Malicious mobile apps were on the decline in Q4 of 2017 largely due to a decrease in the inventory of AndroidAPKDescargar, the most prolific dealer of blacklisted apps, according to digital threat management leader RiskIQ in its Q4 mobile threat landscape report, which analysed 120 mobile app stores and more than 2 billion daily scanned resources. Listing and analysing the app stores hosting the most malicious mobile apps and the most prolific developers of potentially malicious apps, the report documents the return of familiar threats such as brand imitation, phishing, and malware—as well as the discovery of a bankbot network preying on cryptocurrency customers.
Feral Apps are Down
The Google Play store again led the way with the most blacklisted apps, but Q4’s analysis confirmed that feral apps—apps available for download outside of a store on the web—fell in popularity for the first time in several quarters, falling from the number two spot and giving way to three other stores:
- ‘AndroidAPKDescargar’ had 7,419 blacklisted apps, comprising 41 percent of the apps RiskIQ observed in their store
- ‘9game.com’ had 4,083 blacklisted apps, accounting for 86 percent of the total apps RiskIQ observed
- ‘9apps’ had 3,644 blacklisted, 15 percent of the total apps
‘KitApps’ Makes Another Appearance Indicating a Wider Trend
One consistent developer observed almost every quarter is ‘KitApps, Inc.’ With 147 blacklisted apps in 2017, 96 percent of those were found in the AndroidAPKDescargar store. Of these blacklisted apps, 137 contain Trojans and 133 have adware—two categories of blacklisted apps that can be found en masse across the AndroidAPKDescargar store. This may indicate the store is being used as a hub for campaigns in which actors are repackaging apps with Trojans and adware.
Riding the Cryptocurrency Wave
In November, RiskIQ researchers found a mobile app that was trying to pass itself off as a cryptocurrency market price app. This app was found to be part of the bankbot family of mobile Trojans and would monitor the device that installed it for a list of target apps. If the app were launched while the Trojan was installed, the Trojan would put an overlay over the legitimate app and collect sensitive information, such as login credentials from the banking customer.
Mobile Threat Actors are “Well-Connected”
In October, RiskIQ researchers were able to take malware hashes associated with the Red Alert 2 Android Trojan and find samples that contained data that was used to uncover infrastructure used by the malware. Pivoting off a host found in the APK, researchers discovered an IP address and registrant address, both of which led to further infrastructure. Two additional domains were found to be hosting more malicious apps claiming to be Adobe Flash Player updates, showing the breadth of infrastructure of mobile threat campaigns.
“Securing the mobile app ecosystem continues to be a challenge for app stores of all sizes, but efforts to improve version control, monitor for abuse, employ verification techniques, and offer security education can help,” said Mike Wyatt, director of Product Operations at RiskIQ. “Tracking the use of brand names and likeness is an equally daunting challenge for corporations. Brands should evaluate and implement solutions that constantly monitor their digital footprint online and in mobile app stores.”
For specific metrics or to learn more, download the RiskIQ Mobile Threat Landscape Q4 2017 Report at https://www.riskiq.com/research/2017-q4-mobile-threat-landscape-report/.
