Beware: ad slingers thinly disguised as security apps 0 876

Fake Security App

According to AV-Comparatives, an independent testing organization, there are significant differences in the level of protection provided by mobile security solutions. However, even the least secure of them are still far better than questionable apps that impersonate security applications in order to display ads to users. Thirty-five such applications have recently been discovered in the Google Play official Android app store.

These apps have Google Play statistics showing a minimum of over six million installs, cumulatively. However, not all those were necessarily real installations, it is possilbe that many were bot downloads posting fake reviews to improve the ratings for the app.

All 35 apps have been flagged by ESET and eventually removed from the store.

In addition to annoying their victims with ads, disguising these apps as security software has some serious negative side effects, too. In mimicking basic security functions – in fact, they all act as very primitive security checkers relying on a few trivial hardcoded rules – they often detect legitimate apps as malicious. And last but not least, they create a false sense of security in the victims, which might expose them to real risks from malicious apps that are not detected as such.

ESET’s analysis has shown that among these 35 apps, only a handful stand out for their specific features: one app is not completely free as it offers a paid upgrade; one app has implemented a primitive, easily bypassed, app-locker manager; another app flags other apps from this group as dangerous by default; and finally, one misuses ESET’s branding.

 

Security-mimicking functionality
In order to stay under the radar, all the shady ad-displaying apps mimic actual mobile security solutions. However, their ‘detection mechanisms’ are incomplete and very primitive, which makes them easy to bypass and prone to false positives.

Our research into these questionable apps has shown that their ‘detection mechanisms’ can be divided into four categories. These mechanisms are identical or almost identical across the whole set of apps.

1) Package name whitelist & blacklist
These whitelists features popular apps such as Facebook, Instagram, LinkedIn, Skype and others. The ‘blacklists’ contains far too few items to be considered security functionality at all.

2) Permissions blacklist
All apps (including legitimate ones) are flagged if they require some of the listed permissions that are considered dangerous, such as send and receive SMS, access location data, access the camera, etc.

3) Source whitelist
All apps but those from the official Android store, Google Play, are flagged – even if they are completely benign.

4) Activities blacklist
All apps that contain any of the blacklisted activities: that is, parts of applications. This mainly concerns some ad-displaying activities.

Flagged are all apps that contain any of the blacklisted activities, i.e., packages of application that are used in an application. These packages can handle additional functionalities (mainly some ad-displaying activities).

While there is nothing wrong with the idea of activity blacklisting, the implementation in these questionable apps is rather sloppy. For example, Google Ads is included in the blacklist despite the fact that it is a legitimate service. On top of being legitimate, this service is implemented in all of the shady apps we analyzed.

Additional security “functionality”
Some of the questionable security apps are capable of protecting a user’s apps with a password or a pattern locker. The idea behind this seemingly useful feature is to provide the user with another layer of security in selected apps.

However, due to insecure implementation, this feature also fails to provide true security to the user.

The problem is that relevant information is not stored safely on the device – instead of using encryption, which is common baseline practice in cybersecurity, these apps store the names of locked apps and the passwords to unlock them as plaintext.

This means that the data can be accessed after the device is rooted.

Besides compromising the unencrypted data by rooting the phone, there is another way to bypass the app lock. An attacker with physical access to the device can change the app-locking password without knowing the old one!

Conclusion
Having a security solution installed in an Android phone is definitely a good thing. However, not all apps featuring “security” or “antivirus” in their name do what the name promises. Before installing a security solution, think twice: is it really a tool you can safely rely on?

The 35 pseudo-security apps described in this article are not, say, ransomware or other hardcore malware. The only harm they do is displaying annoying ads, making false-positive detections and giving the victim a false sense of security. However, those millions of unwary users who downloaded them could easily have ended up downloading true malware in some similar disguise.

Instead of shady apps with flashy names and icons and outlandish, unsubstantiated promises, seek a reputable security solution. And which one to choose? An independent test by a well-respected testing organization might help.

Previous ArticleNext Article

Hacking and targeted cyber-attacks as a result of anti-competitive practices in business 0 93

Targeted Attacks

In ongoing consultations with clients, large companies named targeted attacks and hacking as two of their biggest security challenges since they can seriously impact the continuity of business activities in an organization.

Attackers have many means to infiltrate companies. However, many attacks, don’t require a very high level of technological sophistication. Instead, techniques like targeted social engineering, i.e. spear phishing, or the use of known vulnerabilities for which, patches may have been issued but businesses have not yet deployed, can lead to damaged reputation, revenue and data breaches.

