JE and Scott King (@thescottking), mobile app cybersecurity evangelist from Zimperium, discuss how current post-Covid events and an increasingly bring-your-own-device and work-from-home workforce impacts the threat landscape for mobile application attacks and malware on iOS and Android devices. Includes examples from Scott’s recent overview of banking application security and privacy research.
Intellyx co-host: Jason English.
Topics covered:
- Has the COVID crisis increased the urgency of mobile device security?
- Why are malware attacks spiking right now?
- What are some of the most common techniques?
- You recently had your research teams run testing against 300 finance and banking apps – what did you find?
- Differences in level of security/privacy for iOS/Android apps
Show links:
- Scott King’s Bio: https://thescottking.com/about/
- Research: Banking report on mobile device breaches and malware: https://blog.zimperium.com/mobile-app-breaches-and-leaks/
Listen/download the Podcast on your favorite player here: https://anchor.fm/intellyx/episodes/Brainwave-S1E4-How-do-you-identify-mobile-app-threats–Scott-King-el9tkb
Watch the YouTube version here: https://youtu.be/rfr3vaDdtgo
Transcript of the podcast:
Jason English: Hello, everyone. Welcome to another Brainwave podcast with Intellyx. I’m Jason English, your host, and joining me today is Scott King (@thescottking on Twitter). He’s an application security evangelist from Zimperium. Thanks for joining me, Scott.
Scott King: Hey, glad to be here, Jason. Thanks for setting this up.
Jason English: Yeah. I thought it was a particularly important time to have you on right now because, we’ve heard a lot about how the COVID crisis has created a need to work from home, and it’s driven people to use apps more than ever before, and especially, the way that they were leaning so much on the digital side of our ability to do business rather than meeting in person and all those things.
So, the COVID crisis increased the urgency of mobile device security and application security?
Scott King: I don’t know if it increased the urgency, but it definitely increased the need. For a couple of different reasons, one for work, we’re supposed to be stuck at home.
Jason English: Right.
Scott King: And social distancing. So we’re using devices for shopping for dating, right? No one goes on dates anymore. For e-commerce, for banking. So we’re really depending a lot on our mobile devices. And now we’re constantly at home, so you really need to pay attention to, your home network security.
And then, if you’re at home using your home network, you more than likely are logging onto your corporate systems with your home devices in your home network. So there’s a lot of variables, but in mobile, you can look at AppAnnie, they do a lot of research on mobile usage and they help mobile app developers develop advertising campaigns and do usage and statistics and things.
But, they’ve seen a huge increase in mobile usage and hence, the criminals are gonna follow so they can subscribe to the same services. So yeah. is the need there? Yeah, there’s actually more of a need because we’re using our devices for more than anything that we ever did before.
Jason English: Yeah. Have your audience and your users seen a spike in malware attacks or other kinds of exploit attempts right now?
Scott King: Definitely. So we saw a really big spike in early March, to middle of April. And a lot of this malware was resident in the COVID contact tracing apps.
People were starved for information. They downloaded these COVID contact tracing apps to help alleviate the spread of the Coronavirus. But enterprising hackers or cybercriminals put up fake apps, and they put malware in there, and that malware can do lots of different things.
They could be cryptomining. Right? And they can use processing power. They could be data harvesting. They can be doing all types of things, but if you can grab on to some other need, like an event, like a pandemic, enterprising cybercriminals get the ability to actually launch those campaigns, versus the ability for corporations to defend against a brand new [attack] – for something like that there’s a big gap, right?
So they’re just much more nimble.
Jason English: Right. And it seems like the opportunity cost of launching such attacks keeps going down over time as well. There’s very little sunk cost in, in running a lot of these kinds of attacks. I know that some of them are actually more expensive than others.
I mean, what are some of the most common techniques you’re seeing right now? I’ve also heard a lot of people talking about the relative cost or, or the value of such attacks? So, if somebody does find an exploit, what’s your perspective on that?
Scott King: Well, the cost to the cybercriminals varies. Because it depends on who is doing this.
There are application development organizations that just develop malware, right? So they work it as a full time job, and you can look at their power usage on the grid and you see that the staff gets there at eight and they leave at five.
Right. They work it just like a full-time job. But other people that don’t have that type of infrastructure, you can just rent the mobile malware — and it’s a SaaS product. So, it has subscription costs and it varies, right? So it could be like $2,000, it could be $25,000 depending on what it is.
There’s a great bit of variability and well, the good news is there’s a price for everybody. So if you want to spy on mobile devices, you can do it with relatively low skills.
