Cyber threat actors’ primary objective is to drive as many downloads of their fake and compromised malicious mobile apps as possible. A tactic that has proven extremely reliable in this regard is social engineering: leveraging holidays, current events, and important dates in cyber threat campaigns to raise awareness of their apps. In August and September, the “back to school” theme begins trending, targeting kids and their families who are focused on preparing for another school year.
A simple keyword search for ‘back to school’ inside the RiskIQ platform returns 9,343 active mobile apps, 1,182 (12.7%) of which are blacklisted. As you can see in the screenshot below, these apps come in many different languages and cover just about everything—games, informational services, device themes—even apps that help you “cheat on your exams”:
Fig-1 Malicious “back to school” apps in the RiskIQ platform
RiskIQ, which uses its crawling platform to monitor over 120 mobile app stores around the world while leveraging approximately 2 billion daily scanned resources to look for mobile apps in the wild, provides insight into how mobile cyber threat actors are getting their “back to school” malicious apps to consumers. We found that the Google Play Store, which has a relatively good reputation but led app stores in total blacklisted applications in Q2, hosts 333 of the blacklisted “back to school” apps.
Here’s what to look for when trying to avoid these malicious apps.
Mobile cyber threat actors request many of the same permissions that benign applications use, so consumers should use permissions as clues to an app’s level of danger by matching the permissions it requires against what the app purports to do. If an app’s permissions are not consistent with the functions it claims to provide, you should be suspicious. For example, does an app really need access to your phone calls, SMS messages, or billing to serve its purpose?
The mobile game below, called “Salon: Back to School,” appears to be a typical mobile game, but it requests 16 different permissions, including access to billing. A quick check in the RiskIQ platform shows that it has been blacklisted by five different antivirus vendors for android.InMobi adware:
Fig-2 Permissions listed in the blacklisted “Salon: Back to School” game
RiskIQ’s Cyber Threat Research Team sees a rise in free email services such as Hotmail, Gmail, and Yahoo! being used as the contact address for the developer of blacklisted applications. Consumers are advised to be aware of who they expect the app to come from, and verify that the contact of the app they’re downloading is legitimate. For instance, the contact for an app purporting to be from a well-known brand will not be “firstname.lastname@example.org.”
The app below called “Dress Up School Fashion” is blacklisted by ten different antivirus vendors for serving malware, adware, and Trojans. Its contact email is email@example.com:
Fig-3 “Dress Up School Fashion” has a sketchy contact email
Although many blacklisted apps have no contact email listed, consumers can still look at the developer to see if it’s a brand they recognize. If it’s not, or has a strange appearance or spelling, think twice before downloading. You can even do a Google search on the developer for more clues about its reputation.
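The two checks described above, permissions that do not fit an app’s stated purpose and a developer contact that does not fit the brand an app claims to represent, can be applied mechanically to store metadata. The following is an added example, not RiskIQ’s code; the category-to-permission mapping, the permission-count threshold, and the sample listings (including the contact addresses and the brand “ExampleBrand”) are constructed for illustration.

```python
# Added example (not RiskIQ's code): apply the post's two heuristics to a store
# listing: permissions that do not fit the app's purpose, and a contact address
# that does not fit the brand the listing claims to represent.
from dataclasses import dataclass, field

# Permissions a game has no obvious reason to request. This mapping is an
# assumption made for the example, not a RiskIQ rule set.
UNEXPECTED_FOR_CATEGORY = {
    "game": {"SEND_SMS", "READ_SMS", "READ_CALL_LOG", "CALL_PHONE",
             "READ_CONTACTS", "com.android.vending.BILLING"},
}
FREE_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}  # named in the post
MANY_PERMISSIONS = 10  # assumed threshold; the post's example asked for 16

@dataclass
class Listing:
    name: str
    category: str
    contact_email: str = ""
    claims_brand: str = ""   # brand the listing presents itself as, if any
    permissions: set = field(default_factory=set)

def review(listing: Listing) -> list:
    """Return human-readable red flags for one listing (empty list = none)."""
    flags = []
    odd = listing.permissions & UNEXPECTED_FOR_CATEGORY.get(listing.category, set())
    for perm in sorted(odd):
        flags.append(f"{listing.category} app requests {perm}")
    if len(listing.permissions) >= MANY_PERMISSIONS:
        flags.append(f"requests {len(listing.permissions)} permissions")
    domain = listing.contact_email.rpartition("@")[2].lower()
    if not domain:
        flags.append("no developer contact listed")
    elif listing.claims_brand and domain in FREE_MAIL_DOMAINS:
        flags.append(f"claims {listing.claims_brand} but contact is on {domain}")
    return flags

# Constructed listings: a game modelled on the post's "Salon: Back to School"
# (billing requested), a hypothetical brand impersonator, and a benign app.
SUSPICIOUS = Listing("Salon: Back to School", "game", "salon.dev@gmail.com", "",
                     {"INTERNET", "ACCESS_NETWORK_STATE", "WAKE_LOCK",
                      "com.android.vending.BILLING", "READ_CALL_LOG"})
IMPERSONATOR = Listing("ExampleBrand Study App", "education",
                       "examplebrand.official@hotmail.com", "ExampleBrand", {"INTERNET"})
BENIGN = Listing("Homework Planner", "tool", "support@example.org", "",
                 {"INTERNET", "ACCESS_NETWORK_STATE"})

if __name__ == "__main__":
    for app in (SUSPICIOUS, IMPERSONATOR, BENIGN):
        print(app.name, "->", review(app) or ["no red flags"])
```

A listing with no contact at all is flagged rather than passed, since the post notes that many blacklisted apps omit one; the developer name then becomes the thing to check.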
Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can simply indicate a cyber threat actor was successful in fooling victims. For instance, despite being blacklisted, each of the apps listed above has tens of thousands of downloads.
Below is an app from the Google Play Store with thousands of downloads and excellent reviews. However, upon closer inspection, you can see that there’s something strange: the description is barely coherent. This extremely poor grammar highlights the haste of development and the lack of marketing professionalism and acumen that are hallmarks of mobile malware campaigns:
Fig-4 Despite rave reviews, something is amiss (and hard to read) with this app
While Google has acknowledged the issues with Android and has committed to fixing them, users are still exposed to risks—particularly those with older phones, with rooted phones, or who download applications from unofficial stores. The fact that thousands of these apps are live in popular stores like Google Play goes to show that consumers are largely left to their own discretion when determining if an app is safe.
Consumers are not the only ones threatened by malicious mobile apps during the back to school season. Brands are also targeted by cyber threat actors who fraudulently use their logos and branded terms to fool people into downloading their apps. Therefore, brands should have a solution that can mitigate the impact and damage. With a proactive, store-first scanning mentality, RiskIQ External Threats’ mobile app monitoring observes and categorizes the cyber threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, detonated, analyzed, and stored, giving our customers crucial insight into how their brand appears in the mobile app ecosystem. RiskIQ also records changes and new versions of apps as they evolve.
Contact us for more about how RiskIQ can help defend your mobile attack surface.