Cyber threat actors’ primary objective is to drive as many downloads of their fake and compromised malicious mobile apps as possible. A tactic that has proven extremely reliable in this regard is social engineering: leveraging holidays, current events, and important dates in cyber threat campaigns to raise awareness of their apps. In August and September, the “back to school” theme begins trending, targeting kids and their families who are preparing for another school year.
A simple keyword search for ‘back to school’ inside the RiskIQ platform returns 9,343 active mobile apps, 1,182 (12.7%) of which are blacklisted. As you can see in the screenshot below, these apps come in many different languages and cover just about everything—games, informational services, device themes—even apps that help you “cheat on your exams”:
Fig-1 Malicious “back to school” apps in the RiskIQ platform
RiskIQ crawls over 120 mobile app stores around the world and scans approximately 2 billion resources a day to find mobile apps in the wild, which gives it insight into how mobile cyber threat actors are getting their “back to school” malicious apps to consumers. We found that the Google Play Store, which has a relatively good reputation but led app stores in total blacklisted applications in Q2, hosts 333 of the blacklisted “back to school” apps.
Here’s what to look for when trying to avoid these malicious apps.
Mobile cyber threat actors use many of the same permissions to exploit users that benign applications use, so consumers should treat permissions as clues to an app’s level of danger by matching the permissions an app requests against what it purports to do. If an app’s permissions are not congruous with the functions it claims to provide, you should be suspicious. For example, does an app really need access to your phone calls, SMS messages, or billing to serve its purpose?
The mobile game below, “Salon: Back to School,” appears to be a typical mobile game, but it requests 16 different permissions, including access to billing. A quick check in the RiskIQ platform shows that it has been blacklisted by five different antivirus vendors for android.InMobi adware:
Fig-2 Permissions listed in the blacklisted “Salon: Back to School” game
RiskIQ’s Cyber Threat Research Team sees a rise in free email services such as Hotmail, Gmail, and Yahoo! being used as the contact address for the developers of blacklisted applications. Consumers are advised to know who they expect an app to come from and to verify that the contact listed for the app they’re downloading is legitimate. For instance, the contact for an app purporting to be from a well-known brand will not be “email@example.com.”
The app below called “Dress Up School Fashion” is blacklisted by ten different antivirus vendors for serving malware, adware, and Trojans. Its contact email is firstname.lastname@example.org:
Fig-3 “Dress Up School Fashion” has a sketchy contact email
Although many blacklisted apps have no contact email listed, consumers can still look at the developer to see if it’s a brand they recognize. If it’s not, or has a strange appearance or spelling, think twice before downloading. You can even do a Google search on the developer for more clues about its reputation.
Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can simply indicate a cyber threat actor was successful in fooling victims. For instance, despite being blacklisted, each of the apps listed above has tens of thousands of downloads.
Below is an app from the Google Play Store with thousands of downloads and excellent reviews. However, upon closer inspection, you can see that there’s something strange: the description is barely coherent. This extremely poor grammar highlights the haste of development and the lack of marketing professionalism and acumen that are hallmarks of mobile malware campaigns:
Fig-4 Despite rave reviews, something is amiss (and hard to read) with this app
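The three clues above (permissions that the app’s stated purpose cannot justify, a developer contact on a free webmail domain or none at all, and a description that reads as stuffed or incoherent) can be turned into a simple listing triage. The script below is an added example, not RiskIQ’s code or platform logic: the category-to-permission baseline, the free-mail domain list, the coherence proxy and both sample listings are assumptions constructed for illustration. It deliberately gives no credit for download counts or star ratings, for the reason the post gives.

```python
"""Heuristic triage of mobile app store listings (added example, not RiskIQ code).

Flags the clues the post describes: sensitive permissions the app's category
cannot explain, a developer contact on free webmail (or missing), and a
description that is very short or heavily repetitive. Downloads and ratings
are ignored on purpose, since both can be forged or bought.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Android permissions that expose calls, SMS, identity or payment.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "com.android.vending.BILLING",
}

# Sensitive permissions a category can plausibly justify (assumed baseline).
JUSTIFIED = {
    "game": set(),
    "dialer": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
               "android.permission.READ_PHONE_STATE"},
    "messaging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
    "shopping": {"com.android.vending.BILLING"},
}

# Free webmail domains a brand's official app would not normally use.
FREE_MAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com", "aol.com"}


@dataclass
class Listing:
    name: str
    category: str
    developer: str
    contact_email: Optional[str]
    permissions: Set[str]
    description: str


def unjustified_permissions(listing: Listing) -> Set[str]:
    """Sensitive permissions requested that the stated category does not explain."""
    allowed = JUSTIFIED.get(listing.category, set())
    return (listing.permissions & SENSITIVE) - allowed


def contact_on_free_mail(email: Optional[str]) -> bool:
    """True when the developer contact address uses a free webmail domain."""
    if not email or "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() in FREE_MAIL


def description_looks_stuffed(text: str, min_words: int = 15, min_unique: float = 0.6) -> bool:
    """Crude coherence proxy: too few words, or a low share of distinct words."""
    words = re.findall(r"[a-z']+", text.lower())
    if len(words) < min_words:
        return True
    return len(set(words)) / len(words) < min_unique


def triage(listing: Listing) -> List[str]:
    """Return human-readable flags; an empty list means no clue fired."""
    flags: List[str] = []
    bad = unjustified_permissions(listing)
    if bad:
        flags.append(f"permissions not justified by '{listing.category}': {sorted(bad)}")
    if not listing.contact_email:
        flags.append("no developer contact listed")
    elif contact_on_free_mail(listing.contact_email):
        flags.append(f"developer contact on free webmail: {listing.contact_email}")
    if description_looks_stuffed(listing.description):
        flags.append("description is very short or heavily repetitive")
    return flags


# Constructed listings modelled loosely on the post's examples (not real app data).
SUSPECT = Listing(
    name="Salon: Back to School",
    category="game",
    developer="bts apps 2019",
    contact_email="salon.bts.dev@hotmail.com",  # constructed address
    permissions={
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_SMS",
        "com.android.vending.BILLING",
    },
    description="back to school game school game salon back to school school game "
                "back to school free game school salon",
)

BENIGN = Listing(
    name="Study Planner",
    category="productivity",
    developer="Study Planner Ltd",
    contact_email="support@studyplanner.example",  # constructed, reserved TLD
    permissions={"android.permission.INTERNET", "android.permission.VIBRATE"},
    description="Plan your semester with a weekly timetable, assignment reminders and "
                "exam countdowns. Sync across devices with your school account and "
                "export your schedule as a calendar file.",
)

if __name__ == "__main__":
    for app in (SUSPECT, BENIGN):
        print(app.name, "->", triage(app) or ["no flags"])
```

Run it as-is and the constructed “Salon” listing raises all three flags while the study planner raises none. In practice the `JUSTIFIED` baseline is the part worth maintaining: it encodes the question the post asks (does this kind of app need this permission?), so it should track the categories in the stores you monitor.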
While Google has acknowledged the issues with Android and has committed to fixing them, users are still exposed to risks—particularly those with older phones, with rooted phones, or who download applications from unofficial stores. The fact that thousands of these apps are live in popular stores like Google Play goes to show that consumers are largely left to their own discretion when determining if an app is safe.
Consumers are not the only ones threatened by malicious mobile apps during the back to school season. Brands are also targeted by cyber threat actors who use their logos and branded terms fraudulently to fool people into downloading their apps. Therefore, brands should have a solution that can mitigate the impact and damage. With a proactive, store-first scanning mentality, RiskIQ External Threats’ mobile app monitoring observes and categorizes the cyber threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, detonated, analyzed, and stored, giving our customers crucial insight into how their brand appears in the mobile app ecosystem. RiskIQ also records changes and new versions of apps as they evolve.
Contact us for more about how RiskIQ can help defend your mobile attack surface.
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.