both fake apps and insufficiently secured legitimate coronavirus apps are a problem for both developers and end-users. (Read the report.)
Takeaways: One of the best ways to prevent fake apps is to produce your own legitimate apps and distribute them via the approved app stores. If you already have apps out there, make sure you are taking a layered approach to mobile app security to prevent attacks that can facilitate fake apps and/or spread ransomware.
Location: U.S. & beyond
Threat Types: Trojans, credential theft
What Happened: With a dramatic increase in mobile banking usage amid coronavirus-related shutdowns, the FBI is warning U.S. citizens about the prevalence of banking trojans. These malicious programs hide on users’ mobile devices until a legitimate banking app is installed. Once the legitimate app is on the device, the banking trojan draws an overlay on top of it and tricks the user into tapping the overlay and entering their banking login credentials.
Trojans aren’t the only issue at play in the financial services space, either. Much like contact tracing apps, there is now a plethora of fake finserv apps on the market as well. Moreover, Guardsquare conducted an analysis of Android mobile financial services apps in late 2019 and found that the vast majority were not applying basic app hardening techniques like obfuscation. (Read the report.)
Takeaways: For developers of finserv apps, this is a good reminder to employ proper security measures. These include app hardening, RASP, and real-time threat monitoring. Users must exercise caution in choosing which apps to download, and should install apps only from legitimate app stores. Two-factor authentication should be enabled on all apps that require banking or financial services credentials.
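As an added illustration (not code from the original post or from Guardsquare), here is one in-app check an Android banking app can make against the overlay technique described above: the login button refuses touches that the system reports as passing through another window. The activity and view names (`LoginActivity`, `R.id.submit`, `R.layout.activity_login`) are hypothetical.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;
import android.widget.Toast;

// Hypothetical login screen used to demonstrate overlay-aware touch handling.
public class LoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);

        Button submit = findViewById(R.id.submit);

        // Same effect as android:filterTouchesWhenObscured="true" in the layout:
        // the framework silently drops touches that arrive while this view is
        // fully covered by another app's window, which is what an overlay relies on.
        submit.setFilterTouchesWhenObscured(true);

        // The built-in filter ignores *partially* obscured windows, so also
        // inspect the event flags and refuse to submit in that case.
        submit.setOnTouchListener(new View.OnTouchListener() {
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                if (isObscured(event)) {
                    Toast.makeText(v.getContext(),
                            "Another app is drawing over this screen.",
                            Toast.LENGTH_LONG).show();
                    return true;  // consume the touch; login is not submitted
                }
                return false;     // normal click handling continues
            }
        });
    }

    /** True when the system flags the touch as passing through another window. */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED is reported from API level 29 onward.
        boolean partly = (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partly;
    }
}
```

This check is one layer only; the takeaways above (app hardening, RASP, real-time monitoring) still apply, since an overlay is not the only way a trojan can capture credentials.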
Industry: Online Dating
Location: U.S., South Korea & beyond
Threat Types: Improper data storage
What Happened: Several online dating services, including CatholicSingles.com, TIKI, Blurry and SKYKX have been identified as storing users’ information in insecure databases. As Colin Bastable, CEO of a security awareness training company put it, “They dropped the ball.”
This is a good reminder that not all threats are intentional and malicious in nature. In this case, database misconfigurations have publicly revealed highly personal information and communications of more than 100 million users. Not very romantic. The creators of mobile apps, whether they are for dating, banking, gaming or any other purpose, must take database configuration seriously.
Takeaways: Misconfigured databases are one of the most common ways that users’ private information and financial details wind up leaked on the internet. Moreover, it’s absolutely vital to use layered app hardening techniques to make it more difficult for hackers to find sensitive information inside mobile apps.
Location: North Korea (hackers), global targets
Threat Types: Phishing, credential harvesting, malware injection
What Happened: A North Korean hacking group that once delivered its phishing campaigns primarily by email has expanded its focus to stealing credentials via third-party mobile messaging apps and social media platforms. Once it harvests employee login credentials via mobile apps, it injects malicious code into the checkout pages on retailers’ websites. These are Trojan-like attacks that are nearly impossible for end consumers to identify. Moreover, if retailers do not have sufficient security measures built in, they may not recognize the code changes until the fraud has already taken place.
State-sponsored actors can have other motivations, but it appears that in this case the main goal was to commit financial fraud. They may also have been stealing personal data to sell on dark web sites. As eCommerce becomes even more popular in the COVID-19 era of social distancing, the potential take from this type of fraud grows.
Takeaways: It’s up to app makers to make it as difficult as possible for hackers to harvest credentials. It’s up to consumers and business users to be diligent about both mobile apps and eCommerce sites. Businesses should continue to provide security awareness training to prevent their users from falling prey to phishing and other social engineering attacks.