The mobile cybercrime ecosystem took shape in 2020. On the occasion of the CLUSIF Panocrim, let us return to the many faces of the mobile threat, and question the responsibility of intermediaries such as application stores.
For two decades now, at the beginning of each year, the CLUSIF has been providing an overview of cybercrime, namely the Panocrim. During this annual meeting, we take stock of how malicious activity evolved over the year that has just ended. The latest edition was held on January 26th. For my first participation as a speaker, I had the pleasure of presenting in a duo with Benoit Grunemwald (ESET) on the subject of mobile threats, and in a duo with Loic Guezo (Proofpoint) on "cyberconflictuality". The Panocrim exercise is not always simple: it is a matter of recounting a year's worth of facts in 5 or 10 minutes. As the subject of mobile threats is not covered in French as much as I would like, Benoit and I decided to write this more detailed article, which includes the various sources used to prepare our remarks for the event.
2019 was the pivotal year for the emergence of the mobile threat. That threat became structured in 2020, a year characterized by mobile malice with many faces. Even before the pandemic, mobile devices had become the reference tool for Internet access, led by the smartphone (87% in 2019, according to the MIPS report from CLUSIF). These devices, to which users entrust their data, whether personal (e.g., banking or geographic location) or their employer's, attract the greed of many malicious actors.
There are many mobile means of harm

Like the general trend of rampant ransomware attacks, mobile platforms are not spared. In this case, the most frequent ransomware is of the screen locker type, i.e. it blocks access to the device without encrypting the data. Such an operation is possible through abusive use of the permissions granted to malicious applications; these can thus overlay other applications to demand the ransom. Often, the ransom demand takes the form of an injunction purporting to come from the police. On the attacker side, for the sake of efficiency in the face of the great diversity of mobile platforms, we noted in 2020 the use of machine learning modules; think, for example, of AndroidOS/MalLocker.B.
In 2020, we also saw a significant influx of banking Trojans. An interesting example was Cerberus (targeting Android). Its operators auctioned off the entire project in July 2020, selling the source code, the accompanying manual, and the client list. In August 2020, the source code was made public, which generated many variants. Among these, the Alien mobile malware is a perfect example of increasing sophistication: billed as Malware-as-a-Service, Alien enables phishing, theft of contact lists and SMS, recording of keystrokes, or even the theft of Google Authenticator tokens. To be distributed, Alien hides in an apparently legitimate application (over 200 such applications have been counted), available on application stores. As with its predecessor Cerberus, the parasitized applications limit their detection by keeping the malicious payload inactive for several weeks or even months.
These two examples have no direct link to COVID or lockdown. However, 2020 also saw developments related specifically to the pandemic. In this context, let us note the increase in spyware installations: +51% between March and June 2020, compared to January and February 2020. Stalkerware, in particular, is a weapon for cyberstalking and domestic violence, and represents an additional means of pressure on victims. On Android, it is possible to install this kind of application from Google Play or from outside it. On the iOS side, the installation of applications seems more limited; the easiest technique to spy on someone is to sync with their iTunes account.
The other part of the impact of COVID and lockdown relates to phishing and attempted fraud. The agility of attacker groups and their ability to keep up with hot topics have been in the news, from lures linked to parcel deliveries to fake versions of popular apps like TousAntiCovid. These diversions have been observed in many countries. To spread, these applications use various methods. Contact lists harvested, in particular, by the Trojans mentioned earlier make it possible to send phishing SMS ("smishing", a portmanteau of "SMS" and "phishing") as well as traditional spam.
If these mobile means of harm are many and varied, how are they disseminated? We therefore set out to dissect the main distribution channels for this harmful software, namely application stores such as Google Play and the Apple App Store. Many application stores are infested with various Trojans, stalkerware, and other intrusive adware.
What distribution methods for these means of harm?

