In our Q1 2018 Mobile Threat Landscape Report, which analyzed 120 mobile app stores and more than two billion daily scanned resources, RiskIQ researchers found that malicious mobile apps continued to decline, despite the total number of apps we observed once again increasing.
In fact, apps newly observed by RiskIQ have increased by hundreds of thousands over the past year, but in Q1, only 21,948, or 1.4%, of the total of 1,508,825 newly observed apps matched against our blacklist—a lower percentage than in the previous four quarters. Even the number of blacklisted feral apps, known to be inherently untrustworthy, declined for the fourth straight quarter despite still representing a significant portion of all blacklisted apps—RiskIQ blacklisted 46 percent of feral apps we observed in Q1.
Meanwhile, Google hosted 8,287 blacklisted apps over that period, which is consistent with previous quarters and outpaces the next most blacklisted store, AndroidAPKDescargar, by 4,595. Although the Play Store consistently had high numbers of blacklisted apps between Q3 2017 and Q1 2018, its rate of blacklisted apps has hovered around a relatively modest five percent.
While blacklisted apps are still leaving the mobile app ecosystem looking like the Wild West, they often leave behind clues hinting at their shadiness, which can help consumers and threat researchers alike identify them. Mainly, the research found, these clues are in the form of apps requesting the same handful of dubious permissions. Eighty-six percent of apps blacklisted in Q1 claimed the READ_SMS permission, which allows the app to read messages and can be used for any number of nefarious purposes, including circumventing two-factor authentication. Most of the apps that can read messages can also track location, read and write to the call log, generate alert windows, change settings, and make other dubious requests.
Fig-1 Blacklisted apps by quarter
Despite the overall lower number of blacklisted apps, the findings showed several new threats about which consumers should be wary. The report highlights how malicious apps leveraged by nation-state actors are becoming more prominent, and how threat actors are taking advantage of the popularity and volatility of the cryptocurrency landscape via the mobile attack vector.
For instance, in March, an app called Calendar 2, which appeared in the Apple App Store, began mining Monero digital currency on user devices. Although the app disclosed this activity and offered the option for users to pay fees instead — or use the app with all advanced features disabled — the app developers set mining as the default option, which meant users would have to opt out rather than opt in. The app described mining as “free” for the user, which is misleading because of the significant energy and computing costs associated with mining activity. Ultimately, bugs that caused the app to continue mining despite users opting out, and to use excessive CPU, led the developer to pull the app from the store after a short period.
Also in Q1, RiskIQ issued an alert warning of blacklisted apps masquerading as or associating themselves with Bitcoin exchanges, Bitcoin wallets, or just “cryptocurrency” in general. These are indicative of the rise of digital currencies and their attractiveness as an income stream for both crooks and legitimate businesses.
Users should be discerning and skeptical when downloading anything and have passive protection such as antivirus software along with regular backups. Watch out for malicious apps mimicking popular, highly downloaded apps. There is a persistent problem of lookalike apps. This tactic is effective because our brains recognize and make instantaneous judgments about visual stimuli. So, when you see an app with the same logo as that popular encrypted messenger, it is easy to choose it without noticing that the name has a trailing period that should not be there. You should also check an app’s permissions to make sure it does not have access beyond its stated functionality. Although they cannot make up for preventative measures such as checking permissions, anti-malware products provide some protection from malicious code. If you find you have installed an app that spams you with links or tries to force downloads—or it turns out to be a lookalike or disappears after installation or one use—having regular, recent backups lets you wipe the phone and restore it to a safe state.
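The permission check described above, and the cluster of permissions the report associates with blacklisted apps, can be automated over a decoded manifest. This is an added example, not RiskIQ's code: the function names, the `expected` baseline, the three-group review threshold, and the sample manifest are assumptions made for illustration, and the input is assumed to be a plain-text AndroidManifest.xml already decoded from the APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capabilities the article lists as common among blacklisted apps.
FLAGGED = {
    "read SMS": {P + "READ_SMS"},
    "track location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "read/write call log": {P + "READ_CALL_LOG", P + "WRITE_CALL_LOG"},
    "alert windows": {P + "SYSTEM_ALERT_WINDOW"},
    "change settings": {P + "WRITE_SETTINGS"},
}

def requested_permissions(manifest_xml):
    """Collect permission names from a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def triage(manifest_xml, expected=frozenset(), min_groups=3):
    """Flag listed capabilities; `expected` is what the stated function justifies."""
    perms = requested_permissions(manifest_xml)
    hits = {label: perms & group for label, group in FLAGGED.items() if perms & group}
    unexpected = sorted(p for group in hits.values() for p in group if p not in expected)
    return {
        "flagged_groups": sorted(hits),
        "unexpected": unexpected,
        # Assumed review threshold: SMS access plus at least two other listed capabilities.
        "review": "read SMS" in hits and len(hits) >= min_groups,
    }

# Constructed sample: a "flashlight" app whose stated function only justifies CAMERA.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, expected={P + "CAMERA"}))
```

The `expected` set is where a reviewer encodes what the app's stated functionality justifies, so an SMS client that legitimately reads messages is not flagged for it.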
For specific metrics or to learn more, download the RiskIQ Mobile Threat Landscape Q1 2018 Report here.