Yet Another Fake Flash Player

These days there’s plenty of discussion on rogue mobile applications. After all, mobile devices contain valuable personal information and commonly access corporate data. Also, let's not forget the fact that these devices are usually not subject to corporate security controls, which is why it's crucial to have an external threat management program.

At RiskIQ, we see a lot of rogue mobile applications—a lot. We covered a few of the common impersonations in our previous blog, which briefly covered Slempo. Now, we'd like to take a moment to point out yet another fake Flash Player update we recently spotted. The following screenshot was taken from the RiskIQ application, showing details about the package:

This particular application looks legitimate on the surface, but RiskIQ's technology quickly points out the excessive permissions, URLs, and other suspicious indicators, such as the unpronounceable Package Name—and the fact that the file name clearly does not support the narrative.
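Two of the signals named above, the unpronounceable package name and the file name that does not fit the claimed app, can be written as a small triage heuristic. This is an added example, not RiskIQ's detection logic: the thresholds, function names and the claimed label "Flash Player Update" are assumptions, while the package and file name are the ones listed in this post's indicators.

```python
import re

# Assumed thresholds for this illustration; tune against your own app corpus.
MIN_SEGMENT_LEN = 5      # shorter segments ("com", "app") are not judged
MIN_VOWEL_RATIO = 0.25
MAX_CONSONANT_RUN = 4

def segment_looks_random(segment: str) -> bool:
    """True when a package-name segment is hard to pronounce."""
    letters = [c for c in segment.lower() if c.isalpha()]
    if len(letters) < MIN_SEGMENT_LEN:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", segment.lower())
    longest_run = max((len(r) for r in runs), default=0)
    return vowel_ratio < MIN_VOWEL_RATIO or longest_run > MAX_CONSONANT_RUN

def package_name_score(package: str) -> float:
    """Fraction of judgeable segments that look randomly generated."""
    judged = [s for s in package.split(".") if len(s) >= MIN_SEGMENT_LEN]
    if not judged:
        return 0.0
    return sum(segment_looks_random(s) for s in judged) / len(judged)

def filename_supports_label(file_name: str, label: str) -> bool:
    """True when a word of the claimed app label appears in the file name."""
    stem = re.sub(r"[^a-z0-9]", "", file_name.lower().rsplit(".", 1)[0])
    words = [w for w in re.findall(r"[a-z0-9]+", label.lower()) if len(w) >= 4]
    return any(w in stem for w in words)

def triage(package: str, file_name: str, label: str) -> list[str]:
    """Collect the findings that apply to one APK's metadata."""
    findings = []
    if package_name_score(package) >= 0.5:
        findings.append("random-looking package name")
    if not filename_supports_label(file_name, label):
        findings.append("file name does not match claimed app")
    return findings

if __name__ == "__main__":
    # Package and file name from this post's indicators; the label is assumed.
    print(triage("hgphqnkfsk.kyjfpauak.zqdxqk", "pornvideo.apk", "Flash Player Update"))
    # Constructed benign-looking comparison sample.
    print(triage("com.adobe.flashplayer", "flash_player_update.apk", "Flash Player Update"))
```

Neither signal is conclusive on its own; both are meant to prioritise a sample for the permission and URL review described above.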

Looking back in our crawl data, we see that there was a low confidence rating coming from our friends over at VirusTotal:

A quick look in RiskIQ’s PassiveTotal tool shows that the domain has only been seen recently and that the IP address hosts different domains, suggesting that this campaign is just getting started.

RiskIQ’s technology has already flagged this application, and we continue to encourage our mobile users to download applications only from trusted app stores to minimize the likelihood of becoming a victim.

The following indicators of compromise (IOCs) have been extracted for public use:

Domain(s):

kralapk[.]eu

adobeflashplayer.com[.]pl

flashupdate[.]pl

www.flashupdate[.]pl

IP Address(es):

91.215.152.167

Package Name(s):

hgphqnkfsk.kyjfpauak.zqdxqk

File Name(s):

pornvideo.apk

Hash(es):

c825ea776d84a956da472742299941c2 (MD5)
