In our Q1 2018 Mobile Threat Landscape Report, which analyzed 120 mobile app stores and more than two billion daily scanned resources, RiskIQ researchers found that malicious mobile apps continued to decline, despite the total number of apps we observed once again increasing.
In fact, apps newly observed by RiskIQ have increased by hundreds of thousands over the past year, but in Q1, only 21,948, or 1.4%, of the total of 1,508,825 newly observed apps matched against our blacklist—a lower percentage than in the previous four quarters. Even the numbers of blacklisted feral apps, known to be inherently untrustworthy, declined for the fourth-straight quarter despite still representing a significant portion of all blacklisted apps—RiskIQ blacklisted 46 percent of feral apps we observed in Q1.
Meanwhile, Google hosted 8,287 blacklisted apps over that period, which is consistent with previous quarters and outpaces the next most blacklisted store, AndroidAPKDescargar, by 4,595. Although the Play Store consistently had high numbers of blacklisted apps between Q3 2017 and Q1 2018, its rate of blacklisted apps has hovered around a relatively modest five percent.
While blacklisted apps are still leaving the mobile app ecosystem looking like the Wild West, they often leave behind clues hinting at their shadiness which can help consumers and threat researchers alike identify them. Mainly, the research found, these clues are in the form of apps requesting the same handful of dubious permissions. Eighty-six percent of apps blacklisted in Q1 claimed the READ_SMS permission, which allows the app to read messages and can be used for any number of nefarious purposes, including circumventing two-factor authentication. Most of the apps that can read messages can also track location, read and write to the call log, generate alert windows, change settings and other dubious requests.
Fig-1 Blacklisted apps by quarter
Despite the overall lower number of blacklisted apps, the findings showed several new threats about which consumers should be wary. The report highlights how malicious apps leveraged by nation-state actors are becoming more prominent, and how threat actors are taking advantage of the popularity and volatility of the cryptocurrency landscape via the mobile attack vector.
For instance, in March, an app called Calendar 2, which appeared in the Apple App Store, began mining Monero digital currency on user devices. Although the app disclosed this activity and offered the option for users to pay fees instead — or use the app with all advanced features disabled — the app developers set mining as the default option, which meant users would have to opt-out rather than opt-in. The app described mining as "free" for the user, which is misleading because of the significant energy and computing costs associated with mining activity. Ultimately, bugs that caused the app to continue mining, despite users opting out and used excessive CPU usage, caused the developer to pull the app from the store after a short period.
Also in Q1, RiskIQ issued an alert warning of blacklisted apps masquerading as or associating themselves with Bitcoin exchanges, Bitcoin wallets, or just “cryptocurrency” in general. These are indicative of the rise of digital currencies and their attractiveness as an income stream for both crooks and legitimate businesses.
Users should be discerning and skeptical when downloading anything and have passive protection such as antivirus software along with regular backups. Watch out for malicious apps mimicking popular, highly downloaded apps. There is a persistent problem of lookalike apps. This tactic is effective because our brains recognize and make instantaneous judgments about visual stimuli. So, when you see an app with the same logo as that popular encrypted messenger, it is easy to choose it without noticing that the name has a trailing period that should not be there. You should also check an app’s permissions to make sure it does not have access beyond its stated functionality. Although they cannot make up for preventative measures such as checking permissions, anti-malware products provide some protection from malicious code. If you find you have installed an app that spams you with links or tries to force downloads—or it turns out to be a lookalike or disappears after installation or one use—having regular, recent backups lets you wipe the phone and restore it to a safe state.
For specific metrics or to learn more, download the RiskIQ Mobile Threat Landscape Q1 2018 Report here.