
July 26, 2020

App stores in focus

By Trey Herr, June Lee, Will Loomis, and Stewart Scott

This dataset features many software supply chain attacks that involve app stores. These stores are a common feature of the software ecosystem and the way many users interact with the software supply chain on a regular basis, serving as a marketplace for apps and updates from third-party developers. Some apps fulfill specific functions, like advanced graphing calculators or audio editing suites. Others integrate productivity services like the Google Drive and Gmail apps for iOS. A few enable features relying on access to multiple devices, like two-factor authentication, and still more provide a window to massively popular platforms like Facebook, Instagram, and Snapchat. As a consolidated venue, app stores simplify users' search for software that maximizes the value of their devices. However, as a high-traffic download center connecting end users to third-party developers, app stores have become a popular way to attack the software supply chain.

App store attacks generally unfold in one of three ways:  

Attackers build their own applications, designed to appear legitimate, which may function as advertised (e.g. providing wallpapers, tutorial videos, or games). Yet hidden in those applications is malicious software. When attackers create their own applications, they sometimes impersonate legitimate examples through typosquatting or by posing as updates.
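The impersonation described above relies on names that are one typo or one confusable character away from a real app. As an added example (not code from the article or from any app store's own review pipeline), the following check is the kind of screen a store curator could run on a newly submitted package name: it folds visually confusable character sequences and then measures edit distance against a list of well-known packages. The list of known packages, the confusable pairs, and the submitted names are all constructed for illustration.

```python
# Added example: lookalike detection for submitted package names.
# Known list, confusable table and thresholds are constructed assumptions.

# Constructed list of popular package names the check protects.
KNOWN_PACKAGES = [
    "com.whatsapp",
    "com.facebook.katana",
    "com.instagram.android",
    "com.snapchat.android",
]

# Character sequences that look alike in many fonts; each is folded to one form
# so that "rn" vs "m" or "0" vs "o" cannot slip under the edit-distance check.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("0", "o"),
    ("1", "l"),
    ("i", "l"),  # folds both "i" and "1" to "l"
]


def normalize(name):
    """Lower-case a package name and fold confusable sequences."""
    out = name.lower()
    for src, dst in CONFUSABLES:
        out = out.replace(src, dst)
    return out


def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def find_lookalikes(candidate, known=KNOWN_PACKAGES, max_distance=2):
    """Return (known_name, distance) pairs the candidate is suspiciously close to.
    An exact match is the genuine package, not a lookalike, so it is skipped.
    A distance of 0 means the names differ only by confusable characters."""
    norm_c = normalize(candidate)
    hits = []
    for k in known:
        if candidate == k:
            continue
        d = edit_distance(norm_c, normalize(k))
        if d <= max_distance:
            hits.append((k, d))
    return sorted(hits, key=lambda h: h[1])


def review(candidate, known=KNOWN_PACKAGES):
    """Human-readable verdict for a submission queue."""
    hits = find_lookalikes(candidate, known)
    if not hits:
        return "ok"
    return "hold for review: resembles " + ", ".join(
        f"{k} (distance {d})" for k, d in hits
    )


if __name__ == "__main__":
    for name in ["com.whatsap", "com.vvhatsapp", "com.facebook.katana", "org.example.calculator"]:
        print(f"{name}: {review(name)}")
```

The threshold of two edits is a tuning choice: too low misses creative misspellings, too high floods reviewers with false positives on short names, so in practice the distance would be scaled to the length of the known name.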

Expensive Wall (2017) 
Expensive Wall is named after one of several apps that attackers uploaded to the Google Play Store, including Lovely Wallpaper, which provided background images for mobile users. The malicious software in the apps evaded Google Play's screening system using encryption and other obfuscation techniques. The malware, once downloaded, charged user accounts and sent fraudulent premium SMS messages, driving revenue to the attackers. It could also be easily modified to extract sensitive data and even microphone recordings from victims' machines. The malware was eventually found in more than 50 applications downloaded between 1 and 4.2 million times before being removed from the store (installed apps remained on devices, however, until users opted to remove them).

Other cases: Fake Whatsapp; Egyptian OAuth Phishing and Apps; DroidDream and DroidDream Lite; Gooligan.

Attackers repackage applications, meaning they add their own malicious code to a legitimate app and then bundle it as a complete item for download, usually on third-party sites.

Pokemon Go and DroidJack (2016) 
Attackers repackaged Android versions of Pokemon Go to include the DroidJack malware, which could access almost all of an infected device's data and send it to an attacker command-and-control server, simply by asking for extra application permissions. DroidJack is a popular piece of malicious software and can also be used to steal text messages, contact details, and call logs. The attackers placed the malware-infested app on third-party stores to take advantage of the game's staggered release schedule, preying on users looking for early access to the game.
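Both cases above turn on permissions: premium SMS billing, microphone capture, and theft of texts, contacts and call logs are all things an app must be granted before it can do them. As an added example (not code from the article, from Google, or from any store's review tooling), the script below parses an Android manifest and compares the requested permissions with what an app of its category plausibly needs. The manifest is constructed for illustration (a wallpaper app asking for far more than wallpaper access); the permission strings are the real android.permission.* identifiers, and the "expected" set and risk explanations are assumptions.

```python
# Added example: permission review of an Android manifest before installation
# or store listing. Sample manifest and category expectations are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a "wallpaper" app that over-requests permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lovelywallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Permissions that enable the abuses seen in the cases above, with the reason
# each deserves scrutiny (explanations are the example's own wording).
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send premium-rate SMS billed to the user",
    "android.permission.READ_SMS": "can read SMS, including one-time codes",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.READ_CALL_LOG": "can harvest call history",
    "android.permission.RECORD_AUDIO": "can capture microphone audio",
}

# Constructed: what a wallpaper app plausibly needs.
WALLPAPER_EXPECTED = {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def flag_permissions(manifest_xml, expected):
    """Compare requested permissions with the category's expected set.
    Returns the full request list, the high-risk requests with reasons, and
    any remaining permission outside the expected set."""
    requested = requested_permissions(manifest_xml)
    high_risk = {p: HIGH_RISK[p] for p in requested if p in HIGH_RISK}
    unexpected = [p for p in requested if p not in expected and p not in HIGH_RISK]
    return {"requested": requested, "high_risk": high_risk, "unexpected": unexpected}


def verdict(report):
    """'reject' on any high-risk request, 'review' on unexpected lower-risk
    requests, otherwise 'accept'."""
    if report["high_risk"]:
        return "reject"
    if report["unexpected"]:
        return "review"
    return "accept"


if __name__ == "__main__":
    report = flag_permissions(SAMPLE_MANIFEST, WALLPAPER_EXPECTED)
    print(verdict(report))
    for perm, why in report["high_risk"].items():
        print(f"  {perm}: {why}")
```

A real reviewer would run this against the binary manifest extracted from the APK rather than source XML, and would also compare the signing certificate with the one used by earlier releases, since a repackaged app cannot be re-signed with the original developer's key.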

Other cases: Sandworm Android Attack; Apple's App Store 17; Second Winnti Group Gaming Attack; Gemini; Joker malware family.

Attackers compromise the software used to develop apps, or software development kits (SDKs), allowing them to inject malware into legitimate apps just as they are created. Whatever the model, malicious actors make an effort to obfuscate their malware to evade detection by app store curators.

XcodeGhost / Xcode (2015) 
Attackers uploaded malicious alterations of Xcode, an iOS and OS X app development tool, to Chinese file sharing services like Baidu Yunpan. The third-party versions were popular in China and downloaded much more quickly than licensed versions hosted outside of the country. Though apps made with the compromised versions of Xcode passed App Store security checks, they contained malware with a variety of functions. They could send user data to a command-and-control server, prompt fake alerts used for phishing, open some URLs, and read from and write to the user's clipboard, enabling password and payment credential theft. Infected apps included versions of WeChat, WinZip, China Unicom Mobile Office, and NetEase Cloud Music, which compromised over 500 million users, mostly in China and the Asia-Pacific region. Disagreement about the number of infected apps persists, with some estimating there may have been as many as 4,000. Apple eventually made licensed copies of Xcode available for download from China to combat the problem.

Other cases: SimBad; Operation Sheep; Google Play Store Misfire.

Once attackers have managed to slip malware into an app store, they have several options for distributing it. In our database, the majority of attacks went through the Google Play Store. As the proprietary store for Android mobile applications, its significant traffic and its security, repeatedly criticized as lax, make it an attractive target. The Apple App Store, on the other hand, has more stringent requirements for third-party applications, leading to a significantly lower rate of compromise in this dataset. Attacks that did breach its protections tended to be more complex and to go undiscovered for many months. Malicious apps were also found in third-party distributors, which house illegitimate copies of apps not available in certain regions and host local versions for quicker downloads when national firewalls permit.

The manner in which an attacker inserts their malware into an app often determines which app store spreads the malicious code. With a compromised SDK, the developer ends up making the choice for the attacker, sometimes leading to incompatibility between malware and infected devices. Such a mismatch can result in widespread infections with minimal effect, as in 2018, when at least 145 Google Play Store apps were found laced with malware that had no effect on the devices it had infected. The malware had been designed to record keystrokes on Windows machines, not Android phones. When attackers repackage legitimate apps, they usually limit themselves to unlicensed third-party distributors, where modified applications are more easily distributed without sending up red flags. Impersonating or repackaging well-known apps, infecting widely used SDKs, and infiltrating proprietary application stores with several applications at the same time all tend to lead to higher numbers of infected machines. 

The malicious payloads themselves can have a variety of effects. Many are employed as part of a criminal scheme to generate revenue by running background ads (adware), stealing payment information, diverting payments to attacker-owned Bitcoin wallets, or sending SMS payments. The proximity of many app stores to payment information—think of credit cards associated with app store accounts—and the banality of apps requesting permissions from users make these viable targets for attackers. Some apps also stole device and user data, either bundling and forwarding it for sale or using it for surveillance. Several apps also stole credentials for related accounts (often Google accounts) and used device access to boost the ratings and reviews of the infected apps themselves, making them more visible and leading to more downloads.

App stores and hubs are a popular target for software supply chain attacks on large numbers of users, exploiting trust in proprietary app ecosystems and the security of storefronts like the Play Store and the App Store. Security for these hubs will always be a process of attack and defense, but even this snapshot underlines just how careful users have to be in selecting and loading apps on their phones, staying alert for security notices, and hoping that their phone isn't soon to be the next great target in the software supply chain.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.