On the other hand, high levels of sophistication can also be utilized as is in the case of a Zero Day attack.  Chief among these was Stuxnet, a recorded attack where malicious code successfully deployed four zero-day vulnerabilities to impede a uranium enrichment program in Iran, and which, according to media, was a state-sponsored attack.

There are many reasons why organizations become repeat targets. Their bank accounts contain more resources than those of an average person or small business and they also have considerable amounts of interesting data that can be monetized. Attacks targeting companies can also be used as a form of competition. Most often, this concerns data hunting, i.e. obtaining interesting information or intellectual property. These attacks can be accompanied by blackmail. For example, a client database is stolen from a company and is later approached by the perpetrators and asked, “what they are going to do about their loss”.

Different ways to monetize attacks bring different consequences

Organizations often find it difficult to admit they have been breached by these types of attacks. Consequently, this may give other companies the false impression that such attacks happen only occasionally. A typical example of targeted attacks, common in recent years, are DDoS as a Service – attacks, which are sponsored by one company to attack the website of another, with the effect of disrupting business and directing customers away from the targeted company and (possibly) towards the attacker’s “employer”. These are criminal tactics, and the attackers know very well which business areas to target for maximum gain.

There are of course other approaches. Take the example of the British National Health Service, which has become a frequent target of ransomware attacks. Digitization of health services has resulted in a situation where the malicious encryption of medical data may lead to a halt in medical interventions and surgeries. Under such conditions, targeted organizations are often more inclined to pay a ransom for the “hijacked” patient data.

In Kenya attackers have been known to target their attacks to banks and financial institutions, with figures of Ksh400 million being reported stolen from an unnamed local bank and Ksh29 million from National Bank of Kenya in 2018 alone.

Innovative approaches to old tricks

In many rural areas worldwide, one quick glance at powerlines will reveal how easy it is to make illegal connections to the power grid. As of late, cyberattackers have followed a similar model, focusing their resources on illegally mining various cryptocurrencies, which have proven to be highly popular in the public’s imagination.

A more complex example was a targeted attack meant to infect StatCounter, which provides a service  very similar to Google Analytics and uses a special script legitimately placed on websites to obtain data about website visitors. In this case, attackers successfully breached StatCounter and subsequently gained access to the service’s end users by injecting JavaScript code in all websites that use Stat Counter’s service.

The problem came to light when visitors navigated to the now compromised websites which contained the infected scrip, and who’s devices then began covertly mining bitcoins for the attackers. During the second stage, the attackers proceeded to steal bitcoins directly from infected devices when they attempted to access a popular cryptocurrency exchange. To get an idea of the scale of such an operation, StatCounter can be found on more than two million websites.

Such an attack means that system resources of infected devices at the company legitimately using the service are additionally tasked to mine. This may not concern only computers, but also mobile devices and especially servers. The subsequent cryptomining accelerates wear and tear on devices and also increases electricity bills. In addition, we should not forget that malicious cryptomining code is usually capable of uploading other types of malicious script onto the network.

Investigations may take months and are looking for a needle in a haystack

When a large company falls victim to such an attack, it is necessary to carry out a complicated investigation of what happened and how the company has been affected. Research shows that it takes about 150-200 days for companies to find out they’ve been infected. Further investigation regarding the method by which the company was infected and where the malicious code originated may take even longer.

Facing such substantial risks, large companies should leverage solutions like ESET Dynamic Threat Defense to detect new, never before seen threats.

To find out more about ESET Dynamic Threat Defense or to request a free in-house cyber security training session for your organisation, please sign up below.

Ransomware Protection Crucial to Enterprise 0 281

Ransomware

Ransomware is by far the biggest threat among Enterprises.  So what is Ransomware? It is a malicious code that blocks or encrypts the contents of a device and demands a ransom to restore access to the data.

According to research done by ESET,  Companies named ransomware their number one concern.

In response to customer needs and concerns, ESET integrated Ransomware Shield into its security solutions. ESET has long been providing its customers with very good behavior-based malware detection and also with Host-based Intrusion Prevention System (HIPS) that allows users to set custom rules for the protection against ransomware. However, should something slip past the 11 other security layers, Ransomware Shield will be automatically activated.

While ransomware infection often starts with clicking a suspicious link or a fictitious invoice, ESET found that email remains the most common distribution method.

To combat these scenarios, enter ESET Dynamic Threat Defense (EDTD). EDTD provides another layer of security for ESET products like Mail Security and Endpoint products. It utilizes a cloud-based sandboxing technology and multiple machine learning models to detect new, never before seen type of threats. In result, attachments that were classified as malicious are stripped off the email and the recipient gets information about the detection.

To learn more about how ESET can protect your business, and to book a FREE in house Cybersecurity Training Session for your employees, please sign up below.

Free Training