By Arxan’s count, 97% of top paid Google (GOOG) Android apps have been hacked; 87% of top paid Apple (AAPL) iOS apps have been hacked; 80% of the popular free Android apps have been; and 75% of the popular free iOS apps have been. Arxan is a developer of app protection tools.
It gets worse. Many key financial-services apps have been hacked, reported Arxan. Around 95% of popular Android financial apps have been, said Arxan. With iOS it’s 70%.
Matters are just as bad in retail where, according to Arxan, 90% of Android apps have been hacked and 35% of iOS apps have been.
A word of definition. To Arxan, a hacked app is one where a cybercriminal has opened the app’s code and “made an unauthorized injection of binary code,” explained Jonathan Carter, Arxan’s technical director. In every way that app should look exactly like the XYZ bank or brokerage app -- because it is. What’s different is that a toxic payload has been inserted.
Carter said identity theft, credit card misappropriation and other financial damage often is inflicted on victims.
The news keeps worsening. Said Jukka Alanen, an Arxan vice president, “The Black Hats are far advanced over the builders of the apps. It’s really concerning for trusted brands.”
Distribution of corrupted Android apps is straightforward. They primarily show up on third-party app storefronts, and Android allows downloads from anywhere, said Alanen.
With iOS, matters are less straightforward. For most users, most of the time, the official Apple App Store is the only place where they can download apps. Alanen explained that the tainted Apple apps are aimed at owners of “jailbroken” iPhones; jailbreaking strips away many of the limitations built into iPhones. For those owners there are numerous sites that provide iPhone apps but, said Arxan, many of those apps now are tainted.
This past week, however, the U.S. Computer Emergency Readiness Team issued a warning to iOS users about what it called Masque, where a rogue app pretends to be a legitimate app by hijacking its unique “bundle identifier,” a code Apple uses to identify apps. Such an app can be installed from unofficial sources. It replaces the legitimate app -- with the same bundle identifier -- on the phone.
Carter also said that iOS devices are vulnerable to another attack -- announced by security firm Palo Alto Networks in early November -- called WireLurker. This scheme -- epidemic in China -- harnesses Apple’s so-called “enterprise deployment” program to install malware on any iOS device. In enterprise deployment a company gets permission from Apple to make available what amounts to private apps -- employee directories, say -- without putting the app in the public App Store. WireLurker subverts that and installs malicious apps on iOS devices connected via USB to Apple computers running OS X, the operating system found on most Apple computers.
With WireLurker and Masque, iPhones do not need to be jailbroken to become victims. So far, however, incidence of such attacks in the U.S. is believed to be minute.
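Both iOS paths described above turn on code-signing provenance: Masque reuses a legitimate app’s bundle identifier under a different signer, and WireLurker rides enterprise provisioning onto unjailbroken phones. Below is an added example, not from the article or from Arxan, of the inventory check a fleet defender (MDM or mobile-security tooling) can run over installed-app records; the InstalledApp fields, the KNOWN_STORE_APPS catalog, the team IDs and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str     # reverse-DNS identifier Apple uses to identify the app
    signer_team: str   # team ID the app's code signature chains to (assumed field)
    provisioning: str  # "appstore", "enterprise" or "developer" (assumed values)


# Constructed catalog: bundle identifiers of store apps and the team expected to sign them.
KNOWN_STORE_APPS = {
    "com.example.bank": "TEAMBANK01",
    "com.example.broker": "TEAMBRKR02",
}


def audit(apps, known=KNOWN_STORE_APPS, device_managed=False):
    """Return (bundle_id, reason) findings for Masque-style and WireLurker-style installs.

    - A bundle identifier that matches a catalogued store app but is signed by a
      different team is the Masque pattern: same identity, different origin.
    - An enterprise-provisioned app on a device that is not enrolled in the
      organisation's management is the WireLurker pattern: enterprise deployment
      abused to side-load onto consumer phones.
    """
    findings = []
    for app in apps:
        expected = known.get(app.bundle_id)
        if expected is not None and app.signer_team != expected:
            findings.append((app.bundle_id, "bundle id matches a store app but signer differs"))
        if app.provisioning == "enterprise" and not device_managed:
            findings.append((app.bundle_id, "enterprise-provisioned app on an unmanaged device"))
    return findings


# Constructed sample inventory: a genuine bank app, a brokerage app that has been
# replaced by an enterprise-signed look-alike, and an unrelated enterprise app.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.bank", "TEAMBANK01", "appstore"),
    InstalledApp("com.example.broker", "ROGUETEAM9", "enterprise"),
    InstalledApp("com.example.hrdirectory", "TEAMCORP03", "enterprise"),
]


def sample_findings(device_managed=False):
    return audit(SAMPLE_INVENTORY, device_managed=device_managed)


if __name__ == "__main__":
    for bundle_id, reason in sample_findings():
        print(f"{bundle_id}: {reason}")
```

On a managed (MDM-enrolled) device the enterprise-provisioning findings are suppressed and only the signer mismatch remains, which is the one that survives regardless of how the phone is administered.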
Otherwise, there is a simple fix that will keep smartphone users safe from most traditionally distributed malware: download apps only from the official stores operated by Apple for iOS and by Google and Amazon (AMZN) for Android. All three are known to examine apps for toxic components before distributing them. There have been fumbles but, generally, the road to safety is through the official stores.
Julie Conroy, research director for Boston-based consulting firm Aite Group’s retail banking practice, where she is an expert on fraud -- while praising Arxan for good work -- underlined that “[Arxan is] looking at offbeat sites, not just app stores, that significantly skews the numbers, since the app stores have some processes for app review (not always the most robust), whereas these processes are often non-existent in third-party sites.”
That is, the Arxan numbers may be accurate but they may also not reflect traditional user behavior which, generally, is to download from the official storefronts. When users stick to that route, they will probably be safe.
Massachusetts-based identity theft expert Robert Siciliano said, “Consumers are reminded to only download from approved sites and refrain from jailbreaking their devices.”
Nonetheless, what Arxan has found is terrifying.
There is a tidal wave of malware-tainted copies of mainstream apps out there and if one gets on a user’s phone, trouble lies ahead.
The fix proposed by Arxan: “Software developers need to make their apps resistant to reverse engineering,” said Carter. There are known techniques, insisted Carter. Arxan, not coincidentally, has developed its own techniques for safeguarding apps from corruption. Such tools are not widely deployed but, just maybe, if hacked apps cause enough mayhem that may change.
And the mayhem may be coming: “We will see a rise in malware on mobile,” predicted Carter. That’s because more of our computing has shifted to the mobile channel. Hacked apps will follow, like fleas on a dog, and that means “criminals are putting a lot more focus on mobile,” said Carter.