Now that the weather is getting warmer outside, and with the
huge anticipation of receiving a timely tax refund (this is assuming of course,
you file electronically), many Americans will now want to get instant access to
any and or all of their financial accounts (even including credit card) to make
sure that they have enough to do things on the whim. A lot of this can be done via the mobile
apps, which are either available on the Apple Store or Google Play.
Or very often, the financial institution may even offer a
link as to where you can download their particular app. Studies have even shown that almost 87% of the
American population now uses some kind of mobile app on their smartphone to get
access to this kind of information.
But of course, as something gets popular in usage, it can
only mean one thing on the flip side:
The Cyberattacker is going to be there.
In fact, mobile app theft, as it relates to your financial
app, has increased by a whopping 600% since 2015. This means that 1/20 apps will be prone to an
attack in which your personal data will be stolen.
But just because you downloaded an app from a reputable
source does not meant that you are completely out of the woods. The Cyberattacker
has now found a new way in which to deploy a malicious payload onto it.
These are known technically as “Dropper Apps”. This is occurs when the hacker can drop
pieces of it over periods of time, without you noticing it.
Once all of it has been collected and assembled back into
its original state, the malicious payload will then remain dormant for long
period of time, collecting all of your personal information, and sending that
back to the Cyberattacker.
So while you may think you may be safe because you are at
encrypted website, there could be a probability that your mobile could be
infected with this kind of malicious payload, and sending all of your keystroke
patterns back to malicious third party.
In fact, these Dropper Apps are so covert any traditional anti-virus
software that you may use on your wireless probably will not even pick it up.
It is important to note here that this hacks have mostly originated
from the mobile apps that have been downloaded from Google Play, when compared
to Apple, is known to have much laxer security standards.
Although this platform has automated tools that routinely scan
for any lines of malicious source code once the app has been uploaded by the software
development team, it has come to the point now where the Cyberattacker can
misdirect these scans in certain areas.
And it is here where these Dropper Apps are then deployed, going
undetected. So thus, once the end user
has downloaded this app, he or she basically has infected machine. But interestingly enough, these Dropper Apps
are not completely activated until the victim actually updates their particular
mobile app.
Once they are initiated, the Dropper Apps can then deploy keylogging
software, attempt to gain root access to the wireless device, launch smaller
bits of malicious code, and even misdirect the victim to a phony website, which
to them, will look like the real thing.
Yes, this does sound scary. But what can be done to prevent this
from happening? Truthfully, no matter
how much a bank does, there will always be some sort of risk. Keep in mind that both Google Play and Apple
Store are recipients of literally of thousands of mobile apps in a single
day.
Software developers are constantly creating new ones, and
the push do upload more to these platforms becomes even greater. Thus, even these automated scanning also have
their limits. There is only so much
scanning they can do in a pre-defined time limit, and if they are overloaded,
they too can break down.
But this is where the responsibility of both Google and
Apple come in. They need to keep continually
upgrading their automated tools in order to make sure that all apps that are
accepted for uploading are as secure as possible.
As I have mentioned earlier, Apple has a very strong record
in this regard. They will not let any software development team upload their
newly created app until it has been thoroughly vetted by the requirements set forth
by Apple.
Unfortunately, Google does not have requirements that are so
high. Thus, software developers have
greater liberties to pretty much upload whatever they have created. This is where most of the Dropper Apps have
originated from.
The next line of responsibility comes from the financial
institutions themselves. In the rush to
save costs, many of them now outsource their software code development to other
places, where security is not such a high priority.
In my view, this thinking needs to be changed. It all comes down the old proverbial
statement, “You get what you pay for”.
Perhaps it would be far better to pay more $$$ to have the source
code development for the mobile app done locally, where the CISO can detail and
enforce the security details that are required for creating a safe mobile
app. One of these should be testing for
any vulnerabilities in the source code at a modular level, and rectifying the
situation at that point, so it does not all get bottlenecked at the end.
Also, after the mobile app has been created, the IT Security
team of the financial institution should then check it in a sandboxed environment
to make sure that all vulnerabilities and gaps are remediated. Once this is done, only then should it be
released to Google or Apple, or even both.
Finally, you the, the customer have a role to play in this
as well. You need to take extra precautions
as well to make sure that you are downloading a safe mobile app, to the best of
your ability. This means doing a Google
search on the app to see if it has received any negative, reviews, and even
contacting the financial institution to make sure that their app you want to
download has been completely tested.
If possible, always try to download what you need from the Apple
Store.
My Thoughts On This:
Another key thing that you can do is reduce the attack
surface on your wireless device. This simply
means that do not go crazy and download every app that you want. Only get those
which you will absolutely need on a daily basis, for both your personal and professional
uses. I know of plenty of people who
have gone “app crazy”, their screens have become nothing but squares. This only opens the door to the Cyberattacker
to penetrate through, given the plethora of choices they now have.
In the end, always trust your gut. If something seems not right, then simply don’t
download it. There are other ways to get
to what you need to access.
Finally, more technical information about the Dropper App
can be seen here at this link:
https://www.darkreading.com/application-security/malware-operator-employs-new-trick-to-upload-its-dropper-into-google-play
No comments:
Post a Comment