Brown’s Bytes – Malware Just Won’t Give Up…

Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes

24th August 2018

I’m back from leave and my inbox was full of more alerts about malware on mobile.

One in particular that caught my eye was the Anubis Android malware in the Google Play Store. It’s your typical nasty App trying to steal banking codes, but what makes this one interesting is:

a. It’s on the Play Store
b. How it got there

First thing to say is that users (and Enterprises) put a lot of faith in Apple’s and Google’s policing of their App stores (Apple more than Google maybe, but the principle stands). In effect, the fact that an App is on the store at all implies that a basic level of checking has been done and that it should be safe to install.

Most users are now savvy enough to know that installing Apps from untrusted sources is a risk. The bad guys still try to get you to do precisely this, but it must be getting harder to trick or convince people into it over time.

Therefore, the goal for a Malware writer has to be to get Apps into the App Store. This is the crown jewels for them – if malware has a sheen of App Store legitimacy, then more people will fall for it.

The problem, of course, is that this is precisely what Apple and Google are testing for! What makes Anubis so interesting is that it has done this by effectively mimicking what Malware writers have been doing for years to circumvent Anti-Virus detection on Windows.

The technique used is based on “Droppers”: a multi-stage infection process in which the first-stage malware is often a simplistic threat with limited capabilities, whose main role is to gain a foothold on a device in order to download more potent threats. In Anubis’ case this means the initial App isn’t malware (well, not quite), but once activated it fetches the main malicious payload from outside the App Store ecosystem.

It seems that detection on the Play Store wasn’t up to spotting this: at the time of testing, the App isn’t seen as malware. Of course, once it gets into the wild it is…

The key thing for Enterprise is that unless you have further protection on the phone, you won’t even know there is an issue.
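To make the dropper point and the “you won’t even know” point concrete, here is a small detection heuristic of my own, added to this post as an illustration; it is not code from Anubis, from Google, or from any Mobile Threat Defence product. It works over per-App network egress records of the kind an on-device agent or secure web gateway could produce, and flags any App that pulls executable code (an APK, DEX, JAR or native library) from a host that is not one of the stores or management servers you expect to serve code. The log format, the hostnames, the package names and the allowlist are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed allowlist: hosts that may legitimately deliver app code to a managed device.
# A real deployment would populate this from the store CDN and MDM hosts it actually observes.
TRUSTED_CODE_HOSTS = {
    "play.googleapis.com",
    "play.google.com",
    "mdm.example-corp.internal",
}

# Extensions that indicate a second-stage executable payload rather than ordinary content.
PAYLOAD_EXTENSIONS = (".apk", ".dex", ".jar", ".so")

# Constructed sample egress log: timestamp, package name, HTTP method, URL, bytes received.
# com.example.currency behaves like a dropper: a benign-looking API call, a normal store
# download, then an APK fetched from an unrelated host. com.example.notes is clean.
SAMPLE_LOG = """\
2018-08-24T09:01:12Z com.example.currency GET https://api.rates.example/latest.json 2048
2018-08-24T09:01:15Z com.example.currency GET https://play.googleapis.com/download/by-token/download 150000
2018-08-24T09:02:30Z com.example.currency GET https://cdn-update.example.net/update/payload.apk 534221
2018-08-24T09:02:31Z com.example.currency GET https://cdn-update.example.net/update/assets.png 1204
2018-08-24T09:05:00Z com.example.notes GET https://sync.example-corp.internal/notes 512
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        ts, pkg, method, url, size = match.groups()
        events.append({"ts": ts, "pkg": pkg, "method": method, "url": url, "bytes": int(size)})
    return events


def is_payload_fetch(event):
    """True when the URL path looks like executable code and the host is not a trusted code source."""
    parsed = urlparse(event["url"])
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    return path.endswith(PAYLOAD_EXTENSIONS) and host not in TRUSTED_CODE_HOSTS


def find_dropper_candidates(events):
    """Return {package_name: [urls]} for apps that pulled executable code from an untrusted host."""
    findings = defaultdict(list)
    for event in events:
        if is_payload_fetch(event):
            findings[event["pkg"]].append(event["url"])
    return dict(findings)


if __name__ == "__main__":
    for pkg, urls in find_dropper_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"possible dropper: {pkg}")
        for url in urls:
            print(f"  fetched code from untrusted host: {url}")
```

The important design point is where this runs: the store review missed the App because the payload is not in the package, so the evidence only exists on the device, after install, at the moment the second stage is fetched. That is why the check has to sit on the endpoint (or on traffic the endpoint is forced through) rather than in the store.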

I suspect my audience of Apple fans will point to the inferior testing of Google Play compared to the App Store. However, it is only a matter of time before something similar happens on iOS… the bad guys will most likely find a way in the end.

It is an endless game of cat and mouse that won’t stop: look at Windows security over the last 20 years.

As I keep saying, we’re at a tipping point where Mobile Threat Defence is a necessary protection on all Endpoints in the Enterprise. You wouldn’t put a laptop out on the internet without strong Firewall and Antivirus protection, and the same now needs to be true for Mobile.

If you’d like help with evaluating the best Mobile Threat Defence solution for your company, then please do get in touch.