Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Antivirus mobile apps are here, and they aren’t who they purport to be.
With the world connecting more and more through mobile devices, it is becoming increasingly important to make sure those devices are secured. While many security companies are taking on the challenge of keeping data safe in a mobile world, there are plenty of predators out there who see this as another avenue to exploit.
Case in point: the rise of fake WannaCry “protectors,” apps that use the fear and hysteria around the self-propagating ransomware to drive downloads, even though mobile systems are safe from its impact. These apps don’t do anything helpful and the possibility that some threat actors will build fake WannaCry apps to propagate malware remains.
Leveraging the threat of malware infections to drive downloads of potentially unwanted programs, worthless mobile apps, and even malware isn’t limited to the WannaCry theme. Using RiskIQ’s mobile database, hundreds of examples of apps that claimed to help defend mobile phones were found, instead, to be preying on unsuspecting users by pushing adware, trojans, and other malware:
Fig-1: “Androids Antivirus” an antivirus app discovered in the Mobiles24 store with its associated VirusTotal hits on the right
Using a title search for “Antivirus” resulted in 6,295 total apps, past and present, claiming to either be an antivirus solution, review antivirus solutions or be associated with antivirus software in some way. More than 700 of these apps triggered blacklist detections from the aggregated antivirus vendors in VirusTotal. Trimming the dataset to compare apps only coming from the Google Play store showed 655 results. Of those, 131 had triggered blacklist detections.
Fig -2 “Mobile Antivirus Security Info” was a mobile antivirus review app that the Google Play store removed. VirusTotal hits on the right
We then refined the data to only apps still labeled as being active. More than 4,290 antivirus apps were still being active, with 525 of those having blacklist hits. The Google Play store has 508, with 55 blacklisted. Comparing the numbers, it shows that historically, the Google Play store has had a greater percentage of blacklisted antivirus apps, at 20% versus the overall 11%. However, the current amount of blacklisted antivirus apps in the Google Play store is at 10.8%, versus the overall of 12.2%.
Fig-3 “Antivirus Malware Trojan” was a mobile antivirus app that the Google Play store removed. VirusTotal hits on the right
Many of these apps are not what they claim to be
Of course, not all of these blacklist hits from VirusTotal mean that the app is malicious, and many malicious antivirus apps are not blacklisted at all. After all, even on VirusTotal’s website, they state “it may be used as a means to detect false positives.” VirusTotal can be utilized as a way to gauge the riskiness of scanned files, and if a trusted AV vendor flags an app, or multiple AV vendors flag an app, it may be worth further review. The example apps throughout this blog post have multiple hits from AV vendors, including some of the more trustworthy and well-known ones.
Fig-4 “MP Security Antivirus App Lock” is an antivirus app on the Google Play store. VirusTotal hits on the right
When it comes to the safety of your mobile devices, it is always best to be diligent. Be careful about inviting the bad guys in and giving them access to everything when choosing an antivirus app.
General tips on what to look out for also apply to mobile antivirus solutions:
RiskIQ automatically runs all mobile applications encountered through a variety of blacklists, including VirusTotal. We differ from other monitoring systems that rely on end users employing their virus scanning tools and/or manual sample submissions. RiskIQ Mobile Threats provides discovery across all the leading app stores as well as more than 150 less popular stores, including focused coverage of high-risk stores and regions for brand impersonation, malware, and fraud. In addition to comprehensive coverage of third-party app stores worldwide, RiskIQ incorporates a unique source of “feral app” binaries, or mobile apps collected outside of dedicated mobile app stores, via drive-by download for example. With this comprehensive mobile presence knowledge, organizations have the unparalleled ability to:
Another Magecart group has started to compromise misconfigured S3 buckets! Please secure your buckets.
We detailed how to secure your S3 Buckets in our original reporting: https://t.co/QKrZqWV506
The Columbus, OH #ThreatHunting community is out in full force for today's workshop! Together, we're powering better investigations through data.
Some insights based on reporting by @RiskIQ: Beyond Wipro: Meet the ‘Gift Cardsharks’ Behind the Massive Campaign Targeting Victims with Commercially Available Tools https://t.co/6Vxsnygp1z via @ooda
For today's executives, protecting your organization means protecting yourself—and knowing that personal security sits at the confluence of the physical and digital worlds. https://t.co/HShORi3X6j #ExecutiveProtection #ExecutiveSecurity
Overlap in RiskIQ's unique data sets uncovered a massive threat campaign using popular marketing and analytics tools to target gift card retailers, distributors, and processors. Here's what you need to know https://t.co/GkHsPFwkkd #ThreatIntelligence