Jason English: Hmm. Yeah. So what would be some of the most common techniques? I guess they’re renting them or they’re downloading them, or what are some of the most common techniques people are using to exploit users?
Scott King: Well, the most common, there were fake Coronavirus apps, the contact tracing apps.
There were fake apps, right? You download an app, you decompile it. Cause most of the apps are not obfuscated enough to prevent reverse engineering. So they just basically create another app that looks exactly like it — they make it available and then, kind of pass it around through your network.
So this could be SMS phishing. This could be ad campaigns. you could put fraudulent ads inside of another app. That’s another way. The more sophisticated attacks actually exploited the entire device. And this is what we’re seeing with the banker malwares, I create an enterprising app, maybe a cryptocurrency converter app, and that contains malware, the malware gets into a device.
And then once the malware is inside that device, it basically takes the device over. And, forces the user to see, image overlays instead of real apps. So if I log on to, Royal Bank of Scotland and it looks like I’m logging in, and then what happens is I’m actually typing my credentials into a different system, then the cybercriminal is actually harvesting my data.
And then, once they have your username and password, then they try and log on and create a fraudulent transaction. There’s data from RSA. So they put out a fraud report first quarter, this year that said, 25% of fraud on mobile was from a good account. So that account was over 90 days old, but it was a brand-new device.
So that would really be indicative that you surrendered your credentials. But someone somewhere else is logging in as you on another device. So, banks would need to have a fraud system intelligent enough to get away from IP spoofing, location spoofing, device tokens, things like that.
Jason English: Yeah. It’s a little bit hard to stay ahead of that. especially when the human behavior on the other end of it seems to be so far behind in general. I think of all the SMS messages with links, and emails with links, there’s always going to be, one to 2% of vulnerable people who will click on those things.
Like ‘you have a package waiting’ or ‘your COVID results are in’ or, or something like that, right?
Scott King: Yeah. the package waiting, that’s actually a good one, right now, because the postal service is in the news about mail in ballots or whatever. There’s phishing campaigns that have notices about, “Hey, your postal service has been delayed or whatever.”
So again, another event. Right? But it’s basically, if you think about it, it’s just like an agile marketing campaign, just, they’re not selling products. They’re harvesting data.
Jason English: Hmm. You recently had a project where you had research teams running testing against 300 different finance and banking apps. Can you talk about that project a little bit?
Because I thought it was interesting, , how you approached that particular market.
Scott King: Yeah. So, basically what we did is, we researched, over a thousand different mobile banking apps from all across the world, in the US it was about 300, a little bit less, but essentially what we did is we, we ranked these apps for privacy and security relative to each other.
So we put them in a group and I’ve got a picture here, if you want to.
Jason English: Yeah, sure.
Scott King: See a picture here. Let me share my screen. There it is.
Essentially what we’ve done is we took, we put all of these apps into a mobile application testing platform and it scans all of these apps for privacy and security on the left-hand side. Those apps need improvement for security. And this is your API keys. This is your obfuscation. Any type of app data, right?
And then, and on the vertical access, this is privacy risk. So. This is how invasive is this app to user information. So think about when you download an app and it asks you for certain permissions, I need your location. For a mobile banking app. Location is important. Maybe I’m looking for a branch or an ATM when we used to be able to walk around.
Right, so that makes sense. The camera. That makes sense too, because for my app, I can actually take a picture of a check and deposit it. What doesn’t make sense is some of these apps have access to calendars. I don’t really know why a mobile banking app would need to understand what meetings that I’m in.
that’s private information. Even geolocation, in California, that is becoming private information, because you can track people. That is important. What we did is we basically said, okay, we take a look at all these apps, these are better for privacy, and these are better for security and in the upper right hand corner.
About 30% of the apps are doing a good job, and the lower left hand corner, about 20% of the apps, they need significant improvement for security and privacy.
Jason English: Yeah. So what would be an outlier? Like the one on the lower left? What will be some of the bad conditions that occur there?
Scott King: One of the worst apps, and I’m just going to run through some of the findings because, there’s a lot of them. So, there’s hundreds of different findings, but one of the worst apps it has commands to launch another app. So sometimes we see apps inside of apps and sometimes that makes sense.
Think about a helper app for a game. There’s no reason that a mobile banking app should have that. Let’s see this app. It blindly loads, all files that come into the system. It accesses the phone call log. So it actually knows, not just if you’re on a call, it knows what numbers you called, the full call log.
So it doesn’t really make sense to have that. It also can perform a trace route network function. So if you’re trying to circumvent any other system, by moving your traffic around this app it actually is tracking you while you’re doing that. Let’s see, I can capture screenshots. So sometimes that is okay.
