Saturday, March 5, 2022

3 Golden Keys To Unlock Protection From The Dropper App

Now that the weather is getting warmer outside, and with the huge anticipation of receiving a timely tax refund (assuming, of course, that you file electronically), many Americans will want instant access to any or all of their financial accounts (including credit cards) to make sure that they have enough to do things on a whim.  A lot of this can be done via mobile apps, which are available on either the Apple Store or Google Play.

Very often, the financial institution itself will even provide a link to where you can download its particular app.  Studies have shown that almost 87% of the American population now uses some kind of mobile app on their smartphone to get access to this kind of information.

But of course, as something becomes popular, it can only mean one thing on the flip side:  the Cyberattacker is going to be there too.

In fact, mobile app theft, as it relates to your financial apps, has increased by a whopping 600% since 2015.  This means that 1/20 apps will be prone to an attack in which your personal data is stolen.

But just because you downloaded an app from a reputable source does not mean that you are completely out of the woods. The Cyberattacker has now found a new way to deploy a malicious payload onto it.

These are known technically as “Dropper Apps”.  Here, the hacker drops pieces of the malicious payload onto your device over a period of time, without you noticing it.

Once all of the pieces have been collected and assembled back into their original state, the malicious payload will then remain hidden for a long period of time, collecting all of your personal information and sending it back to the Cyberattacker.

So while you may think you are safe because you are on an encrypted website, there is a real probability that your mobile device could be infected with this kind of malicious payload and be sending all of your keystroke patterns back to a malicious third party.

In fact, these Dropper Apps are so covert that any traditional anti-virus software you may use on your wireless device probably will not even pick them up.

It is important to note here that these hacks have mostly originated from mobile apps downloaded from Google Play, which, compared to Apple, is known to have much laxer security standards.

Although this platform has automated tools that routinely scan for any lines of malicious source code once the app has been uploaded by the software development team, it has now come to the point where the Cyberattacker can misdirect these scans in certain areas.

And it is here that these Dropper Apps are deployed, going undetected.  Thus, once the end user has downloaded such an app, he or she basically has an infected device.  But interestingly enough, these Dropper Apps are not completely activated until the victim actually updates that particular mobile app.

Once they are activated, the Dropper Apps can then deploy keylogging software, attempt to gain root access to the wireless device, launch smaller bits of malicious code, and even misdirect the victim to a phony website which, to them, will look like the real thing.

Yes, this does sound scary. But what can be done to prevent it from happening?  Truthfully, no matter how much a bank does, there will always be some sort of risk.  Keep in mind that both Google Play and the Apple Store receive literally thousands of mobile apps in a single day.

Software developers are constantly creating new ones, and the push to upload more to these platforms becomes even greater.  Thus, even these automated scanners have their limits.  There is only so much scanning they can do within a pre-defined time limit, and if they are overloaded, they too can break down.

But this is where the responsibility of both Google and Apple comes in.  They need to keep continually upgrading their automated tools in order to make sure that all apps accepted for upload are as secure as possible.

As I mentioned earlier, Apple has a very strong record in this regard. They will not let any software development team upload their newly created app until it has been thoroughly vetted against the requirements set forth by Apple.

Unfortunately, Google does not have requirements that are as high.  Thus, software developers have greater liberty to upload pretty much whatever they have created.  This is where most of the Dropper Apps have originated.

The next line of responsibility comes from the financial institutions themselves.  In the rush to save costs, many of them now outsource their software development to other locations, where security is not such a high priority.

In my view, this thinking needs to change.  It all comes down to the old proverbial saying, “You get what you pay for”.

Perhaps it would be far better to pay more $$$ to have the source code for the mobile app developed locally, where the CISO can specify and enforce the security requirements for creating a safe mobile app.  One of these should be testing for vulnerabilities in the source code at the module level and fixing them at that point, so that it does not all get bottlenecked at the end.

Also, after the mobile app has been built, the IT Security team of the financial institution should then check it in a sandboxed environment to make sure that all vulnerabilities and gaps have been remediated.  Only once this is done should it be released to Google or Apple, or even both.

Finally, you, the customer, have a role to play in this as well.  You need to take extra precautions to make sure, to the best of your ability, that you are downloading a safe mobile app.  This means doing a Google search on the app to see whether it has received any negative reviews, and even contacting the financial institution to make sure that the app you want to download has been completely tested.

If possible, always try to download what you need from the Apple Store.

My Thoughts On This:

Another key thing that you can do is reduce the attack surface on your wireless device.  This simply means: do not go crazy and download every app that you want. Only get those which you absolutely need on a daily basis, for both your personal and professional uses.  I know of plenty of people who have gone “app crazy”; their screens have become nothing but squares.  This only opens the door for the Cyberattacker to penetrate through, given the plethora of choices they now have.

In the end, always trust your gut.  If something does not seem right, then simply don’t download it.  There are other ways to get to what you need to access.

Finally, more technical information about the Dropper App can be seen here at this link:

https://www.darkreading.com/application-security/malware-operator-employs-new-trick-to-upload-its-dropper-into-google-play
