Mobile apps are convenient and easy to use, but sometimes the developers do not put enough focus on the back end. Big Internet companies, such as Amazon, Facebook, and Google, provide back-end services for many apps with secure data storage and data management features, but it is up to the app developer to implement access to those services with security in mind.
Earlier this year, McAfee Labs teamed up with Technische Universität Darmstadt and Fraunhofer SIT to explore the back-end exposure of two million mobile apps. We found that they are often insecure, allowing unauthorized access to their associated cloud storage, including full names, email addresses, passwords, photos, financial transactions, and health records. This information could be used for identity theft, malware distribution, and financial fraud.
According to the November 2015 McAfee Labs Threats Report, some mobile app developers do not follow the documentation and security guidelines provided by the back-end services. Because most mobile apps have a secret key embedded in the app, one of the most important recommendations is to handle important data record manipulation over a different channel from basic app activity. Otherwise someone with minimal technical knowledge can readily extract the key and read, update, or delete records.
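The separation the report recommends, as an added example in Python (not code from McAfee, Facebook Parse, or any app): a toy back end where the app-embedded client key plus a per-user session covers ordinary activity, while record manipulation requires a master key that only the server holds. All keys, users, and records here are constructed for the demo.

```python
import hmac, secrets

# Constructed credentials. The client key ships inside the APK, so anyone who
# decompiles the app can extract it; the master key never leaves the server.
APP_CLIENT_KEY = "client-key-embedded-in-apk"
SERVER_MASTER_KEY = "master-key-held-only-server-side"
USERS = {"alice": "correct-horse-battery"}  # constructed user -> password
class Forbidden(Exception): pass
def _check(supplied, expected, why):
    if not hmac.compare_digest(supplied, expected):
        raise Forbidden(why)
class Backend:
    def __init__(self, records):
        self.records = records  # record_id -> {"owner": user, "body": str}
        self.sessions = {}      # session token -> user

    def login(self, app_key, user, password):
        # The app key only identifies the app; a session needs the user's password.
        _check(app_key, APP_CLIENT_KEY, "unknown application")
        _check(password, USERS.get(user, ""), "bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def read(self, app_key, session, record_id):
        # Ordinary app traffic: app key plus the record owner's own session.
        _check(app_key, APP_CLIENT_KEY, "unknown application")
        rec = self.records[record_id]
        if self.sessions.get(session) != rec["owner"]:
            raise Forbidden("not the record owner")
        return rec["body"]

    def delete(self, master_key, record_id):
        # Record manipulation only through the server-side channel, never the app key.
        _check(master_key, SERVER_MASTER_KEY, "master key required")
        del self.records[record_id]

def _attempt(call):
    try:
        call()
        return "allowed"
    except Forbidden:
        return "denied"
def demo():
    be = Backend({1: {"owner": "alice", "body": "card ending 1234"}})  # constructed data
    return {  # same requests with only the extracted app key, then from the server
        "read_with_app_key_only": _attempt(lambda: be.read(APP_CLIENT_KEY, "no-session", 1)),
        "delete_with_app_key": _attempt(lambda: be.delete(APP_CLIENT_KEY, 1)),
        "delete_from_server": _attempt(lambda: be.delete(SERVER_MASTER_KEY, 1)),
    }
```

With the key extracted from the app, the caller can neither read another user's record nor delete anything; only the server-held master key reaches the delete path.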
Ironically, some malware-carrying mobile apps also do not follow the security guidelines of the back-end services they use, enabling our researchers to investigate their malicious activities. We analyzed 294,817 mobile malware apps and found 16 using poor security coding practices when connecting to the popular Facebook Parse back end. These were associated with two mobile banking Trojan families, Android/OpFake and Android/Marry. Facebook has been notified, and these accounts have been shut down.
We decompiled and analyzed these Trojans to understand how they operate and what information they gather. After installing, typically from a malicious link in a text message purporting to be from a popular Russian instant-messaging app, the malware hides its icon and starts a service in the background to intercept SMS messages and send user information to its control server. Malware agents used the back-end service to queue up and manage commands for each infected phone, waiting for SMS messages from banking apps that they could modify and reuse.
During June and July, just these two malware families intercepted almost 170,000 SMS messages, most of them personal, impacting the privacy of those infected. However, within these messages were a number of banking transactions such as querying credit card numbers, account balances, and making fund transfers. More than 20,000 malware commands were executed during this time, mostly for financial fraud.
By counting the number of unique device identifiers in the malware data store in the back-end service, we determined that almost 40,000 users were affected by these two Trojans.
The take-away from this investigation is to be very careful with the mobile apps that you download onto your phone. Because it is very difficult to know how secure a particular app’s back-end implementation is, we recommend that you stick with well-known apps with third-party security validation. Also, either avoid rooting your device or make sure to unroot it after using any necessary admin privileges, as the malware often abuses privileged access to silently install apps without consent.
For more information on mobile app vulnerabilities, please visit http://www.mcafee.com/November2015ThreatsReport.