RiskIQ analyzed 120 mobile app stores and more than 2 billion daily scanned resources. In listing and analyzing the app stores hosting the most malicious mobile apps and the most prolific developers of malicious apps, their Q3 mobile threat landscape report documents an increase in blacklisted apps over Q2, as well as the continued issues of imitation and trojan apps in official app stores and the emergence of the massive WireX mobile botnet.
(Chart: Total number of blacklisted apps in each store for all of 2017 through Q3)
Feral apps and Google Play are main sources of blacklisted apps
Q3’s analysis confirmed that feral apps – apps available for download outside of a store on the web – and the Google Play store were the most abundant sources of malicious apps each quarter. Plus, the top developer of blacklisted apps in Q3, Nyi Subang Larang, worked exclusively in the Play store. However, Google’s percentage of malicious apps decreased overall, falling to a low of 4 percent in Q3 after reaching a high of 8 percent in Q2.
Other leading blacklisted app sources
In third place, secondary store AndroidAPKDescargar had comparable numbers to Google and feral apps. In Q3, it more than doubled its number of malicious apps to 20,907, making up about one-third of its total app count and outpacing all other stores by more than 10,000.
Rounding out the top four, ApkFiles rocketed to a huge number (25,545) in Q1 and then dropped off in Q2 before recovering slightly in Q3. Meanwhile, 97 percent of 9game.com’s 6,052 apps (most of which purport to be games) were flagged as malicious.
Based on this data, RiskIQ concluded that some stores are being created and pumped up with huge numbers of malicious apps in short order. The firm’s researchers speculate that this could be in concert with a particular campaign or to make detection of known bad stores more difficult.
Playing the imitation game
One way malicious apps spread is by imitating others that are well known and popular. The report found that antivirus, dating, messaging, and social networking apps are favorite targets for this game. The Google Play store, in particular, is fertile ground for these attacks. Querying RiskIQ data for apps in the Play store since the start of Q3 – containing the word “WhatsApp” and excluding any from the official WhatsApp developer – returned 497 entries. The same query for Instagram returned 566 entries. Avast antivirus was copied by a developer, DevTech Inc., which has had four other apps in the store since September, including a clone of Waze.
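The brand-imitation query the report describes (brand keyword in the app name, official developer excluded), as an added Python example that is not RiskIQ's code or data. The listings and the official-developer names are constructed for illustration, and a normalization step is added so spaced or hyphenated lookalikes such as "Whats App" are caught as well.

```python
import re
from collections import defaultdict

# Constructed sample of app-store listings (hypothetical; not RiskIQ data).
LISTINGS = [
    {"name": "WhatsApp Messenger", "developer": "WhatsApp Inc.", "store": "play"},
    {"name": "Whats App Pro 2017", "developer": "FreeApps Ltd", "store": "play"},
    {"name": "WHATSAPP Transparent", "developer": "ThemeMaker", "store": "play"},
    {"name": "Instagram", "developer": "Instagram", "store": "play"},
    {"name": "Insta-gram Followers Booster", "developer": "Growth Tools", "store": "play"},
    {"name": "Avast Mobile Security", "developer": "AVAST Software", "store": "play"},
    {"name": "Avast Antivirus Free Clean", "developer": "DevTech Inc.", "store": "play"},
    {"name": "Weather Radar", "developer": "SkyData", "store": "play"},
]

# Brand keyword -> developer names treated as official (assumed for this example).
OFFICIAL_DEVELOPERS = {
    "whatsapp": {"whatsapp inc."},
    "instagram": {"instagram"},
    "avast": {"avast software"},
}

def normalize(text):
    """Lower-case and drop spaces/punctuation so 'Whats App' and 'Insta-gram' match the brand."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def find_imitations(listings, official=OFFICIAL_DEVELOPERS):
    """Return {brand: [listing, ...]} for apps whose normalized name contains a brand
    keyword but whose developer is not on that brand's official list."""
    hits = defaultdict(list)
    for app in listings:
        name = normalize(app["name"])
        dev = app["developer"].strip().lower()
        for brand, devs in official.items():
            if brand in name and dev not in devs:
                hits[brand].append(app)
    return dict(hits)

def imitation_counts(listings, official=OFFICIAL_DEVELOPERS):
    """Per-brand tally of candidate imitations, the figure the report quotes per brand."""
    return {brand: len(apps) for brand, apps in find_imitations(listings, official).items()}

if __name__ == "__main__":
    for brand, apps in find_imitations(LISTINGS).items():
        print(f"{brand}: {len(apps)} candidate imitation(s)")
        for app in apps:
            print(f"  - {app['name']!r} by {app['developer']}")
```

Each hit is only a candidate for review: a legitimate third-party companion app can also carry a brand name, so the list feeds a monitoring queue rather than an automatic takedown.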
WireX mobile botnet emerges
Coinciding with the increase in dangerous/imitation apps, Q3 also saw the emergence of a massive mobile botnet attack, known as WireX. In August, RiskIQ, Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, Team Cymru, and others collaborated to take down the new threat, affecting the devices of at least 70,000 Android users globally. After a short development stage, on Aug. 17, the botnet struck several content delivery networks (CDNs) – with between 130,000 and 160,000 unique IPs observed from 100+ countries.
Around 300 apps tied to WireX were identified in total, a subset of which was found in official app stores, such as the Play store. Google moved to block these apps and to remove them from all Android devices. These apps masquerade as media and video players, ringtones, and storage managers. Once installed, they activate hidden functionality to communicate with command and control servers and launch attacks, whether the app is in use or not.
In this instance, extraordinary collaboration among security professionals was able to hamstring WireX before it could launch more devastating attacks. However, the botnet is not dead, and researchers are still encountering examples of its malicious apps in the wild. It may not be long before the rise of a new mobile botnet built through the spread of malicious Android apps.
“Securing the mobile app ecosystem continues to be a challenge for app stores of all sizes, but efforts to improve version control, monitor for abuse, employ verification techniques, and offer security education can help,” said Mike Wyatt, director of Product Operations at RiskIQ. “Tracking the use of brand names and likeness is an equally daunting challenge for corporations. Brands should evaluate and implement solutions that constantly monitor their digital footprint online and in mobile app stores.”