Cybersecurity Technology & Innovation
Feature July 26, 2020

App stores in focus

By Trey Herr, June Lee, Will Loomis, and Stewart Scott

This dataset features many software supply chain attacks that involve app stores. These stores are a common feature of the software ecosystem and how many users interact with the software supply chain on a regular basis, serving as a marketplace for apps and updates from third-party developers. Some apps fulfill specific functions, like advanced graphing calculators or audio editing suites. Others integrate productivity services like the Google Drive and Gmail apps for iOS. A few enable features relying on access to multiple devices, like two-factor authentication, and still more provide a window to massively popular platforms like Facebook, Instagram, and Snapchat. As a consolidated venue, app stores simplify users search for software that maximizes the value of their devices. However, as a high-traffic download center connecting end-users to third party developers, app stores have become a popular way to attack the software supply chain.  

App store attacks generally unfold in one of three ways:  

Attackers build their own applications, designed to appear legitimate, which may function as advertised (e.g. providing wallpapers, tutorial videos, or games). Yet hidden in those applications is malicious software. When attackers create their own applications, they sometimes impersonate legitimate examples through typosquatting or by posing as updates.

Expensive Wall (2017) 
Expensive Wall is named after one of several apps that attackers uploaded to the Google Play Store including Lovely Wallpaper which provided background images for mobile users. The malicious software in the apps evaded Google Play’s screening system using encryption and other obfuscation techniques. The malware, once downloaded, charged user accounts and sent fraudulent premium SMS messages, driving revenue to the attackers. They could also be easily modified to extract sensitive data and even microphone recordings from victims’ machines. The malware was eventually found in more than 50 applications downloaded between 1 and 4.2 million times before being removed from the store (installed apps remained on devices until users opted to remove them however).  

Other cases: Fake WhatsappEgyptian OAuth Phishing and AppsDroidDream and DroidDream LiteGooligan.

Attackers repackage applications, meaning they add their own malicious code to a legitimate app and then bundle it as a complete item for download, usually on third party sites.  

Pokemon Go and DroidJack (2016) 
Attackers repackaged Android versions of Pokemon Go to include the DroidJack malware, which could access almost all of an infected device’s data and send it to an attacker command-and-control server by simply asking for extra application permissionsDroidJack is a popular piece of malicious software and can also be used to steal text messages, contact details, and call logs. The attackers placed the malware-infested app on third party stores to take advantage of the game’s staggered release schedule, preying on users looking for early access to the game.  

Other cases: Sandworm Android AttackApple’s App Store 17Second Winnti Group Gaming AttackGeminiJoker malware family 

Attackers compromise the software used to develop apps, or software development kits (SDKs), allowing them to inject malware into legitimate apps just as they are created. Whatever the model, malicious actors make an effort to obfuscate their malware to evade detection by app store curators. 

XcodeGhost / Xcode (2015) 
Attackers uploaded malicious alterations of Xcode, an iOS and OS X app development tool, to Chinese file sharing services like Baidu Yunpan. The third-party versions were popular in China and downloaded much more quickly than licensed versions hosted outside of the country. Though apps made with the compromised versions of XCode passed Apple Store security checks, they contained malware with a variety of functions. They could send user data to a command and control server, prompt fake alerts used for phishing, open some URLs, and read from and write to the user’s clipboard, enabling password and payment credential theft. Infected apps included versions of WeChat, WinZip, China Unicom Mobile Office, and NetEse Cloud Music, which compromised over 500 million users, mostly in China and the Asia-Pacific region. Disagreement about the number of infected apps persists, with some estimating there may have been as many as 4,000. Apple eventually made licensed copies of Xcode available for download from China to combat the problem.  

Other cases: SimBadOperation SheepGoogle Play Store Misfire 

Once attackers have managed to slip malware into an app store, they have several options for distributing it. In our database, the majority of attacks went through the Google Play Store. As the proprietary store for Android mobile applications, its significant traffic and its security, repeatedly criticized as lax, make it an attractive target. The Apple App Store, on the other hand, has more stringent requirements for third party applications, leading to a significantly lower rate of compromise in this dataset. Attacks that did breach its protections tended to be more complex and go undiscovered for many months. Malicious apps were also found in third-party distributors, which house illegitimate copies of apps not available in certain regions and host local versions for quicker downloads when national firewall permit.  

The manner in which an attacker inserts their malware into an app often determines which app store spreads the malicious code. With a compromised SDK, the developer ends up making the choice for the attacker, sometimes leading to incompatibility between malware and infected devices. Such a mismatch can result in widespread infections with minimal effect, as in 2018, when at least 145 Google Play Store apps were found laced with malware that had no effect on the devices it had infected. The malware had been designed to record keystrokes on Windows machines, not Android phones. When attackers repackage legitimate apps, they usually limit themselves to unlicensed third-party distributors, where modified applications are more easily distributed without sending up red flags. Impersonating or repackaging well-known apps, infecting widely used SDKs, and infiltrating proprietary application stores with several applications at the same time all tend to lead to higher numbers of infected machines. 

The malicious payloads themselves can have a variety of effects. Many are employed as part of a criminal scheme to generate revenue by running background ads (adware), stealing payment information, diverting payments to attacker-owned Bitcoin wallets, or sending SMS payments. The proximity of many app stores to payment information—think of credit cards associated with app store accounts—and the banality of apps requesting permissions from users make these viable targets for attackers. Some apps also stole device and user data, either bundling and forwarding it for sale or using it for surveillance. Several apps also stole credentials for related accounts (often Google accounts) and used device access to boost the ratings and reviews of the infected apps themselves, making them more visible and leading to more downloads.  

App stores and hubs are a popular target for software supply chain attacks on large numbers of users, exploiting trust in proprietary app ecosystems and the security of storefronts like Play Store and App Store. Security for these hubs will always be a process of attack and defense but even this snapshot underlines just how careful users have to be in selecting and loading apps on their phone, staying alert for security notices, and hoping that their phone isn’t soon to be the next great target in the software supply chain. 

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Related Experts: Trey Herr, Stewart Scott, and Will Loomis