Threat actors’ primary objective is to drive as many downloads of their fake and compromised malicious mobile apps as possible. A tactic that has proven extremely reliable in this regard is social engineering: leveraging holidays, current events, and important dates in threat campaigns to raise awareness of their apps. In August and September, the “back to school” theme begins trending, targeting kids and their families who are focused on preparing for another school year.
A simple keyword search for ‘back to school’ inside the RiskIQ platform returns 9,343 active mobile apps, 1,182 (12.7%) of which are blacklisted. As you can see in the screenshot below, these apps come in many different languages and cover just about everything—games, informational services, device themes—even apps that help you “cheat on your exams”:
Fig-1 Malicious “back to school” apps in the RiskIQ platform
RiskIQ, which uses its crawling platform to monitor over 120 mobile app stores around the world while leveraging approximately 2 billion daily scanned resources to look for mobile apps in the wild, provides insight into how mobile threat actors are getting their “back to school” malicious apps to consumers. We found that the Google Play Store, which has a relatively good reputation but led app stores in total blacklisted applications in Q2, hosts 333 of the blacklisted “back to school” apps.
Here’s what to look for when trying to avoid these malicious apps.
Mobile threat actors use many of the same permissions to exploit users that benign applications use, so consumers should use permissions as clues to help them determine an app’s level of danger by matching the permissions it requests with what the app purports to do. If an app’s permissions are not congruous with the functions it claims to provide, you should be suspicious. For example, does an app really need access to your phone calls, SMS messages, or billing to serve its purpose?
The mobile game below, called “Salon: Back to School,” appears to be a typical mobile game, but it requests 16 different permissions, including access to billing. A quick check in the RiskIQ platform shows that it has been blacklisted by five different antivirus vendors for android.InMobi adware:
Fig-2 Permissions listed in the blacklisted “Salon: Back to School” game
RiskIQ’s Threat Research Team sees a rise in free email services such as Hotmail, Gmail, and Yahoo! being used as the contact address for the developer of blacklisted applications. Consumers are advised to be aware of who they expect the app to come from, and verify that the contact of the app they’re downloading is legitimate. For instance, the contact for an app purporting to be from a well-known brand will not be “firstname.lastname@example.org.”
The app below called “Dress Up School Fashion” is blacklisted by ten different antivirus vendors for serving malware, adware, and Trojans. Its contact email is email@example.com:
Fig-3 “Dress Up School Fashion” has a sketchy contact email
Although many blacklisted apps have no contact email listed, consumers can still look at the developer to see if it’s a brand they recognize. If it’s not, or has a strange appearance or spelling, think twice before downloading. You can even do a Google search on the developer for more clues about its reputation.
Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high number of downloads can simply indicate that a threat actor was successful in fooling victims. For instance, despite being blacklisted, each of the apps listed above has tens of thousands of downloads.
Below is an app from the Google Play Store with thousands of downloads and excellent reviews. However, upon closer inspection, you can see that there’s something strange: the description is barely coherent. This extremely poor grammar highlights the haste of development and the lack of marketing professionalism and acumen that are hallmarks of mobile malware campaigns:
Fig-4 Despite rave reviews, something is amiss (and hard to read) with this app
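The four checks above (permissions against declared purpose, developer contact address, developer identity, and not trusting downloads or reviews) can be expressed as a small triage script run over store-listing metadata. The following is an added example and not RiskIQ’s code or platform output; the listing records, the per-category permission policy, the webmail domain list, and the contact addresses are all constructed for illustration, and the description check is a deliberately crude repetition heuristic rather than a real coherence test.

```python
"""Heuristic triage of mobile-app store listings (added example, not RiskIQ code).

All listing records, the permission policy and the webmail domain list below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Free webmail providers named in the post; a brand's official app is unlikely to
# list one of these as its developer contact (assumed list, extend as needed).
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}

# Permissions a listing's declared category rarely needs (assumed policy).
SENSITIVE_BY_CATEGORY = {
    "game": {"READ_SMS", "SEND_SMS", "READ_CALL_LOG", "CALL_PHONE",
             "BILLING", "READ_CONTACTS", "ACCESS_FINE_LOCATION"},
    "theme": {"READ_SMS", "SEND_SMS", "READ_CALL_LOG", "CALL_PHONE",
              "BILLING", "READ_CONTACTS", "CAMERA", "RECORD_AUDIO"},
}
DEFAULT_SENSITIVE = {"READ_SMS", "SEND_SMS", "READ_CALL_LOG", "CALL_PHONE", "BILLING"}


@dataclass(frozen=True)
class AppListing:
    name: str
    category: str
    permissions: frozenset
    developer: str
    contact_email: Optional[str]
    downloads: int
    rating: float
    description: str


def permission_findings(app: AppListing):
    """Requested permissions that the app's declared purpose does not plausibly justify."""
    sensitive = SENSITIVE_BY_CATEGORY.get(app.category, DEFAULT_SENSITIVE)
    return sorted(app.permissions & sensitive)


def contact_finding(app: AppListing):
    """Missing contact, or a free webmail address where a brand domain is expected."""
    if not app.contact_email or "@" not in app.contact_email:
        return "no developer contact email"
    domain = app.contact_email.rsplit("@", 1)[1].lower()
    if domain in FREE_MAIL_DOMAINS:
        return f"developer contact uses free webmail ({domain})"
    return None


def description_finding(app: AppListing, min_unique_ratio=0.5, min_words=15):
    """Crude coherence check: a very short or highly repetitive description."""
    words = [w.lower() for w in app.description.split()]
    if len(words) < min_words:
        return "description too short to describe the app"
    ratio = len(set(words)) / len(words)
    if ratio < min_unique_ratio:
        return f"description is repetitive (unique-word ratio {ratio:.2f})"
    return None


def triage(app: AppListing):
    """Collect findings; downloads and rating are reported but never count as trust."""
    findings = []
    perms = permission_findings(app)
    if perms:
        findings.append("requests permissions outside declared purpose: " + ", ".join(perms))
    for finding in (contact_finding(app), description_finding(app)):
        if finding:
            findings.append(finding)
    return {
        "name": app.name,
        "findings": findings,
        "verdict": "review" if findings else "pass",
        # Popularity can be forged or simply mean the lure worked, so it is informational only.
        "popularity": f"{app.downloads} downloads, {app.rating:.1f} stars (not a trust signal)",
    }


# Constructed sample listings modelled on the cases discussed in the post.
SALON = AppListing(
    "Salon: Back to School", "game",
    frozenset({"INTERNET", "ACCESS_NETWORK_STATE", "WAKE_LOCK", "VIBRATE", "BILLING",
               "READ_PHONE_STATE", "ACCESS_FINE_LOCATION", "READ_CONTACTS"}),
    "salonfun-dev-placeholder", None, 50000, 4.3,
    "Run your own hair and nail salon, style every customer for the first day of class "
    "and unlock new chairs, tools and outfits as your shop grows.")
DRESS_UP = AppListing(
    "Dress Up School Fashion", "game",
    frozenset({"INTERNET", "ACCESS_NETWORK_STATE"}),
    "dressup-dev-placeholder", "dressup.dev.placeholder@hotmail.com", 30000, 4.1,
    "Pick outfits, shoes and accessories for three characters and share your favourite "
    "looks with friends before the school year starts.")
POPULAR = AppListing(
    "School Back Best", "education", frozenset({"INTERNET"}),
    "best-app-placeholder", "support@example.com", 80000, 4.8,
    "best app best app school back school back best game best game fun fun fun back school best app")
SCHOOL_PLANNER = AppListing(
    "Example Academy Planner", "education",
    frozenset({"INTERNET", "READ_CALENDAR", "WRITE_CALENDAR"}),
    "Example Academy", "support@example-academy.example", 1200, 3.9,
    "Official timetable and homework planner for Example Academy students. View your class "
    "schedule, assignment due dates and school announcements, and sync them to your calendar.")

if __name__ == "__main__":
    for listing in (SALON, DRESS_UP, POPULAR, SCHOOL_PLANNER):
        print(triage(listing))
```

The script flags the salon game for billing, location and contacts access plus a missing contact address, flags the dress-up game only for its webmail contact, flags the highly rated app for its repetitive description, and passes the school planner; in every case the download count and star rating are carried along purely as context, which mirrors the post’s point that popularity is not evidence of safety.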
While Google has acknowledged the issues with Android and has committed to fixing them, users are still exposed to risks—particularly those with older phones, with rooted phones, or who download applications from unofficial stores. The fact that thousands of these apps are live in popular stores like Google Play goes to show that consumers are largely left to their own discretion when determining if an app is safe.
Consumers are not the only ones threatened by malicious mobile apps during the “back to school” season. Brands are also targeted by threat actors who use their logos and branded terms fraudulently to fool people into downloading their apps. Therefore, brands should have a solution that can mitigate the impact and damage. With a proactive, store-first scanning mentality, RiskIQ External Threats’ mobile app monitoring observes and categorizes the threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, detonated, analyzed, and stored, giving our customers crucial insight into how their brand appears in the mobile app ecosystem. RiskIQ also records changes and new versions of apps as they evolve.
Contact us for more about how RiskIQ can help defend your mobile attack surface.