Lookout Threat Intelligence

March 24, 2021

When Legit Apps Turn Malicious. Hint: It Happens Often

A popular Android app, Barcode Scanner, was recently found to be infected with adware. After an update in late 2020, it started pushing advertising to users without warning. The QR code scanning app has been on the Google Play Store for years with over 10 million downloads and a high rating from users. So what happened?

This actually happens pretty often. App developers often integrate advertising software development kits (SDKs) so they can show advertisements to users, something that’s especially crucial for free apps. We’ve seen cases where the SDKs themselves become too aggressive or even malicious. In this case, it was clear that the Barcode Scanner developer obfuscated their malicious code on purpose to avoid being detected.

The lesson here is that app threats are ever-evolving. In this case, malicious code affected millions of devices with a simple update. Luckily, the intention was to aggressively surface ads. But what if more sophisticated code was added? So whether you’re an individual or run an organization, you need visibility into what your apps are doing on your smartphone, tablet or Chromebook.

Could this have happened to any app?

As a security researcher, I see this happen the most to apps that have basic functionality. Barcode Scanner is a QR code scanner, but it could’ve been a flashlight app or a wallpaper app. Malicious actors want to use something that has a simple codebase that can easily be altered. Also, these types of apps often have a big user base.

There are two main ways that a legitimate app turns malicious:

  • The first one involves the original developer of an app going rogue and embedding malware. We’ve seen this happen many times, including in 2019 with BeiTaAd, which was embedded in over 200 apps that collectively had over 440 million installs.
  • The second tactic tends to happen to apps developed by independent developers. Often these developers are willing to sell their apps for a fair price, and sometimes the buyers include malicious actors. These actors might pay more for the original developer certificate, other associated accounts and the upload keys.

Once the buyer has acquired the app and assets, they can quickly implement malicious code. And since they now own the keys, certificates and accounts associated with the app, the actor can quietly push an update without setting off any alarm bells.

Am I prepared to protect against a legit-turned-malicious situation?

Whether it’s scenario one or two, what you need to pay attention to is how quickly and stealthily an app can flip from innocuous to malicious. Your employees are increasingly using their mobile devices for work. Updating apps is something that happens on a daily basis. To secure your employees and your organization, you need to understand what malicious behavior looks like and take action in real time.

This is an impossible task if your organization has a bring-your-own-device (BYOD) program, as you have no control or insight into what is on those mobile devices. This is also a great example of where deploying mobile device management (MDM) would not help. Enrolling your employees’ devices in MDM helps you manage and push updates to apps, but it doesn’t provide enough visibility. When a malicious actor has purchased everything from the previous developer, an MDM will assume the app is still safe as nothing has changed.
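To make the point above concrete, here is an added example (not Lookout's code or detection logic) that compares two versions of an app: a signer-only check passes because the keys were handed over, while a diff of permissions and embedded code packages surfaces the change. The app name, SDK package prefix, fingerprint and watchlist are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppVersion:
    version: str
    signer_sha256: str         # fingerprint of the signing certificate
    permissions: frozenset     # permissions declared in the manifest
    code_packages: frozenset   # package prefixes found in the app's code


def signer_only_check(old, new):
    """Trust decision based on key continuity alone: same signer, so accept."""
    return old.signer_sha256 == new.signer_sha256


def review_update(old, new, watchlist=frozenset()):
    """Return findings about what the update changed, whoever signed it."""
    findings = []
    if old.signer_sha256 != new.signer_sha256:
        findings.append("signer changed")
    for perm in sorted(new.permissions - old.permissions):
        findings.append(f"new permission: {perm}")
    for pkg in sorted(new.code_packages - old.code_packages):
        known = any(pkg.startswith(prefix) for prefix in watchlist)
        findings.append(f"{'watchlisted' if known else 'new'} code package: {pkg}")
    return findings


# Constructed sample data: the same key signs both versions.
SIGNER = "ab" * 32
V1 = AppVersion("1.0", SIGNER,
                frozenset({"android.permission.CAMERA"}),
                frozenset({"com.example.scanner"}))
V2 = AppVersion("1.1", SIGNER,
                frozenset({"android.permission.CAMERA",
                           "android.permission.INTERNET",
                           "android.permission.RECEIVE_BOOT_COMPLETED"}),
                frozenset({"com.example.scanner", "com.example.adsdk"}))
WATCHLIST = frozenset({"com.example.adsdk"})  # hypothetical SDK prefix

if __name__ == "__main__":
    print("signer-only check passes:", signer_only_check(V1, V2))
    for finding in review_update(V1, V2, WATCHLIST):
        print("-", finding)
```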

How do I secure my organization against app risks?

With many of us continuing to work away from the office, your perimeter-based security solutions are no longer available. Barcode Scanner should serve as a reminder that, without visibility into the components that make up mobile apps, you’re running with a blind spot in your risk, compliance and security posture.

There are two things you should do to secure against app risks:

  • First, educate your users on the consequences apps can have on themselves and on the organization. Even something like excessive permissions could jeopardize personal and corporate data.
  • The second recommendation is to deploy a comprehensive mobile security solution that leverages machine learning and crowdsourced data. To have real-time visibility into the risks apps pose to your organization, you need to know what risks look like without needing to scan content.

To understand app risks and learn how you can keep your organization compliant, check out the Lookout Risk and Compliance solution.