Qihoo 360: Just the Tip of the Whitelisted Malware Iceberg

The Check Point Mobile Threat Prevention team has long stressed how dangerous it can be to get apps from sources other than the Apple App Store and Google Play. Even with well-known third-party app stores the problem of security has become more obvious than ever.

A great example of this is Qihoo 360, a Chinese company known for its anti-virus software and mobile apps store and that unintentionally whitelisted malware as part of a complex cyberattack.

A complex attack straight out of a spy novel

The attack itself was quite extensive:

1. White listing of malicious apps
Cyber criminals bribed employees of a Chinese gaming company into including their malware among the legitimate apps it sent to Qihoo 360.

These apps passed Qihoo’s inspection and were whitelisted, allowing the hidden malware to run on machines protected by Qihoo’s wide-spread and free anti-virus solution for mobile and PCs. Once this phase was complete, the attackers could initiate their true malicious activity.

2. Infecting a seller/store
Attacks were staged using Taobao.com, a popular Chinese marketplace that’s similar to eBay but operates differently. On Taobao.com, buyers initiate purchases by sending a picture of an item to the seller using the Aliwanwang instant messaging app. Money is then exchanged between the buyer and the seller using Alipay, Aliwanwang’s payment platform.

Attackers disguised as a Taobao.com buyers sent sellers legitimate photos injected with whitelisted Trojans. These sellers then opened the pictures on a PCs and became infected because the Trojans weren’t detected by Qihoo anti-virus.

3. Collecting credentials for a financial attack
For the last state, the attacker requested a refund from the seller, requiring the seller to log in to their Alipay account. The Trojan then keylogged their credentials, allowing the attacker to steal money from the seller’s account.


Why is this important to mobile security?

There are two major points in this attack which are worth further discussion:

First is how even primitive malware can managed to infiltrate a “secure” network. Even known malware has a way of inflicting damage. And because simple AVs use known malware signatures, they cannot be relied upon as a sole protection against malware.

Many AVs use a whitelist approach to avoid false positive detection, but the way these whitelists are generated  and, like as we saw in the Qihoo 360 case, they can be compromised.

The second and more interesting point is the different methods third-party app stores use to protect users. The Qihoo incident is similar in a way since Qihoo’s whitelisting review was easily bypassed, leaving Qihoo AV users exposed to attacks. So app stores that you might believe to be safe may, in fact, really not be as safe as you’d think.

This subject was recently explored in length by one of our colleges, Avi Bashan, in a Dark Reading Article. In his analysis, Bashan demonstrates how malware manages to repeatedly infiltrate the Apple App Store and Google Play, and explains why the defenses of these stores remain deficient.

We already know that the mobile threat landscape often mirrors that of the PC world. So if malware can be installed on machines protected by Qihoo and can infiltrate into its own app store, this example illustrates how important it is to avoid third-party stores and to instead at least rely on stores with more reliable security.

But even still, stores like the App Store and Goolge Play aren’t immune to threats. It’s only a matter of time before attackers turn their full attention to infiltrating the app stores users trust most.

Learn more:
Check Point Mobile Threat Prevention

See it in action:
Schedule a demo of Mobile Threat Prevention