When you get a chance, take a look at the top three news headlines. Whatever major events, developments or cultural phenomena you see there, you can be sure that cyber threat actors are trying to exploit them for political or monetary gain.
So it's no surprise that with Poku00e9mon GO, Zika, and the Olympics firmly in the public conscience, there's a breadth of cyber schemes aimed at leveraging their immense popularity. And one of the most common modus operandi for stealing sensitive data from unsuspecting users? Fraudulent mobile apps. Out of the millions of mobile apps RiskIQ crawls each day—in the major app stores like Google Play, Apple's App Store, and Amazon, as well as third-party app stores and mobile carriers’ markets serving localized content to users around the word—thousands are fraudulent or otherwise malicious.
The Olympics: Getting torched
Cyber threat actors are using the size, complexity, and dynamic nature of the global app store ecosystem to exploit well-known Olympic Games sponsors. In such a complex environment, it’s increasingly difficult for sponsoring organizations to monitor their mobile presence and protect their customers from fraud. Cyber threat actors, realizing this lack of visibility by major sponsors, will create several—if not hundreds—of apps that mimic the original, offering games or other interactive experiences that ask users to provide financial data and other sensitive information.
Users are conditioned to grant app permissions to gain access to the content. Shady developers are happy to take advantage of this social conditioning.
It’s worth noting that even legitimate apps can be compromised, especially if they are not kept up to date. The story is always the same; every major sporting event—from the Super Bowl to the Olympics to the Copa America—leaves a graveyard of event-specific apps in their wake made by sponsors and completely forgotten about by all—except opportunistic cyber threat actors. Eventually, these can be hacked and exploited at the organization’s expense.
Poku00e9mon GO: Gotta hack 'em all
Once published, malicious mobile apps can rapidly proliferate from official stores throughout the app store ecosystem, spreading to new stores and web download locations without the developer's knowledge or consent. The distribution of fraudulent Poku00e9mon apps is broad—of the 2,100 malicious apps in one Poku00e9mon search query inside RiskIQ, 364 of them are from an app store in China, while almost 300 are in Google Play.
These unofficial, third-party apps, such as "Helper for Poku00e9mon GO", in which players can crowdsource the Poku00e9mon they can find in the game at a particular time, were created to leverage the Poku00e9mon brand for nefarious purposes. The ratio of fraudulent Poku00e9mon apps to authentic ones is extraordinarily high: one out of ten Poku00e9mon apps is malicious, and of the 2,100 Poku00e9mon apps we've found, 1,150 can steal information. These actors were so successful that at its peak of popularity, "Poku00e9 Radar" hit #2 on the Apple App Store, behind only Poku00e9mon Go itself.
Zika: Not the only virus you have to worry about
RiskIQ has even found fake mobile apps exploiting the concern over the Zika epidemic in Brazil by offering “safety information” but delivering malware instead. The example below is a malicious app that was in the Android app store. It looks like a helpful way for people traveling to Rio can stay safe and informed, promising to send push notifications with crucial updates. However, it was blacklisted by RiskIQ for serving malware instead.
Below is a similar app within the RiskIQ tool. In gritty detail, it lists the app’s attributes, many of which are clear indicators of its fraudulent nature.
Apple's review process is much more intense than other app stores, though Google began screening apps before they get pushed to Google Play in 2015. Still, it's possible for apps like the one above to slip through the review process—and even top the charts.
There just too many savvy cyber threat actors out there with the tools and know-how to take advantage of people and wreak havoc on their employers, and eventually the organization’s data. For security teams to defend their organizations against growing cyber threats outside the firewall like fraudulent mobile apps, they must discover and monitor their entire attack surface so they can quickly identify, remediate, and investigate any cyber threats that may surface.
But that’s not enough. These attackers use automation to launch sophisticated attacks at very low cost by rotating and reusing undetected infrastructure, so a security team’s visibility is mostly based on what they see on the corporate network. Once they detect a cyber threat locally, the attacker has already moved, and they’re stuck playing catch up. Therefore, security teams must use the internet as a replacement for the corporate network, i.e. calling upon their own advanced analytics and machine learning to wield Internet datasets such as WHOIS and Passive DNS against adversaries to stay one step ahead of them.