With a proactive, store-first scanning mentality, RiskIQ observes and categorizes the cyber threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, analyzed, and stored. RiskIQ also records changes and new versions of apps as they evolve. Analyzing 120 mobile app stores and more than two billion daily scanned resources, RiskIQ’s Q4 mobile cyber threat landscape report examines new trends, including the app stores hosting the most blacklisted mobile apps and the most prolific developers of those apps.
The fourth quarter of 2017 showed a 37 percent decrease in blacklisted apps over Q3 but featured a host of familiar cyber threats such as brand imitation, phishing, and malware—as well as new ones such as a bankbot network preying on cryptocurrency customers. Blacklisted apps observed overall dropped from Q3 to Q4, with 60,904 seen in Q3 and only 38,425 seen in Q4, which is in large part due to AndroidAPKDescargar’s massive influx of blacklisted apps in Q3 (20,907). With only 7,419 new blacklisted apps seen in Q4, the result is a precipitous drop in apps, showing the profound effect one app store can have on the entire mobile cyber threat landscape.
The Google Play store led the way with the most blacklisted apps in Q4, with 9,375 matching against at least one blacklist such as VirusTotal, which, per its website, inspects files or web pages with over 70 antivirus products and other tools. A blacklist hit from VirusTotal shows that at least one vendor has flagged the file as suspicious or malicious. Only six percent of the total apps in the Google Play are blacklisted, which is a two percent increase from last quarter.
Playing the Imitation Game
One of the tried and true methods for cyber threat actors to ensnare victims is disguising the malicious apps as something they are not. In Q3, we covered how antivirus, dating, messaging, and social networking apps are favorite targets for this game. In November, RiskIQ researchers found a mobile app that was trying to pass itself off as a cryptocurrency market price app. This app was found to be part of the bankbot family of mobile Trojans and would monitor the device that installed it for a list of target apps.
If such an app were launched while the trojan was installed, the Trojan would put an overlay over the legitimate app and collect sensitive information, such as login credentials from the banking customer. RiskIQ researchers were able to find the IP address for the command and control (C2) server as well as a list of the monitored apps from the sample of the malicious app that was analyzed.
Mobile Cyber Threat Actors are “Well Connected”
In October, RiskIQ researchers were able to take malware hashes associated with the Red Alert 2 Android trojan and find samples that contained data that was used to uncover infrastructure used by the malware. Pivoting off of a host found in the APK, researchers discovered an IP address and registrant address, both of which lead to further infrastructure. Two additional domains were found to be hosting more malicious apps claiming to be Adobe Flash Player updates. The ability to pivot around in multiple datasets provided by RiskIQ is invaluable for uncovering more potential cyber threats.
RiskIQ for Mobile
RiskIQ looks for mobile apps in the wild. With a proactive, store-first scanning mentality, we observe and categorize the cyber threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, analyzed, and stored. RiskIQ also records changes and new versions of apps as they evolve.
RiskIQ automatically runs all mobile applications encountered through a variety of blacklists, including VirusTotal. We differ from other monitoring systems that rely on end users employing their virus scanning tools and/or manual sample submissions. RiskIQ Mobile Cyber Threats provides discovery across all major app stores as well as more than 150 less popular stores, including focused coverage of high-risk stores and regions for brand impersonation, malware, and fraud. In addition to comprehensive coverage of third-party app stores worldwide, RiskIQ incorporates a unique source of “feral app” binaries, or mobile apps collected outside of dedicated mobile app stores, via drive-by download for example. To read more about how RiskIQ can help with your mobile cyber security, click here.