Sometimes mobile app developers put in screenshot information for usability, but it could leak data. So especially if I have a private key, that’s an E wallet app and I’ve got my private keys. And my address is in there. The developer can just take that — that’s pretty scary, location.
This app actually stores inline API keys and values in plain text. That is a no-no.
Jason English: Are you looking at a different screen?
Scott King: Yes, but I’m reading it. I can’t, I can’t tell you what this is.
Jason English: Oh, it’s fine.
Scott King: Yeah, it does all kinds of stuff. Has access to the camera. Connects to an application service.
It’s pretty invasive, right? So one it’s invasive and then two, it’s not properly secured because there’s no obfuscation in this app either.
Jason English: Well, that’s particularly interesting. I mean, I guess the big lesson to take away from this is that, for all of these apps, it’s almost like everything is on a need to know and need to do basis.
Right? Any particular action that that app enables that it doesn’t really need to do — that’s what creates the vulnerabilities.
Scott King: Yeah. If I think about when you download apps, you don’t know what all those permissions and what those terms mean.
This goes way beyond, tricking somebody with an SMS message. An SMS message, it’s short, right? 140 characters and a link, there’s only so much information, but some of the terms for the mobile app are pages long and purposefully. Right? because what they want to do, is they want to be invasive to your device so they can grab all your data.
They may not even use it, but they have it. You need to really be concerned about that. That, because a big majority of people do not read the terms of all those mobile apps and what they do.
Jason English: And nobody has time for that.
Scott King: Right? One of the mobile banking apps that we identified, had access on iPhones had access to your health data or your health app.
So this is your heart rate, your steps, your PulseOx, I guess if you have an Apple watch, the mobile banking app had access to that, it’s kind of curious why your bank would need access to how far you walked. The developer just probably just said, okay, I’m going to get all of the permissions.
I don’t need them, but I’m just going to use them because probably it’s just easier.
Jason English: Yeah. Just grab as much as you can, I guess. Are there any fundamental differences between iOS and Android apps? I mean, it seems like you read the advertising. iOS, Apple always says iOS has ads say ‘it’s a more secure platform,’ but, I’m sure there’s a lot more to be gained by hacking iOS apps.
What’s your impression of that?
Scott King: Well, I think it depends on who your target is. I mean, both of the operating systems are very, very secure and they work really hard to make them secure.
Jason English: Yep.
Scott King: Android gets talked about more because there’s more malware in Android systems. And there’s a lot of reasons, right? It’s an open system.
iOS, it’s a closed system. For iOS malware, a lot of times it’s not called malware, we’ll find malicious profiles and it’s basically an extra little management profile that comes standard in iOS, in an app that will put a profile on there. If they put a profile on your device, they can manipulate that. So we do find a lot of those.
On the Android side, since all the apps are public, it’s open source software, then it’s easier to create malware for that, for whatever reason.
There’s also more global market share for Android. So your target, your pie is bigger, right? There’s just more Android devices. What Android has going for it though, is how fragmented it is. So some people say that’s a bad thing, but the fragmentation is actually like a self-defense, because if I develop an exploit for Android 9.0.1, it only works on a certain portion.
Right. But if I develop an iOS exploit, for 13.4, there’s a lot of devices on that. because a lot of people update more often because there’s not device-specific operating systems. So there’s good and bad for both, but essentially they all use the same internet protocols and communication protocols and the protocols themselves are vulnerable.
Like WiFi. So, logging onto an app at Starbucks, it’s just as vulnerable on an iOS device as an Android device.
Jason English: Hmm. Wow. Well, it’s a fascinating world out there in application security. Um, thanks for joining me, Scott. I appreciate it.
Scott King: Yeah, it was a pleasure. It was great talking to you again.
Jason English: Yeah. Where, where can our listeners go if they want to, perhaps see this report in action or learn more?
Scott King: Well you can contact me directly. That’s pretty easy.
Basically Google “theScottKing’ and you’ll find me, all my tags. Twitter and LinkedIn are ‘@theScottKing.’ there’s lots of information on the Zimperium blog, which is https://blog.zimperium.com.
And we keep all of our reports and things like that, on the blog.
Jason English: Alright, well, thanks. Have a good day everyone and keep thinking. All right.
Announcer: Thank you for listening to the Intellyx podcast. If you have any questions or ideas for future episodes, feel free to drop us an email at PR@Intellyx.com. Until next time, keep on transforming.
©2020 Intellyx LLC. At the time of publishing, Zimperium is not an Intellyx customer. All dialogue in this program represents the expressed opinions of the hosts and guests, and are not necessarily the official position of Intellyx, or any company mentioned or included in this podcast audio or video.