Mobile apps have made the lives of employees everywhere infinitely better, and more efficient, as enterprises lean towards virtual offices and establish BYOD policies. Apps designed for the business sector or that improve productivity have steadily risen over the last couple of years. The disadvantage to relying on these helpful apps to get work done lies in their inherent vulnerability to security threats such as malware.
A growing trend in malware development is to create apps capable of impersonating legitimate apps, and using this ‘bait-and-switch’ technique to trick unsuspecting employees and CEOs into downloading the fake app whose real purpose is to deliver malware. The threat of business-spoofing apps has been a real challenge for enterprises as even very popular mobile applications have been impersonated, including:
- FedEx Mobile
- Cisco’s Business Class Email app
- Blackboard’s Mobile Learn app
By mimicking the app’s name and package name, malware authors are able to piggyback on the reputation of some fairly trusted enterprise brands, which means few will think twice about downloading the app. Some of these apps are employed by entire enterprises and that means they’re used daily; and are more likely to be granted permission by users, furthering the malware creator’s hold on mobile devices.
The danger of spoofed enterprise apps adds to the already troubling list of ways malware has used mobile devices to compromise the data of its users. The real issue, however, is that this vulnerable technology is now providing access to corporate data and networks.
Company data put in jeopardy by increased reliance on mobile devices
According to a 2016 study conducted by the Ponemon Institute, mobile devices have already proven a significant threat to the integrity of corporate networks. There’s been a 43% increase in mobile access to company data by mobile device users, the study found; and paired with the realization that over 50% of company data can be accessed on both PCs and mobile devices means mobile malware is that much more of a danger to enterprises.
Infected mobile devices give malware authors access to corporate emails, confidential emails, financial data, employee PII (personally identifiable information), contacts, and customer records. As our workplace reliance on mobile grows, so too does the breadth of the data we’re accessing. The issue is really a matter of lack of preparedness on behalf of IT departments and companies who utilize employee-owned devices.
Earlier this year we talked about the rise in mobile malware and how devices can be safeguarded against malicious software, but now the problem has grown. Hackers and malware authors have begun targeting businesses, demonstrating the value of stealing data from enterprises of all scales.
Enterprises targeted by unique malware designed to masquerade as big-name business apps
The most basic security measure against mobile malware is the mobile device management software (MDM). The MDM is typically used to whitelist or blacklist specific apps, but when malware can spoof whitelisted apps then mobile devices lose some of that protection.
An example of this would be a company who uses FedEx. Said company might whitelist the shipping company’s app but if a spoofed app uses the same package name, it may very well not be stopped by the MDM.
There are five heavy hitters currently making their rounds—five pieces of malware that are actively spoofing well-known enterprise apps and wreaking havoc on company and employee-owned mobile devices.
Shuanet’s most devastating effects are its ability to root a device and install itself on the system partition, making it extremely difficult to remove from the device. It also installs other apps, which may or may not be malicious as well. The introduction of new apps through Shuanet could put the device, as well as its data, at further risk.
Shuanet has spoofed apps like ADP Mobile Solutions, Business Class Email (Cisco), CamCard Free, Google Authenticator, and VMWare Horizon Client.
This malware app gives control of your device to a third party and allows them to collect information like your contacts, call logs, the device’s location, and more. This kind of hidden remote access software lets someone extract both personal and corporate data from a mobile device, and gives them access to company WiFi networks and VPNs when and if the infected device is connected to them.
So far, AndroRat has spoofed Skype, Dropbox, and Business Calendar.
The PJApps malware works by collecting and then leaking a user’s phone number, the mobile device’s unique identifier, and location. It may also send messages to premium SMS numbers in order to make money. Further, PJApps can also download more applications, some of which may be harmful. Software that exfiltrates data concerning user location is always worrisome, especially if used to discern information about a business’ plans.
CamScanner is a good example of mobile apps that PJApps has impersonated.
Ooqqxx disrupts a device user’s activity by pushing ads to the notification bar, creating pop-up ads, or placing shortcuts that weren’t permitted. The app is essentially a time waster, disrupting work and then requiring assistance from IT which is further lost time.
Ooqqxx has spoofed enterprise apps such as Evernote, PocketCloud, Mobile Learn from Blackboard, Remote Desktop, and Adobe Reader.
UnsafeControl focuses on data collection and spam. Once it has a user’s contact information, it can spam the contact list or send SMS messages to predetermined phone numbers specified by the malware creator. Contact information can be incredibly sensitive information to corporations, so having this leaked to others could prove financially detrimental.
Currently, UnsafeControl has impersonated apps like FedEx Mobile, Google Keep, Sky Drive, Skype, and Remote VNC Pro.
McAfee Labs latest report shows mobile threats steadily increasing
After conducting a review of the threats posed by mobile malware, McAfee Labs made the following discoveries:
- More than 5,000 versions of 21 consumer mobile apps contained colluding code that made it susceptible to file inspection, data exfiltration, and other malicious activity
- Ransomware grew 24% quarter-over-quarter in Q1 2016
- 17% quarter-over-quarter increase in new mobile malware samples in Q1 2016
Cybercriminals are still taking advantage of mobile app development to distribute malware and carry out other illegal activities.
The excerpted chart above shows that while the overall number of globally reported mobile malware infections is considerably lower than it was in 2014, the reports are starting to rise in Q1 2016 compared to 2015. Malware isn’t going anywhere, and neither will the hackers interested in exploiting the growing reliance on mobile devices in corporate settings.