The size, complexity, and dynamic nature of the global app store ecosystem make it increasingly difficult for brands to monitor their mobile presence and protect their customers from malware and fraud. Like most things mobile, the mobile threat footprint in the third quarter of 2017 continued to grow. It showed an increase in blacklisted apps over Q2 and featured familiar threats such as brand imitation and Trojan apps in official app stores, but also introduced an entirely new one in the massive WireX botnet.
Analyzing 120 mobile app stores and more than two billion daily scanned resources, RiskIQ’s Q3 mobile threat landscape report examines these trends, including the app stores hosting the most blacklisted mobile apps and the most prolific developers of those apps.
Highlights of the report include:
Despite the Google Play Store's percentage of malicious apps falling to a low of four percent in Q3 after reaching a high of eight percent in Q2, the analysis confirmed that the Play store and feral apps (apps available for download outside of a store on the web) were the most abundant sources of malicious apps. However, secondary stores, which are often stood up and flooded with suspect apps as part of threat campaigns, continue to be the riskiest place to download apps with the highest percentage of blacklisted apps in their inventory. For example, secondary store 'AndroidAPKDescargar' had comparable numbers of blacklisted apps feral apps, and 97 percent of 9game.com’s 6,052 apps were flagged as suspect.
Playing the Imitation Game
One way malicious apps spread is through imitating others that are well known and popular. The report found that antivirus, dating, messaging, and social networking apps are favorite targets. Querying RiskIQ data for apps in the Play store since the start of Q3 containing the word “WhatsApp,” excluding any from the official WhatsApp developer, returned 497 entries. The same query for Instagram returned 566 entries. Other well-known brands are popular targets as well.
WireX Mobile Botnet Emerges
Coinciding with the increase in dangerous/imitation apps, Q3 also saw the emergence of a massive mobile botnet attack, known as WireX. In August, RiskIQ, Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, Team Cymru, and others collaborated to take down the new threat, affecting the devices of at least 70,000 Android users globally. After a short development stage, the botnet struck several content delivery networks (CDNs) with between 130,000 and 160,000 unique IPs observed from 100+ countries.
Around 300 apps tied to WireX were identified in total, a subset of which was found in official app stores, such as the Play store. Google moved to block these apps and to remove them from all Android devices. These apps masquerade as media and video players, ringtones, and storage managers. Once installed, they activate hidden functionality to communicate with command and control servers and launch attacks, whether the app is in use or not.
RiskIQ for Mobile
RiskIQ looks for mobile apps in the wild. With a proactive, store-first scanning mentality, we observe and categorize the threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, analyzed, and stored. RiskIQ also records changes and new versions of apps as they evolve.
RiskIQ automatically runs all mobile applications encountered through a variety of blacklists, including VirusTotal. We differ from other monitoring systems that rely on end users employing their virus scanning tools and/or manual sample submissions. RiskIQ Mobile Threats provides discovery across all major app stores as well as more than 150 less popular stores, including focused coverage of high-risk stores and regions for brand impersonation, malware, and fraud. In addition to comprehensive coverage of third-party app stores worldwide, RiskIQ incorporates a unique source of “feral app” binaries, or mobile apps collected outside of dedicated mobile app stores, via drive-by download for example.