In our Q1 2018 Mobile Threat Landscape Report, which analyzed 120 mobile app stores and more than two billion daily scanned resources, RiskIQ researchers found that malicious mobile apps continued to decline, despite the total number of apps we observed once again increasing.
In fact, the number of apps newly observed by RiskIQ has increased by hundreds of thousands over the past year, but in Q1 only 21,948, or 1.4%, of the 1,508,825 newly observed apps matched our blacklist, a lower percentage than in any of the previous four quarters. Even the number of blacklisted feral apps (apps hosted outside any app store, and so inherently untrustworthy) declined for the fourth straight quarter, despite still representing a significant portion of all blacklisted apps: RiskIQ blacklisted 46 percent of the feral apps it observed in Q1.
Meanwhile, the Google Play Store hosted 8,287 blacklisted apps over the same period, which is consistent with previous quarters and outpaces the next most blacklisted store, AndroidAPKDescargar, by 4,595. Although the Play Store consistently had a high count of blacklisted apps between Q3 2017 and Q1 2018, its blacklist rate as a share of the apps it hosts has hovered around a relatively modest five percent.
While blacklisted apps still leave the mobile app ecosystem looking like the Wild West, they often leave behind clues to their shadiness that help consumers and threat researchers alike identify them. Mainly, the research found, these clues take the form of apps requesting the same handful of dubious permissions. Eighty-six percent of the apps blacklisted in Q1 claimed the READ_SMS permission, which lets the app read text messages and can be abused for any number of nefarious purposes, including intercepting SMS one-time codes to circumvent two-factor authentication. Most of the apps that can read messages can also track location, read and write the call log, draw alert windows over other apps, change system settings, and make other dubious requests.
Fig-1 Blacklisted apps by quarter
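The permission cluster described above is easy to check mechanically. What follows is an added example, not code from RiskIQ or from the report: it parses the <uses-permission> entries of an AndroidManifest.xml (the two manifests embedded below are constructed samples, not real apps), flags READ_SMS together with the companion permissions the report describes, and lists any permission beyond what an app of a given stated purpose should need. Only READ_SMS is named by its Android constant in the text; the mapping of the other capabilities onto Android permission names, the scoring threshold, and the "flashlight" expected-permission set are illustrative assumptions.

```python
"""Permission triage for Android apps: an added example, not code from RiskIQ.

Reads the <uses-permission> entries of an AndroidManifest.xml and flags the
cluster the Q1 2018 report associates with blacklisted apps: READ_SMS together
with location, call-log, overlay-window and settings access. It also lists any
permission beyond what an app's stated purpose requires.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# READ_SMS is the constant the report names; the companions map its prose
# ("track location", "read and write to the call log", "generate alert
# windows", "change settings") onto Android permission names (assumption).
READ_SMS = "android.permission.READ_SMS"
COMPANIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.ACCESS_COARSE_LOCATION": "track location",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.WRITE_CALL_LOG": "write the call log",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw windows over other apps",
    "android.permission.WRITE_SETTINGS": "change system settings",
}

# Illustrative expectation (assumed, not from the report): a flashlight app
# needs the camera permission to drive the LED and nothing else.
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def excess_permissions(declared: set, expected: set) -> set:
    """Permissions the app declares beyond its stated functionality."""
    return declared - expected


def triage(manifest_xml: str) -> dict:
    """Score the READ_SMS + companion cluster; the threshold is illustrative."""
    declared = declared_permissions(manifest_xml)
    reads_sms = READ_SMS in declared
    companions = sorted(p for p in declared if p in COMPANIONS)
    # READ_SMS alone is the strongest single signal in the report (86% of
    # blacklisted apps), so it carries most of the weight.
    score = (5 if reads_sms else 0) + len(companions)
    return {
        "reads_sms": reads_sms,
        "companions": companions,
        "capabilities": [COMPANIONS[p] for p in companions],
        "score": score,
        "verdict": "review" if score >= 5 else "low",
    }


# Constructed sample manifests (not real apps).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeflashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application android:label="Free Flashlight"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainflashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Plain Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        extra = excess_permissions(declared_permissions(manifest), FLASHLIGHT_EXPECTED)
        print(label, result["verdict"], result["score"], result["capabilities"], sorted(extra))
```

Against a real APK you would feed the decoded manifest (for example the output of apktool or aapt) into `triage` and keep the expected-permission set per app category; the point of the second check is the one the report makes, that a flashlight or wallpaper app has no business reading SMS or the call log.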
Despite the overall lower number of blacklisted apps, the findings showed several new threats about which consumers should be wary. The report highlights how malicious apps leveraged by nation-state actors are becoming more prominent, and how threat actors are taking advantage of the popularity and volatility of the cryptocurrency landscape via the mobile attack vector.
For instance, in March an app called Calendar 2, distributed through the Apple App Store, began mining the Monero cryptocurrency on users' devices. Although the app disclosed the mining and let users pay a fee instead, or use the app with all advanced features disabled, the developers made mining the default, so users had to opt out rather than opt in. The app described mining as "free" for the user, which is misleading given the significant energy and computing costs that mining imposes on the device. Ultimately, bugs that kept the app mining even after users had opted out, and that drove CPU usage to excessive levels, led the developer to pull the app from the store after a short period.
Also in Q1, RiskIQ issued an alert warning of blacklisted apps masquerading as or associating themselves with Bitcoin exchanges, Bitcoin wallets, or just “cryptocurrency” in general. These are indicative of the rise of digital currencies and their attractiveness as an income stream for both crooks and legitimate businesses.
Users should be discerning and skeptical about anything they download, and should pair that caution with passive protection such as anti-malware software and regular backups. Watch out for malicious apps mimicking popular, highly downloaded apps; lookalike apps are a persistent problem. The tactic works because our brains recognize and judge visual stimuli instantaneously: when you see an app with the same logo as that popular encrypted messenger, it is easy to choose it without noticing that its name carries a trailing period that should not be there. Check an app's permissions too, and make sure it does not ask for access beyond its stated functionality. Anti-malware products provide some protection against malicious code, although they cannot substitute for preventative measures such as checking permissions. And if you find you have installed an app that spams you with links or tries to force downloads, or that turns out to be a lookalike or disappears after installation or a single use, having regular, recent backups lets you wipe the phone and restore it to a known-good state.
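The trailing-period trick above is one instance of a general pattern: a listing whose title collapses onto a popular app's title once cosmetic differences are removed. The following is an added example, not code from RiskIQ: it canonicalizes a store listing's title (Unicode NFKC normalization, zero-width characters dropped, common Cyrillic homoglyphs folded to Latin, case folded, trailing punctuation stripped) and compares it with a watchlist of popular titles, treating an exact match under the wrong developer as a lookalike and a one-character difference as a near-lookalike. The watchlist, the developer ids, the sample listings and the edit-distance threshold are all constructed for illustration.

```python
"""Lookalike app-title detection: an added example, not code from RiskIQ.

Canonicalizes a store listing's title and compares it with a watchlist of
popular titles so that clones differing only by trailing punctuation, a
homoglyph or a single character are flagged. Watchlist, developer ids and
threshold are constructed for illustration.
"""
import unicodedata

# Constructed watchlist: title -> developer id the genuine listing should carry.
WATCHLIST = {
    "Signal Private Messenger": "dev.signal.foundation",
    "WhatsApp Messenger": "dev.whatsapp",
    "Telegram": "dev.telegram",
}

# Cyrillic letters that render like Latin a e o p c x y i.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})
ZERO_WIDTH = {ord(c): None for c in "\u200b\u200c\u200d\u2060\ufeff"}
TRAILING_JUNK = " .,;:!-_"


def canonical(title: str) -> str:
    """Normalize a title so near-identical imposters collapse onto the original."""
    s = unicodedata.normalize("NFKC", title)
    s = s.translate(ZERO_WIDTH).translate(CONFUSABLES)
    s = s.casefold().strip(TRAILING_JUNK)   # drops the trailing '.' trick
    return " ".join(s.split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(title: str, developer: str, watchlist=WATCHLIST, max_edits=1):
    """Return (verdict, matched_title, distance).

    genuine         exact title from the expected developer
    lookalike       identical after canonicalization (trailing '.', homoglyphs,
                    or the right name under the wrong developer)
    near-lookalike  within max_edits of a watched title (threshold is assumed)
    """
    canon = canonical(title)
    for known_title, known_dev in watchlist.items():
        if title == known_title and developer == known_dev:
            return ("genuine", known_title, 0)
        known_canon = canonical(known_title)
        if canon == known_canon:
            return ("lookalike", known_title, 0)
        distance = edit_distance(canon, known_canon)
        if distance <= max_edits:
            return ("near-lookalike", known_title, distance)
    return ("no-match", None, None)


if __name__ == "__main__":
    # Constructed listings: the genuine app, a trailing-period clone, a Cyrillic
    # homoglyph clone, a one-character substitution, and an unrelated product.
    listings = [
        ("Signal Private Messenger", "dev.signal.foundation"),
        ("Signal Private Messenger.", "dev.freeapps2018"),
        ("Wh\u0430tsApp Messenger", "dev.freeapps2018"),
        ("Te1egram", "dev.freeapps2018"),
        ("Telegram X", "dev.telegram"),
    ]
    for title, dev in listings:
        print(repr(title), dev, classify(title, dev))
```

The one-edit threshold is deliberately tight: "Telegram X" sits two edits from "Telegram" and is left alone, while "Te1egram" is flagged. Title matching is only one signal; in practice it is combined with the developer identity, the icon hash and the permission profile of the listing.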
For specific metrics or to learn more, download the RiskIQ Mobile Threat Landscape Q1 2018 Report here.