How insecure are app stores?

Google Bouncer beaten, Apple walled-garden breached, Candy Crush compromised

Brand name app stores are not as secure as we might hope
Brand name app stores are not as secure as we might hope

It has not been a good week for lovers of apps, which is pretty much anyone with a smartphone. Both Android and iOS apps have been infected with malware, apps that were available through the official app stores rather than illicit third parties. Millions of users are at risk from the resulting malware infections, despite the Google 'Play Store' Bouncer and Apple's iOS 'Walled Garden' which were meant to prevent such breaches. So what went wrong, and how can it be prevented from happening again?

A simple IQ testing application called Brain Test has, according to Check Point researchers, made fools of even the cleverest downloaders. Twice. It would appear that the malware was removed by Google following the Check Point discovery, only to reappear days later with a different name but the exact same code. Multiple methods were used to evade detection, including by the Google Bouncer which is meant to keep Google Play clear of such infections. In this case it seems that the code was able to bypass the Bouncer altogether. Amazingly, just by using an off-the-shelf obfuscator in the form of the Baidu packer, the malware was able to be resubmitted to Google Play and evade detection again. Yet this was no harmless adware, rather it contained four privilege escalation exploits giving root on the infected device, and installed persistent malware as a result. With an infection rate of between 200,000 and 1 million between the two instances, and a payload of third party app installations, a rootkit and the potential for credential theft, questions will be asked as to how secure Google Play really is.

Especially considering that ESET also recently uncovered Trojans in illigitimate versions of popular games such as Plants vs Zombies and Candy Crush, infected, this time with a Trojan dropper, and also available for download through the official Google Play store. The malware was, ESET says, capable of taking control of your device and adding it to a remote botnet. The games came bundled with the Trojan dropper in the form of another app called systemdata or resourcea, and placed onto the mobile device during unpacking/installation of the game itself. It does, of course, require user permission to install but this is made for an app called 'Manage Settings' which could easily be mistaken for a genuine part of the installation if you were not paying close attention. After installation it runs in the background, as a service, and eventually takes control of your device to add it to a remote botnet. It appears, according to ESET, to have used an execution delay mechanism in order to evade detection by Google Bouncer; the malware waits three days before asking to install the Trojan.

Ah well, you are probably saying if you are an Apple user, that's Android for you. After all, it's not as safe as the walled garden approach to app stores that iOS apps have to agree to. Apart from the fact that it has also recently come to light that more than 4,000 iOS apps appear to have been infected with malware known as XcodeGhost and all of them were available for download from, you guessed it, the official App Store. Targeting the legit Apple application development tool 'Xcode' the malware creators repackaged the Xcode installers with malicious code and managed to fool Chinese developers into downloading it. The scam was an easy one, by using the third party links the tool downloaded much faster than via Apple within China. The end result was a development tool that compiled malicious code alongside genuine code, and simply walked into the Walled Garden as a result.

David Richardson, the iOS manager at Lookout, told SCMagazineUK.com that there's no silver bullet for app malware. "Discovery of malware on any platform is a very hard problem to solve and we're seeing malware authors adopt increasingly sophisticated tactics" he said, continuing "the behaviour of these recent malicious apps is actually similar to the behaviour of ad networks and analytics SDKs." As XcodeGhost proves, it's not enough to just cover an app store itself, the entire chain has to be secure. "In relation to XcodeGhost," Richardson says, "it would be very tricky for Apple to tell the difference from code that developers voluntarily introduced to perform this functionality." To improve security, Richardson reckons that Apple should consider only allowing apps with legitimate versions of Xcode into the App Store, but admits  that is likely to be an unpopular decision with the developer community, which wants to write open source tools to develop iOS apps and write Xcode plugins to speed up the development process.

Paco Hope, principal security evangelist at Cigital, agrees that sometimes the security lapse is in the developers themselves. "Making software secure is fundamentally the developer's job" Hope insists, adding: "There is little that an end user can do if developers themselves are subverted." Apple's secure architecture (incorporating its singular app store, the signing certificates and procedures around signing code, as well as its app review process) suppresses massive amounts of malware that simply doesn't exist. That is, the malicious app never got written because its author knew it could not get into the app store and onto many devices.

"If one compared the total number of downloaded iOS apps ever to the total number of iOS app downloads that contained malware," Hope explains, "one would need scientific notation to express the percentage of downloaded apps that were infected with malware. Zero is simply not possible while maintaining a platform that users want to use. A non-zero number of malicious iOS apps getting through is not an indicator that more must be done." Indeed, malicious code being inserted into an app by a trusted app developer is one of those risks that end users simply cannot protect against.

On the positive side, Hope told us, while some legitimate apps get wrongly flagged as malicious (false positive) illegitimate apps rarely get through (false negatives). And as for Android, Hope says the advice for protecting against malware is "fundamentally the same as we gave people in October 1996 about protecting Windows 95" and can be summed up as don't believe every email or install random stuff. "App developers must diligently hunt for malware-infected versions of their apps on many app stores, and app store curators must create their own policing techniques to hunt for malicious apps." Hope concludes: "One cost of diversity in the Android ecosystem is the extra security work that end users themselves perform instead of the platform itself."

So is Apple's store safer than Androids? "One might argue that Apple's vetting process is more mature since they've done in from the beginning," admits WatchGuard CTO, Corey Nachreiner, who continued, "...but it doesn't really matter; hackers will always find holes in our security. Both companies will have to stay vigilant, and constantly update their vetting processes to plug newly discovered gaps." That said, Nachreiner did confide to SCMagazineUK.com that he felt, "Google's open environment is still more dangerous simply because they allow users to sideload apps," concluding: "In Apple's environment, the only way you can load an app without actually jail-breaking your device is through Apple's app store. On the other hand, Android devices offer an option for users to load apps from third-party locations, or directly from a potentially untrusted APK file. They do not force you use the official marketplace." This means even if Google and Apple's official marketplaces are equally secure, Android users still have the option to bypass the official marketplace, and get themselves into trouble with unofficial apps.

Stephen Coty, chief security evangelist at Alert Logic, meanwhile looks to the app stores to do better with toolkit security. “The app stores are largely contributed to by the community and application companies. They use toolkits that are distributed by the stores to be used to develop applications," he told SCMagazineUK.com. "These toolkits need to be certified by the manufacturer and deployed in a safe and secure manner. Once applications are developed, they need to be scanned and dissected to make sure that there is no malicious code installed as part of the application being uploaded to the store." Coty insists this needs to be done, not in an automated fashion that finds known threats, but through a manual sandbox to uncover the unknown.

As Winston Bond, European technical manager at mobile application security provider Arxan concludes: "The recent XcodeGhost and Brain Test incidents drive home the fact that there will always be bad guys out there, and they are endlessly inventive when it comes to finding a way to attack users. Criminals always go after easy targets, and apps are seen as increasingly vulnerable sources of sensitive data."