Security vendor RiskIQ has warned of the risk of a Halloween nightmare from malware infected apps. The warning comes in a blog from Ian Cowger, Security Researcher, RiskIQ. Cowger wants people to think before they grab an app to make Halloween more fun.
How bad is the problem?
This is not just about rogue games waiting to trap the unwary. Malware writers like to spread their attacks across a range of different types of apps. Among these are device themes, apps and information services.
A simple keyword search for ‘Halloween’ inside the RiskIQ platform, which monitors more than 100 app stores around the world, shows more than 7,000 blacklisted mobile apps, approximately 1,400 of which are inside the Google Play store.
Cowger lists three things to be on the lookout for:
Beware of too many permission requests: Excessive permissions are a major problem with apps. It is not just apps looking to install malware that will trigger this warning. Apps developers want data so that they can better market their app but also so that they have something to sell on. Cowger calls out an app called Halloween saying it: “calls for 128 different permissions.” Among those are access to texts, calls and even the ability to lock a phone.
Lots of downloads or positive reviews don’t mean an app isn’t harmful: Reputation means nothing. Over the last few years hackers have become smarter. Some release good apps, establish their reputation and then deliver a payload. Others simply game the review systems by using botnets to post positive reviews. Cowger says: “Before downloading an app, be sure to take a look at the developer—if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.”
Cowger explains how a seemingly harmless app can be a risk. “The ‘Halloween Weather Widget Theme’ appears to be a harmless weather app, boasting over 50,000 downloads. But RiskIQ’s blacklist reveals that it’s flagged by multiple vendors for delivering Android/Anydown.J, a variant of the Android.Rootnik trojan. The app is currently still up and active in the Google Play store with a strong user rating.”
Like an app? Know what’s under its mask: This is where Cowger might struggle to see users do the right thing. He wants users to take a deeper look at the apps before downloading them. Part of this includes validating the developer. Using a free email account such as Gmail could be “an enormous red flag” according to Cowger. It’s never quite as easy as that.
Cowger highlights ‘Halloween Screensaver FREE’ as a good example. As a Halloween theme, it may look innocent enough, but it’s flagged by six different antivirus vendors, including a Zillya detection for Downloader.OpenConnection.JS, which attempts to download and execute files from an arbitrary host.
The democratisation of software development means anyone can write and release an app. Many people don’t own their own domains and do not want to use their work email so they use a free email address. Poor grammar, always a red flag in phishing emails, could simply be a result of using Google translate.
Conclusion
Spotting malware is never as easy as researchers and security professionals think. Users lack their skill sets and intuition. While Cowger lists some key things to look for, the reality is that many people won’t bother. All they want is their phone to look spooky for Halloween. The last thing they expect is the monsters to end up inside their phone.
Malware developers are good at selling their wares to people. They know that most people don’t bother to check the apps they use. They will often go to an app store and download something free especially it is has a lot of reviews. Cowger wants users to just pause and think first. The risk is not just to their device or data. If the device is also used for work then they could end up infecting other people in the business.
