In The Wild: App Stores Are No Sanctuary for Mobile Malware

Most mobile users rely on Google Play and the Apple App Store for their safety and assume that downloading only highly-rated apps from these stores keeps them safe from mobile malware. In the past, this might have been a good strategy, but today it doesn’t always work.

Breaking the Myth: Google Play

The Check Point research team recently detected two instances of new malware on Google Play called “DressCode” and “CallJam.” While these aren’t the first malware to infiltrate Google Play successfully, CallJam demonstrates exactly how malware can deceive cautious users.

CallJam masqueraded as an app that provides free items for the game “Clash Royale.” Before the app would start, users were asked to rate it, under the pretense that they would receive additional in-game currency in return; this earned the app a high rating.

After installation, the malware generated fraudulent ads and dialed premium numbers to make money for the attackers. Another interesting CallJam feature uses the HTML5 vibration API as part of its ad popups. This enables the malware to trigger phone vibration from JavaScript, which makes the popups seem as if they were actual system alerts.
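The vibration trick described above works because the HTML5 Vibration API is exposed to any page as `navigator.vibrate`, so an ad popup rendered in a WebView can call it without any permission prompt. The following defensive shim is an added example, not code from the Check Point post or from CallJam: an app that renders untrusted web content can install it before the content loads so that vibration requests are recorded and blocked instead of executed. The `navigatorObj` parameter and the `installVibrateGuard`/`totalRequestedMs` names are this example’s own; in a browser you would pass the real `navigator`.

```javascript
// Added example (not from the original post): guard the HTML5 Vibration API
// (navigator.vibrate) so web content cannot make popups feel like system alerts.
// `navigatorObj` is injected so the same code runs in a browser (pass `navigator`)
// and in Node with a constructed stand-in object for testing.
function installVibrateGuard(navigatorObj, options = {}) {
  const { allow = false, log = () => {} } = options;
  const original = typeof navigatorObj.vibrate === 'function'
    ? navigatorObj.vibrate.bind(navigatorObj)
    : null;
  const attempts = [];

  navigatorObj.vibrate = function guardedVibrate(pattern) {
    // The API accepts a single duration or an array of alternating
    // vibrate/pause durations in milliseconds; normalise to an array.
    const durations = Array.isArray(pattern)
      ? pattern.map((v) => Number(v) || 0)
      : [Number(pattern) || 0];
    const record = { at: Date.now(), durations, blocked: !allow };
    attempts.push(record); // keep an audit trail for the host app to inspect
    log(record);
    if (allow && original) {
      return original(pattern); // pass-through mode, e.g. for trusted first-party content
    }
    // `false` is what the real API returns when a request is rejected.
    return false;
  };

  return {
    attempts,
    // Undo the shim, e.g. when navigating back to trusted content.
    restore() {
      if (original) {
        navigatorObj.vibrate = original;
      } else {
        delete navigatorObj.vibrate;
      }
    },
  };
}

// Total milliseconds of vibration pattern requested across all attempts; a
// simple signal for flagging ad content that abuses the API.
function totalRequestedMs(attempts) {
  return attempts.reduce(
    (sum, a) => sum + a.durations.reduce((s, d) => s + d, 0),
    0
  );
}

// Stand-alone demonstration with a constructed navigator stand-in.
if (typeof navigator === 'undefined') {
  const fakeNavigator = { vibrate: () => true }; // constructed, mimics a real device
  const guard = installVibrateGuard(fakeNavigator, { log: (r) => console.log('blocked vibrate', r.durations) });
  fakeNavigator.vibrate(200);
  fakeNavigator.vibrate([100, 50, 100]);
  console.log('attempts:', guard.attempts.length, 'requested ms:', totalRequestedMs(guard.attempts));
}
```

In an Android WebView the shim would be injected with `evaluateJavascript` before the ad frame loads; the point is that the host app, not the ad content, decides whether haptic feedback ever fires.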

Breaking the Myth: App Store

In the past year, we have seen more and more malware and vulnerabilities that successfully circumvent Apple’s security measures, including SideStepper and the Trident exploits. These prove that users can’t rely on these protections alone to keep their devices and data safe.

Our team also detected samples of an iOS jailbreaking app in the wild. What’s extraordinary about the discovery is that the app originated in the official Apple App Store. The app, named “PG Client,” managed to infiltrate the App Store only for a short time on August 29 before Apple removed it.

It used an exploit related to the infamous Pangu group to jailbreak 64-bit devices running iOS 9.3.3. A jailbroken device is completely defenseless against attacks, and can be exploited and used for functions far beyond what most trustworthy apps are allowed.

The fact that an actual jailbreaking app managed to find its way into the App Store means the walls of Apple’s garden continue to crumble. If a straightforward jailbreaking app can make its way in, sneaky malware is bound to succeed.

Mobile DDoS Attacks Can Cripple 911

Researchers from Ben-Gurion University have demonstrated how a phone DDoS (Distributed Denial of Service) attack could potentially take down the US emergency phone system. The attack relies on malware that disguises the IMSI identifiers of the attacking mobile devices to avoid blacklisting and identification.

According to the research:

  • a botnet of a mere 6,000 infected devices could be enough to shut down half a local 911 center’s answering points
  • a botnet of 50,000 devices would be able to jam 90% of a center’s resources
  • and a botnet of 200,000 could put the entire country’s emergency services at risk

These numbers are relatively small compared to recent Android botnets found in the wild, such as HummingBad with 10 million infected devices, Viking Horde with over 200,000 infected devices, and DressCode with between 500,000 and 2 million infected devices.

Relying on the official app stores for your device’s integrity is not sufficient. Mobile malware poses a grave risk to users, and even to critical infrastructure. To protect their devices, both Android and iOS users must implement a comprehensive solution capable of advanced app analysis and of blocking unknown threats.

Learn more: Check Point Mobile Threat Prevention

See it in action: Schedule a demo of Mobile Threat Prevention

Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.