Lately there has been a spate of incidents involving smartphone apps for iPhone and Android phones that were discovered to be malicious in various ways. The important commonality in these revelations was that cyber-criminals had actually modified legitimate apps after hijacking several developers’ credentials, including their “Developer Certificate.” The developer key provides a digital signature that validates the app as being the genuine product of a legitimate app developer, so an app signed with a stolen key passes that check even though it is no longer the developer’s genuine product.
There has also been similar mischief around the “Enterprise Certificate” system, which allows businesses to develop custom smartphone apps for their own in-house company use; these apps are not supposed to be available to the public, and they do not get the same security scrutiny that public apps get.
Both Apple and Google have had to remove apps from their respective stores that were found to be malicious, overly intrusive, or in violation of user privacy and code-of-conduct rules for apps. Also, the security firm ESET has reported that cyber-criminals have taken to the Google Play Store to misdirect cryptocurrency transfers made on Android smartphones.
There are different classes of smartphone malware, and most of these start life as an app, or by posing as an app.
- Adware – Some apps contain adware elements that keep track of your browsing and social media feeds to profile your interests, and then push annoying ads at you. This is probably the least dangerous, but most intrusive, of these threats.
- Chargeware – Chargeware is embedded in valid-looking apps and is used to charge a user for services without proper notification or knowledge. It is often associated with Internet porn apps. These apps download chargeware modules, and the spurious phone charges begin.
- Insecure apps – Also known as “riskware,” these are legitimate apps that lack certain security features, which makes them exploitable and can allow an attacker to install a backdoor and take over a mobile device.
- Spyware and trackers – These modules are part of almost every app. They collect data, usually with the permission of the user, including location, contacts, stored pictures (including their metadata) and other files. This information is sold to marketers and information brokers by the app company. In worst-case scenarios, this information is collected by malicious apps and sold on the Dark Web.
- Trojan horse – Almost everything we have described so far fits the definition of a Trojan horse, i.e., malicious applications presenting themselves as useful or valuable programs. Current popular mobile Trojans include crypto-jacking, crypto-mining, email hijacking, and banking malware.
Protecting your phone and yourself from these threats is easily done:
- Learn about and use the security features on your phone.
- Install an anti-malware app such as Sophos Mobile Security.
- Keep an eye on your phone when out in public to make sure it doesn’t walk off in the hands of a thief.
- Install all OS and app updates.
- Close apps and websites you are not using.
- Enable or install remote wiping apps for your phone.
- Don’t click on links in emails or texts unless you are sure they are legitimate.
- 7000 apps removed from Google Play
- iPhone Porn and gambling apps use Enterprise Certificates
- Apple to require 2FA for developers
- Google misuse of Enterprise Certificates
- Experian blog article
- Tech Republic – Clipper crypto-malware