RiskIQ Research: How the Global App Store Ecosystem is Changing

The Q2 Mobile Threat Landscape: Blacklisted Apps Down, Secondary Stores Up, Marcher Marches On

September 14, 2017, Mike Browning

The size, complexity, and dynamic nature of the global app store ecosystem make it harder than ever for brands to monitor their mobile presence and protect their customers from malware and fraud.

For our Q2 Mobile Threat Landscape Report, RiskIQ applied our crawling platform, which monitors over 120 mobile app stores around the world, as well as our daily scans of nearly 2 billion resources to observe the continued growth of the mobile threat footprint in the wild. Our research not only showed a pivot in tactics used by mobile threat actors to target users; it also showed a continued failure by app stores to provide the necessary protections against malicious and fraudulent apps.

Secondary Stores are the New Breeding Ground for Bad Apps

RiskIQ added two new stores—one hybrid and one secondary—to its monitoring during Q2 2017, resulting in almost 90,000 newly observed apps. We found that the total number of blacklisted apps dropped in Q2, likely a result of better awareness by consumers and providers. However, we saw a steady upward trend of secondary stores being the main source of blacklisted apps compared to official or affiliate stores. In fact, a secondary store (AndroidAPKDescargar) led the way for blacklisted apps for the second-straight quarter, offering 9,285 dangerous or fraudulent apps. We are likely to see this trend continue as more and more secondary stores come online.

The increasing size and complexity of the global app store ecosystem make it difficult for brands to monitor their presence and protect customers.

Fig- RiskIQ data shows secondary app stores on the rise

Meanwhile, feral apps, which are packages directly downloaded from the internet and not found in stores, came in a close third on this list behind Google Play. There were 13% fewer feral apps than last quarter in which they ranked second for blacklisted apps, but their continued prevalence shows consumers are still not fully aware of the risks and dangers of mobile packages that don’t come from a store.

Leading Threats

The emerging threats in Q2 remained similar to what we’ve seen in the past, with Trojans dominating the malicious app market followed closely by adware. Banking Trojans continued to grow and evolve in Q2 with researchers noticing new trends in obfuscation and encryption within the apps themselves. Cybercriminals have also found ways to bypass protections put in place by Google on newer versions of Android such as two-factor authentication, by intercepting SMS messages. The increased usage of encryption and obfuscation has not only made these apps harder to detect for antivirus vendors, but also made it much harder for researchers to identify and expose the financial institutions being targeted by the Trojan itself.  

As always, these criminals are in an arms race with malware researchers to keep expanding and growing their victim base, and that is expected to continue through Q3 with an increased presence of the Marcher Trojan variant, which targets legitimate banking apps to harvest banking credentials from users’ smartphones. This trojan is typically disguised as legitimate software purporting to be an update to a popular app or an “unlocked” version of a paid app. Financial institutions should advise and attempt to notify their customers of the potential danger involved in these malicious apps

How to Protect Yourself

When it comes to mobile, users are engaging in plenty of risky behavior, making the job for threat actors easier than it should be. While brands should employ a solution that identifies instances of their branding being used fraudulently across the mobile app ecosystem, consumers should take a few simple precautions before downloading an app:

  1. Beware of too many permission requests

Users should make sure the things an app is requesting the capability to do matches up with what they expect it to do—malicious apps are much more likely to ask for vast swathes of extra permissions, well beyond what their core function would suggest they need. These might include the subtly suspicious permissions or some that are completely out of the ordinary, such as being able to wipe a phone back to factory settings.

  1. Lots of downloads or positive reviews don’t mean an app isn’t harmful

Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can simply indicate a threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer—if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.

  1. Ensure that you are only downloading apps from official app stores such as Google or Apple

Of course, there are still security concerns with official stores such as the Apple App Store and Google Play, but many cyber threat actors have moved away from official stores, focusing more on feral applications and secondary hosting providers. For example, one of the stores we added last year, AllFreeAPK, shot immediately into our list of top 10 all-time providers of blacklisted applications within the first few months of being tracked. In Q2, “AndroidAPKDescargar” became prolific for blacklisted apps.

  1. Does it look credible?

Take a deeper look at each app. New developers, or those that take advantage free email services (@gmail) for their developer contact, can be enormous red flags—threat actors often use them to produce mass amounts of malicious apps in a short period. Also, bad grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.

RiskIQ for Mobile

RiskIQ looks for mobile apps in the wild. With a proactive, store-first scanning mentality, we observe and categorize the mobile threat landscape as a user would see it while visiting or attempting to download apps. Every app we encounter is downloaded, executed, analyzed, and stored. RiskIQ also records changes and new versions of apps as they evolve.

RiskIQ automatically runs all mobile applications encountered through a variety of blacklists, including VirusTotal. We differ from other monitoring systems that rely on end users employing their virus scanning tools and manual sample submissions. RiskIQ provides discovery across all major app stores as well as more than 150 less popular stores, including focused coverage of high-risk stores and regions for brand impersonation, malware, and fraud. In addition to comprehensive coverage of third-party app stores worldwide, RiskIQ incorporates a unique source of “feral app” binaries, or mobile apps collected outside of dedicated mobile app stores, via drive-by download for example. 

For a full analysis of the mobile threat landscape in Q2, download our report here. To read more about how RiskIQ can help with your mobile security, click here.

Share: