
When you get a chance, take a look at the top three news headlines. Whatever major events, developments or cultural phenomena you see there, you can be sure that threat actors are trying to exploit them for political or monetary gain.

So it’s no surprise that with Pokémon GO, Zika, and the Olympics firmly in the public consciousness, there’s a breadth of cyber schemes aimed at leveraging their immense popularity. And one of the most common modus operandi for stealing sensitive data from unsuspecting users? Fraudulent mobile apps. Out of the millions of mobile apps RiskIQ crawls each day—in the major app stores like Google Play, Apple’s App Store, and Amazon, as well as third-party app stores and mobile carriers’ markets serving localized content to users around the world—thousands are fraudulent or otherwise malicious.

The Olympics: Getting torched

Threat actors are using the size, complexity, and dynamic nature of the global app store ecosystem to exploit well-known Olympic Games sponsors. In such a complex environment, it’s increasingly difficult for sponsoring organizations to monitor their mobile presence and protect their customers from fraud. Threat actors, realizing this lack of visibility by major sponsors, will create several—if not hundreds—of apps that mimic the original, offering games or other interactive experiences that ask users to provide financial data and other sensitive information.

Users are conditioned to grant app permissions to gain access to the content. Shady developers are happy to take advantage of this social conditioning.

It’s worth noting that even legitimate apps can be compromised, especially if they are not kept up to date. The story is always the same: every major sporting event—from the Super Bowl to the Olympics to the Copa America—leaves in its wake a graveyard of event-specific apps, built by sponsors and then forgotten by everyone except opportunistic threat actors. Eventually, these can be hacked and exploited at the organization’s expense.

Pokémon GO: Gotta hack ’em all

Once published, malicious mobile apps can rapidly proliferate from official stores throughout the app store ecosystem, spreading to new stores and web download locations without the developer’s knowledge or consent. The distribution of fraudulent Pokémon apps is broad—of the 2,100 malicious apps in one Pokémon search query inside RiskIQ, 364 of them are from an app store in China, while almost 300 are in Google Play.

These unofficial, third-party apps, such as “Helper for Pokémon GO”, in which players can crowdsource the Pokémon they can find in the game at a particular time, were created to leverage the Pokémon brand for nefarious purposes. The ratio of fraudulent Pokémon apps to authentic ones is extraordinarily high: one out of ten Pokémon apps is malicious, and of the 2,100 Pokémon apps we’ve found, 1,150 can steal information. These actors were so successful that at its peak of popularity, “Poké Radar” hit #2 on the Apple App Store, behind only Pokémon Go itself.
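The triage described above (brand-themed apps published by someone other than the brand owner, counted per store and checked for data-stealing permissions) can be done mechanically over a crawl of store listings. The following is an added example written for this post, not RiskIQ's own code; the listings, the developer allowlist, the permission names and the store names are all constructed for illustration.

```python
"""Flag app-store listings that trade on a brand name but are not published by
the brand owner, then tally the hits per store and count how many of them
request permissions a game helper has no business asking for.

Added example, not RiskIQ's code. The brand patterns, the official-developer
allowlist and the sample listings are constructed.
"""
import re
import unicodedata
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Listing:
    store: str                  # store the listing was crawled from
    title: str
    developer: str
    permissions: FrozenSet[str]  # permissions the app requests

# Brand -> (title patterns after normalization, developers allowed to use it).
# Constructed allowlist; a real one would be maintained by the brand owner.
BRANDS = {
    "pokemon": ([r"\bpokemon\b", r"\bpoke\b"], {"Niantic, Inc."}),
}

# Permissions that a brand-themed helper app has no plausible reason to request.
SENSITIVE_PERMISSIONS = {"READ_SMS", "SEND_SMS", "READ_CONTACTS", "READ_CALL_LOG"}

def normalize(text: str) -> str:
    """Lower-case, strip accents and punctuation so 'Pokémon GO' == 'pokemon go'."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).strip()

def matched_brand(title: str) -> Optional[str]:
    """Return the brand a title trades on, or None if it mentions no known brand."""
    t = normalize(title)
    for brand, (patterns, _official) in BRANDS.items():
        if any(re.search(p, t) for p in patterns):
            return brand
    return None

def is_impersonation(listing: Listing) -> bool:
    """A listing impersonates a brand when it uses the name but the developer is not allowlisted."""
    brand = matched_brand(listing.title)
    if brand is None:
        return False
    return listing.developer not in BRANDS[brand][1]

def is_data_stealing(listing: Listing) -> bool:
    return bool(listing.permissions & SENSITIVE_PERMISSIONS)

def triage(listings: List[Listing]) -> Tuple[List[Listing], Counter, int]:
    """Return (impersonating listings, hits per store, how many request sensitive permissions)."""
    flagged = [l for l in listings if is_impersonation(l)]
    per_store = Counter(l.store for l in flagged)
    stealing = sum(1 for l in flagged if is_data_stealing(l))
    return flagged, per_store, stealing

# Constructed sample crawl. Developer names and store names are made up.
SAMPLE_LISTINGS = [
    Listing("Google Play", "Pokémon GO", "Niantic, Inc.", frozenset({"ACCESS_FINE_LOCATION", "CAMERA"})),
    Listing("Google Play", "Helper for Pokémon GO", "poke-tools-dev", frozenset({"READ_SMS", "ACCESS_FINE_LOCATION"})),
    Listing("Apple App Store", "Poké Radar", "radar-apps", frozenset({"ACCESS_FINE_LOCATION"})),
    Listing("Third-party store (CN)", "Pokemon GO 精灵宝可梦", "unknown", frozenset({"READ_CONTACTS", "SEND_SMS"})),
    Listing("Google Play", "Texas Poker", "cards-inc", frozenset()),          # 'poker' must not match 'poke'
    Listing("Amazon", "Weather Now", "wx-co", frozenset({"READ_SMS"})),        # no brand, out of scope here
]

if __name__ == "__main__":
    flagged, per_store, stealing = triage(SAMPLE_LISTINGS)
    for l in flagged:
        print(f"{l.store:24} {l.title!r:28} dev={l.developer!r} sensitive={is_data_stealing(l)}")
    print("per store:", dict(per_store), "| requesting sensitive permissions:", stealing)
```

The word-boundary patterns keep "Texas Poker" out of the results; the allowlist, not the title, decides what is official, which is why the genuine Pokémon GO listing passes. Sensitive-permission counting is a second, independent signal: a brand impersonator that only asks for location is still fraud, just not the information-stealing kind the post counts separately.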

Zika: Not the only virus you have to worry about

RiskIQ has even found fake mobile apps exploiting the concern over the Zika epidemic in Brazil by offering “safety information” but delivering malware instead. The example below is a malicious app that was in the Android app store. It looks like a helpful way for people traveling to Rio to stay safe and informed, promising to send push notifications with crucial updates. However, it was blacklisted by RiskIQ for serving malware instead.


Fig-1 Just one of the many fraudulent apps in mainstream app stores.

Below is a similar app within the RiskIQ tool. In gritty detail, it lists the app’s attributes, many of which are clear indicators of its fraudulent nature.


Fig-2 Another Example of a Zika-related fraudulent app.

Apple’s review process is much more intense than other app stores, though Google began screening apps before they get pushed to Google Play in 2015. Still, it’s possible for apps like the one above to slip through the review process—and even top the charts.

Protect yourself

There are just too many savvy threat actors out there with the tools and know-how to take advantage of people and wreak havoc on their employers and, eventually, on the organization’s data. For security teams to defend their organizations against growing threats outside the firewall like fraudulent mobile apps, they must discover and monitor their entire attack surface so they can quickly identify, remediate, and investigate any threats that may surface.

But that’s not enough. These attackers use automation to launch sophisticated attacks at very low cost, rotating and reusing infrastructure that has not yet been detected, while a security team’s visibility is mostly limited to what it sees on the corporate network. By the time a threat is detected locally, the attacker has already moved on, and the team is stuck playing catch-up. Therefore, security teams must treat the internet itself as the network they defend, i.e. apply their own advanced analytics and machine learning to internet datasets such as WHOIS and Passive DNS against adversaries to stay one step ahead of them.
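The paragraph above makes the case for pivoting on reused infrastructure with WHOIS and Passive DNS. As an added example (not RiskIQ's code or product logic), the following walks from one blacklisted app-download domain to the other domains the same operator appears to reuse, going through shared IPs and shared registrant e-mail addresses. The passive DNS resolutions, WHOIS records, domain names, IP addresses and the privacy-proxy list are all constructed; in practice they would come from a passive DNS and WHOIS provider.

```python
"""Infrastructure pivot over passive DNS and WHOIS, starting from one known-bad domain.

Added example, not RiskIQ's code. All records below are constructed, using
documentation ranges (203.0.113.0/24, 192.0.2.0/24, 198.51.100.0/24) and
.example names so nothing here points at real infrastructure.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed passive DNS: (domain, resolved IP, first seen). Real pDNS adds last-seen and counts.
PASSIVE_DNS: List[Tuple[str, str, str]] = [
    ("zika-alerts-app.example",      "203.0.113.10", "2016-07-01"),
    ("pokemon-go-helper.example",    "203.0.113.10", "2016-07-12"),
    ("pokemon-go-helper.example",    "203.0.113.11", "2016-07-20"),
    ("rio2016-tickets.example",      "203.0.113.11", "2016-07-25"),
    ("olympic-sponsor-deals.example","203.0.113.12", "2016-07-28"),
    ("news-site.example",            "198.51.100.5", "2016-06-01"),
    # The helper app also sat on a busy shared host for a while (constructed noise):
    ("pokemon-go-helper.example",    "192.0.2.50",   "2016-07-05"),
] + [(f"shared-{i}.example", "192.0.2.50", "2016-01-01") for i in range(6)]

# Constructed WHOIS records, reduced to the one field used for the pivot.
WHOIS: Dict[str, Dict[str, str]] = {
    "zika-alerts-app.example":       {"registrant_email": "reg1@mail.example"},
    "pokemon-go-helper.example":     {"registrant_email": "reg1@mail.example"},
    "olympic-sponsor-deals.example": {"registrant_email": "reg1@mail.example"},
    "rio2016-tickets.example":       {"registrant_email": "priv@privacy.example"},
    "news-site.example":             {"registrant_email": "editor@news-site.example"},
}

# Registrant addresses that belong to privacy proxies: thousands of unrelated
# domains share them, so they are useless as a pivot. Constructed list.
PRIVACY_PROXIES = {"priv@privacy.example"}

# An IP hosting more domains than this is treated as shared hosting / CDN and
# not pivoted through; otherwise the result fills with unrelated tenants.
MAX_DOMAINS_PER_IP = 5

def build_indexes(pdns, whois):
    """Invert the raw records into the three lookups the walk needs."""
    ip_to_domains = defaultdict(set)
    domain_to_ips = defaultdict(set)
    for domain, ip, _first_seen in pdns:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    email_to_domains = defaultdict(set)
    for domain, rec in whois.items():
        email_to_domains[rec["registrant_email"]].add(domain)
    return ip_to_domains, domain_to_ips, email_to_domains

def pivot(seed: str, pdns=PASSIVE_DNS, whois=WHOIS) -> Dict[str, str]:
    """Breadth-first walk from `seed`; returns {related domain: why it was linked}."""
    ip_to_domains, domain_to_ips, email_to_domains = build_indexes(pdns, whois)
    seen = {seed}
    reasons: Dict[str, str] = {}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        # Pivot 1: domains that resolved to the same IP, unless the IP is a crowd.
        for ip in sorted(domain_to_ips.get(cur, ())):
            cohosted = ip_to_domains[ip]
            if len(cohosted) > MAX_DOMAINS_PER_IP:
                continue
            for d in sorted(cohosted):
                if d not in seen:
                    seen.add(d)
                    reasons[d] = f"shares IP {ip} with {cur}"
                    queue.append(d)
        # Pivot 2: domains registered with the same e-mail, unless it is a privacy proxy.
        email = whois.get(cur, {}).get("registrant_email")
        if email and email not in PRIVACY_PROXIES:
            for d in sorted(email_to_domains[email]):
                if d not in seen:
                    seen.add(d)
                    reasons[d] = f"same registrant {email} as {cur}"
                    queue.append(d)
    return reasons

if __name__ == "__main__":
    for domain, why in pivot("zika-alerts-app.example").items():
        print(f"{domain:32} <- {why}")
```

Starting from the blacklisted Zika app domain, the walk reaches the Pokémon helper domain (same IP and same registrant), an Olympic-themed domain (registrant only) and a ticketing domain (reached through a second IP the helper moved to). The busy shared host and the privacy-proxy address are both refused as pivots, which is the part that keeps a result set like this small enough to act on; the thresholds are starting points to tune against your own provider's data, not fixed truths.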