Indeed, the question arises of how all these harmful applications are disseminated. The main distribution channels for these apps are application stores such as Google Play and the Apple App Store. At the start of 2020, there were already 120 separate application stores, many of them entirely dedicated to the distribution of malicious mobile applications. The count for 2020 should not change drastically.
The top 5 most used app stores include Google Play and the Apple App Store. These are pre-installed on the majority of smartphones sold today, which makes them unavoidable. These two stores are also infested with various Trojans, stalkerware, and other intrusive adware. The two players have different business models, and the same is true of their authorization policies for making applications available. At Google, the barrier to entry is low, resulting in a higher volume of apps than at Apple. At Apple, the a priori review of candidate apps for the App Store is known to be stricter.
Still, the mobile threat has many faces. Besides the application stores dedicated to the dissemination of mobile malware, many malicious apps exist in the mainstream stores. In addition, as will be seen with the cases of adware (intrusive advertising software), there is a strong emergence of malicious components included in completely legitimate applications. The following anthology raises the question: what about the responsibility of these intermediaries in the fight against cybercrime?
On Google Play, there are fleeceware-type applications. They claim to be useful, so we are tempted to install them without paying much attention. They offer a few days of free operation and then require a paid subscription. So far, nothing abnormal, except that these terms are designed to be confusing and to lock the user into a payment that is difficult to stop. In this example, we are talking about 25 apps with more than 600 million installations. The situation is similar on the Apple side. As the intermediary here is the application store, it is extremely difficult for the swindled users to obtain an effective remedy: their money is therefore lost.
As noted, much mobile malware is distributed either under the cover of legitimate applications or on its own. Joker is stealthy malware whose disguise abilities are unmatched. Its objective is payment fraud. Most of the time, Joker is disguised as a legitimate app, which, on the application store side, translates into major clean-ups: here, for example, we are talking about 17,000 apps deleted from Google Play. In the same painful vein, we have also seen the return of Anubis, spyware turned banking Trojan targeting Android smartphones. Among other things, it begins by disabling Google Play Protect, the app monitoring tool that the Google application store ships by default.
Of course, Apple is also taking part in this race against mobile malware. Its app store has introduced a notarization process, namely an additional a priori check of any app wishing to be listed there. This process is far from sufficient, as it failed twice in the space of less than two months.
This question of the responsibility of intermediaries brings me to the theme of advertisements served via mobile apps. Google has already announced that it is banning apps serving ads deemed disruptive, that is, ads that appear unexpectedly during active use of the app; think of ads that launch while you are browsing within an app, for example. Google's decision is quite interesting: showing ads frequently is one approach to monetizing free apps, encouraged by the Google Play model we discussed earlier.
This is not the only problem with adware. There is an ever-increasing number of application components that engage in ad fraud. They can be found in legitimate applications, e.g. the case of one such component present in more than 1,200 iOS apps totaling 300 million installations. This component makes it possible, in particular, to steal advertising revenue by recording user behavior toward the ads presented by the apps. This so-called "clicker" activity is intensifying, with dozens of apps embedding new components that steal advertising revenue.
Finally, whatever the means of harm and their distribution channels, the capture of personal data remains a central problem. The role of the intermediaries that are the application stores must once again be questioned, as to how demanding they are about respectful practices on the part of the developers submitting apps.
New attacks and PEBKAC

So, yes, the mobile threat has many faces. The pandemic and the insufficient attention paid to mobile cybersecurity have greatly contributed to the merging of professional and personal uses. In all of these cases, mobile apps are used to collect personal data, whether through malicious or legitimate uses.
And therein lies the whole difficulty of protecting ourselves: we feel surrounded by so many dangers. It is all the more difficult, therefore, to keep reminding people to pay attention to what they reveal about themselves online, whether personal or professional. In 2019, we saw how a completely legitimate use of Strava, the physical activity tracking app, made it possible to geolocate military bases. We had "season 2" of this kind of hijacking in 2020 with Untappd, an app for sharing one's best beer tastings. Incidentally, these shares also make it possible to unveil places that must be kept secret.
So, in 2021, let us take a more serious look at the many faces, new and old, of the mobile threat.