Lookout Coverage and Recommendation for Admins
Lookout users are protected from both the malicious website and the malicious app noted in this report. To ensure protection across the entire mobile fleet, Lookout admins should first enable Phishing & Content Protection (PCP) in the Lookout admin console. This protects against threats like this one, which use malicious sites to deliver malware to mobile devices.
To protect against malicious and risky apps, admins can do two things in the Lookout admin console. First, they can review the application policies in the console, setting appropriate risk levels and responses so that end users can resolve most issues on their own. Second, they can search their own fleet to understand which apps have access to sensitive data, which is critical for compliance and data privacy, and denylist any apps that violate their overarching data policies.
A malicious version of the legitimate app RedAlert - Rocket Alerts was recently discovered when Cloudflare became aware of a malicious website hosting it. The open-source app, which provides timely alerts about incoming airstrikes in the wake of the conflict between Israel and Hamas, has been popular amongst people living in Israel.
Research from Cloudflare suggests that the malicious version of the app was being hosted on a domain that differed from the app’s legitimate website by only one letter. In addition, the malicious website linked to the infected version of the Android app but the legitimate version of the iOS app. The malicious Android app is able to collect highly sensitive data including the full contact list on the device, all SMS messages and call data, installed applications, and any logged-in email or app accounts.
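As an added example (not Lookout's or Cloudflare's code), the following defender-side check flags hostnames seen in proxy or DNS logs that sit within one edit of a protected domain, the lookalike pattern described above. The domain names and log URLs in it are constructed placeholders, not the real RedAlert site.

```python
# Added example: flag observed hostnames within one edit of a protected domain.
# All domains below are constructed placeholders, not the real sites from the report.
from urllib.parse import urlsplit


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL with any leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def flag_lookalikes(urls, protected, max_distance=1):
    """Return (url, protected_domain, distance) for near-miss hosts.

    Exact matches are the legitimate site and are skipped; anything
    1..max_distance edits away from a protected domain is reported.
    """
    hits = []
    for url in urls:
        host = host_of(url)
        for legit in protected:
            if host == legit:
                continue
            d = edit_distance(host, legit)
            if 0 < d <= max_distance:
                hits.append((url, legit, d))
    return hits


# Constructed sample log lines (placeholders only).
SAMPLE_URLS = [
    "https://redalert-example.test/app.apk",    # the legitimate placeholder site
    "https://redalrt-example.test/app.apk",     # one character deleted
    "https://redalert-examp1e.test/download",   # one character substituted
    "https://news.example.org/story",           # unrelated host
]
PROTECTED = ["redalert-example.test"]

if __name__ == "__main__":
    for url, legit, d in flag_lookalikes(SAMPLE_URLS, PROTECTED):
        print(f"lookalike of {legit} (distance {d}): {url}")
```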
This situation is an example of how societal disruption creates opportunity for malicious actors - especially when people are unsure how to navigate a situation. For example, at the start of the COVID-19 pandemic, Lookout researchers saw a massive spike in malicious phishing links related to the pandemic, government aid, and information about vaccines. Researchers even discovered a campaign that distributed malware through online watering holes using COVID as the lure.
Leveraging a crisis to increase the likelihood that a social engineering campaign succeeds in delivering invasive malware to its target is a lethal attack chain. The malicious version of the RedAlert app exemplifies two critical risks on mobile devices - malicious URLs and sideloaded apps that aren’t hosted in the Play Store or App Store. It shows that not all malicious links are built for phishing; they can also be used to deliver malware to the target. In fact, Lookout data shows that 55% of malicious links were intended to deliver malware in Q3 of 2023. While the malicious website discovered by Cloudflare has been taken down, it’s still possible that malicious versions of this app are present in the wild.
Related Threat Discoveries
CVE-2023-5217 is a vulnerability disclosed in libvpx that affects multiple browsers that use libvpx including Chrome, Firefox, and Firefox Focus for Android