Blog

Apps That Go Bump in the Night

In the spirit of Halloween and unnervingly creepy things, there have been several articles recently about mobile attacks that involve stalker apps: for example, the Indian hacker group Donot Team’s attacks against Togolese human rights activists reported by Amnesty, or the recent New York Times article about several victims of stalker apps and the dire consequences and capabilities of such apps. As the public becomes increasingly aware of the existence of these nasty creatures, it’s an opportune time to talk about them.

What is a Stalker App?

On the surface it’s an innocent-looking calendar app or maybe a calculator app, but in reality it’s an app that is systematically leeching data from your device, everything from your SMS messages to your location, in real time. Think of something along the lines of a scene from Mr. Robot, or the Life360 app on steroids.

These have been around for a while, but as hackers have targeted mobile devices as a typically vulnerable attack surface, these attacks have become more prevalent and insidious. Each week we’re seeing reports of high-profile breaches through the mobile space.

Security Breaches, Mobile Breaches, Privacy Violations & Potential for Abuse

These types of breaches tend to hit on a personal level, because there is a difference between traditional security breaches and mobile breaches. Mobile breaches can put the lives of your employees in danger, as mobile devices are inherently personal. In a lot of ways, they’re our avatar to the online world. When those devices are breached, the potential for abuse and violation is horrifying.

With that in mind, let’s talk about privacy. In the traditional cybersecurity model, you’re deploying onto servers, workstations and laptops, normally owned by an organization, so there doesn’t tend to be much consideration given to the privacy of the user of that device.

In these types of models, when we talk about privacy what we are really talking about is data, and data exfiltration. How “private” is an organization’s data on that device? What are the chances of data being exfiltrated from that device, either maliciously or by accident?

On Android and iOS, all the above holds true, but there is another vital aspect to consider: the privacy of the device users themselves. I cannot state this clearly enough; cybersecurity is different on mobile devices from a technical point of view but also, more importantly, from a consequences point of view. These devices are constantly around us. They have GPS receivers, microphones and cameras, and access to our correspondence, contacts and texts.

A Sticky Situation: Device and Data Privacy

This is where things can get sticky. If the device is owned by an organization, what duty of care do you owe to the employee using that device? And if you do not own the device, but that privately owned device is being used to access organizational data and the organization’s network, you definitely need to worry about data privacy. Is that user compromising the organization’s data simply by checking their social media apps or sending a payment via a cash app?

As organizations’ mobile plans expand, they lead to these types of questions. Typically, apps have had an easy ride because users tend to trust them, but it’s becoming clear that the trust we have given to the apps installed on our devices isn’t deserved and can lead to compromising situations.

For an organization, considering the devices that access its network and the apps on those devices, it needs to understand what security risks, but also what privacy risks, they expose the organization to. Additionally, if that device is a corporate-owned device, what risks are they exposing their employees to? What happens if you require an app to be installed and used by your employees, regardless of whether the device is owned by the organization or not; don’t you need to understand the potential risks that the app is introducing? Is that corporate device being used to track and stalk your employee, or to read their private text messages? If so, what are the implications of such a state? Even if the device isn’t corporate-owned, what is the moral obligation to the user? These are the types of discussions that are unique to the mobile space.

Staying Safe Against Data Exfiltration

You’re probably wondering whether this is an organizational problem or an Apple and Google problem. I mean, apps are meant to go through a submission process, so aren’t they vetted thoroughly? The problem is that while Apple and Google do carry out some statistical analysis, it is nowhere near the depth of the static analysis, dynamic analysis and forced-path execution that an engine like Kryptowire does.

There is also context that is missing and unknown to Google and Apple, such as the possibility that a malicious app appears legitimate and clean during testing but needs access to the GPS location, microphone or SMS messages to work and show its true nasty colours.

As these types of mobile attacks become more prevalent, it is important to understand the app’s stated purpose compared to what the app is really doing. Never trust the bright and sleek facade. Know what your seemingly innocent app truly does. It states it is a fitness app, but in reality it is sending your location abroad 24 hours a day. Or it is a simple match-3 game, but it holds permissions granting unfettered access to your camera. More importantly, know what the security and privacy risks of those apps are, both in the context of data exfiltration and of malicious intent. And not just as a snapshot of the current state: continued monitoring of subsequent versions of an app is needed to understand how the security and privacy landscape of those apps changes over time.

We’re talking about this in terms of stalker apps, but while that’s a valid concern, the truth is that’s not necessarily the vector through which attacks take place. When you think about an app, about 40% to 90% of it isn’t written by the app developer. The majority of an app’s code comes from SDKs, and the developer has little insight into what those SDKs are doing behind the scenes.

At Kryptowire, we regularly see apps exfiltrate camera rolls, GPS data, contacts and IMEI numbers, not because the apps themselves are using that data, but because the apps were granted permissions to that data and the SDKs are using those permissions to send the data to data brokers. This is even true of custom apps made for organizations: a developer pulls in an SDK and suddenly you have a major security issue on your hands, because they are trying to blindly navigate minefields where nothing is what it seems.
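The two checks described above, comparing an app’s declared permissions against its stated purpose and watching what changes between versions, can be started with nothing more than the app’s manifest. The example below is added here and is not Kryptowire’s code; the purpose-to-permission policy, the manifests and the package name are constructed for illustration, and the manifest parser is a deliberately simple regular expression rather than a real APK decoder.

```python
"""Added example (not Kryptowire's code): flag sensitive Android permissions
that an app's stated purpose gives no reason to request, and report which
permissions appeared between two versions of the app. Policy and manifests
below are constructed for illustration."""
import re

# Constructed policy: sensitive permissions a given category of app has a
# plausible reason to hold. Anything sensitive outside this set is a question
# for the developer (or for the SDK that pulled it in).
EXPECTED_BY_PURPOSE = {
    "fitness": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACTIVITY_RECOGNITION",
    },
    "game": set(),
    "calculator": set(),
}

# Real Android permission names, mapped to the kind of data they unlock.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location (background)",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_EXTERNAL_STORAGE": "photos / files",
}

# Simplistic parser: matches <uses-permission android:name="..."> in manifest
# text. A real pipeline would decode the binary manifest inside the APK.
_USES_PERM = re.compile(r'<uses-permission\s+android:name="([^"]+)"')


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    return set(_USES_PERM.findall(manifest_xml))


def unexpected_permissions(purpose, perms):
    """Sensitive permissions the stated purpose does not account for,
    mapped to the data they expose. Unknown purposes allow nothing."""
    allowed = EXPECTED_BY_PURPOSE.get(purpose, set())
    return {p: SENSITIVE[p] for p in sorted(perms)
            if p in SENSITIVE and p not in allowed}


def added_permissions(old_perms, new_perms):
    """Permissions present in the newer version but not the older one."""
    return set(new_perms) - set(old_perms)


# Constructed manifests for two versions of a "match-3" game. In v2 the
# build's manifest merger has pulled in permissions from a library, which is
# exactly how SDK-requested access ends up in an app without the developer
# ever typing it.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.match3">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.match3">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""


def review(purpose, old_manifest, new_manifest):
    """Run both checks on a new version against its predecessor."""
    old = declared_permissions(old_manifest)
    new = declared_permissions(new_manifest)
    return {
        "unexpected": unexpected_permissions(purpose, new),
        "added": added_permissions(old, new),
    }


if __name__ == "__main__":
    report = review("game", MANIFEST_V1, MANIFEST_V2)
    for perm, data in report["unexpected"].items():
        print(f"UNEXPECTED for a game: {perm} -> {data}")
    for perm in sorted(report["added"]):
        print(f"ADDED since previous version: {perm}")
```

Run against the constructed manifests, the report flags camera, location and device-identifier access on a game that has no reason to hold any of them, and shows that all three arrived in the second version. Because Android’s build tooling merges library manifests into the final APK manifest, this is the layer at which SDK-requested permissions become visible, which makes a per-version diff of the manifest a cheap first signal that something new is asking for data; what the app actually does with those permissions still needs the dynamic analysis the post describes.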

With the increased use of mobile devices and tablets in the workplace, schools and home, we rely on Android and iOS more than ever. Just as you wouldn’t dream of deploying laptops without some insight into them, continuous insight into the threat landscape of the apps you rely on is just as important, particularly in light of the increasing attacks we see from this vector.

There is a paradigm shift. The future of consumer computing is Android and iOS. This change brings new challenges and new ways of thinking about security. Kryptowire is at the forefront of tackling these challenges. We help you to understand and mitigate these issues both as a developer and as an enterprise as a whole. Check out the Kryptowire website to understand how we do that.
