Lookout Endpoint Security
Endpoint Security

May 25, 2016

min read

5 Active Mobile Threats Spoofing Enterprise Apps

Enterprise employees use mobile apps every day to get their jobs done, but when malicious actors start impersonating those apps, it spells trouble for IT departments everywhere.

Lookout recently researched five families of malware doing just that: spoofing real enterprise apps to lure people to download their malware. Our dataset of mobile code shows that these five, active mobile malware families often impersonate enterprise apps by ripping off the legitimate app’s name and package name. These apps include Cisco’s Business Class Email app, ADP, Dropbox, FedEx Mobile, Zendesk, VMWare’s Horizon Client, Blackboard’s Mobile Learn app, and others.

All Lookout customers are protected from these threats.

Each family uses this tactic as a means to different ends. You can check out a list of the families and their various malicious aims below.

Profiting from trickery

In order to stay afloat, malware authors use a number of tricks to get new victims: one of these is pretending, in some capacity, to be a popular app or brand that people trust. It’s the classic wolf in sheep’s clothing trick and mostly eliminates the need for that malware to do much more convincing.

In this case, these malware families are specifically spoofing an app’s legitimate package name, either using the same package name or one very similar, as well as the app’s name (e.g. “ADP Mobile Solutions”).

For enterprises, this is concerning as many of these apps are either likely to be used by an employee or are technologies that could be deployed by an enterprise, such as Cisco or VMWare. Employees are also more likely to trust enterprise brands they know and work with daily. Because of that, they are more likely to award permissions to apps pretending to be those trusted brands, and less likely to uninstall them.

Impact on the enterprise

The fact that mobile malware authors are moving to this kind of trickery is no shock to us. Enterprise data is valuable and mobile attacks on enterprises are actually happening. According to a report from The Ponemon Institute, 67% of IT and security pros say that their organization has likely already been hit by an attack through mobile. Another 83% confirm employees’ mobile devices are susceptible to attack. This means that mobile has become a legitimate vector for enterprise breach, a vector that is being actively used by criminals.

Unfortunately, MDM (mobile device management) isn’t a silver bullet here. These types of management solutions often allow enterprises to blacklist (i.e. block specific apps from running on a device) or whitelist (i.e. exclusively allow specific apps to run on a device). MDMs do this using the app’s package name. If an enterprise uses FedEx, for example, and whitelists the shipping company’s app as okay to run on a device, a malicious application using the same package name would easily slip by this mechanism.

In general, the idea that mobile devices running MDM are not impacted by malware is wrong: around 33 out of 1,000 devices running major MDM brands still encounter malware, according to Lookout research observing devices running these solutions. This is just as often as those device not running MDM solutions. This means devices running MDMs will still come in contact with malware, and will need to trust that the security and management solutions running on the device will detect the malware, flag it, and help remediate the situation quickly.

Here’s a look into some of the mobile malware pretending to be these legitimate enterprise apps:


What does it do?

A screenshot from Lookout's previous research into Shuanet.

Shuanet automatically roots a device, installs itself on the system partition (which makes it very difficult to remove), and then installs further applications at will. These applications could be malicious or could be benign apps, pushed to the phone as part of a scheme to get more downloads. Shuanet may also push very aggressive and intrusive advertising to the device.

What is the risk to an enterprise?

A threat that can root a device and install further applications is particularly concerning because of a few factors. First, rooted devices are devices in an altered state of security. Oftentimes people will root a device to customize it, but they may not know how to properly configure security on the device post-root and also may not receive regular software updates. Secondly, malware like Shuanet not only roots the device, it then installs itself in the system partition, making it very difficult to remove. Even factory resetting a device infected with malware like Shuanet does not remove the threat. Lastly, malware that installs applications could drop further malicious apps onto the device, putting the device and its data at risk.

Is it live? Yes, this threat is currently active.

Examples of apps it spoofs: ADP Mobile Solutions, CamCard Free, Cisco Business Class Email (BCE), Duo Mobile, Google Authenticator, VMWare Horizon Client, Zendesk, Okta Verify


What does it do?

Originally developed as a university project to create a “remote administration tool,” AndroRAT allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.

What is the risk to the enterprise?

Hidden remote access software allows an attacker to easily exfiltrate data, corporate and personal, from the mobile device. Also, having continued remote access to a mobile device allows an attacker to infiltrate corporate wifi networks and VPNs that the infected device connects to.

Is it live? Yes, this threat is currently active.

Examples of apps it spoofs: Dropbox, Skype, Business Calendar


What does it do?

UnsafeControl can collect contact information and download it to a third-party’s server. It also has the ability to spam that contact list or send SMS messages to phone numbers specified by its command and control (CNC) servers. The message content is also specified by the CNC.

What is the risk to the enterprise?

Malware like UnsafeControl steals contact information, which can be considered very sensitive information to many enterprises. For example, the contacts within a Chief or VP of Sales’ device might be a competitive advantage for a company.

Is it live? Yes, this threat is currently active.

Examples of apps it spoofs: FedEx Mobile, Google Keep, Remote VNC Pro, Sky Drive, PocketCloud, Skype


What does it do?

PJApps may collect and leak the victim’s phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.

What is the risk to the enterprise?

Malware like PJApps is generally using its functionality for monetary gain, but the technology itself is concerning. Threats that collects location information is generally concerning, but especially when considering executives’ devices. This could mean revealing information about a business’ plans. As discussed, the ability to download further applications to a device also opens the device up to new types of malicious software.

Is it live? Yes, this threat is currently active.

Examples of apps it spoofs: CamScanner

Keeping your enterprise safe

The concern is that one of these apps might actually trick an employee who is just looking to FedEx a package or scan a business card in their everyday working activities, and inadvertently put the enterprise at risk. Unfortunately, just having an MDM solution won’t protect you from these threats.

The majority of these apps are likely downloaded through third-party marketplaces and drive-by download attacks. That said, we regularly see malware in official app stores. Even when employees are acting sensibly, there is still potential for attack.

Visibility is a necessary component of mobile security. While your employee might not know what they’re downloading, with the right tools, IT administrators can see, almost immediately, that a seemingly innocuous app is actually a threat to corporate data.


Lookout researchers used the Mobile Intelligence Center to query our dataset of the world’s mobile code for popular enterprise app package names that the Lookout Security Cloud and our security researchers previously deemed malicious.