Arxan's 2014 ‘State of Mobile App Security’ study also highlights the widespread targeting of Android apps. It finds 97 percent of the top 100 paid-for Android apps have been cloned, similar to previous years.
The report, which was released on Monday, also reveals widespread copying of financial services, healthcare/medical and retail/merchant apps: 95 percent of Android-based mobile financial apps have been cloned, and 70 percent of iOS financial apps.
Meanwhile, 80 percent of the most popular free Android apps have been copied and repackaged, and three-quarters of the top free iOS apps.
Mark Noctor, Arxan EMEA sales director, told SCMagazineUK.com that the “hacked” apps identified may be infected with Trojans or other malware - or they could equally be games that are being offered for free or with reduced in-app purchase costs.
Arxan did not put a figure on what proportion of cloned apps contain malicious payloads, but Noctor said: “People won't know whether it's got malware or not until it's too late.”
He also said that while Apple is known to strictly control the distribution of iOS apps through its official store - in contrast to Android, where many third-party app stores exist - there are a growing number of sites where iOS apps can be downloaded, even onto non-jailbroken devices.
Noctor told SCMagazineUK.com: “There's been a fairly serious sidestep – in rugby terms – of Apple's defences. If you know where to go, and a lot of people do, that barrier to entry no longer exists. It's actually quite scary. It's clear that somebody has done reverse engineering on those applications.”
He said the incidence of hacked iOS apps being found outside the Apple store “continues to be a security challenge for mobile app developers, as Apple's OS controls are remiss in preventing this occurrence”.
He added: “Over the past couple of years the Android [cloning] has dipped a little bit and is now coming back up again. But there's been a fairly significant rise in the percentages for iOS. And that makes sense.
“There was a time when everybody was targeting Microsoft because it was the big empire. You can't stay off the radar. It would appear from people like WireLurker that the bad guys have worked out how to hack Apple.”
In response to the threat, Arxan advises CISOs to “make application self-protection a new investment priority, ahead of perimeter and infrastructure protection”.
It also recommends developers should make their high-risk apps tamper-resistant and capable of detecting threats at runtime, while payment apps and mobile wallets should be protected by secure encryption and app hardening.
Independent mobile apps expert Rob Miller, a security consultant at MWR InfoSecurity, agreed that the incidence of Apple app cloning is on the rise.
He told SCMagazineUK.com in an email: “Companies like Apple do everything they can to restrict and remove illegitimate copies from their app stores, but it's a constant battle to determine which are clones or just similar products, and to quickly remove these apps before their creators have profited.”
But Miller disagreed with Arxan's use of the term ‘hacked’ to describe the cloned apps, telling SC: “This paper focuses on a very specific case where apps have been copied, or code from apps has been copied. However, the personal data contained by legitimate apps or the back-end services have not been compromised, which is what many people would regard as being ‘hacked’.
“By this definition, only a small number of apps on any platform have been hacked.”
Miller added: “MWR recommends users only install apps from the official app stores and to ensure the apps they are downloading are from legitimate organisations. Only installing apps that have been regularly downloaded with high ratings can help protect the data on the phone.”
Meanwhile, ESET security specialist Mark James said that iOS attacks are always surprising to hear, because Apple's mobile operating system is believed to be so secure.
“With iOS reported to be the most secure mobile operating system, it is always a shock when we hear this app or that app has been hacked or compromised,” he said in an interview with SC.
“But once a general flaw has been established, tailoring it around a specific app (one in the top 100) is just a matter of aesthetics - and it makes sense to concentrate on that end of the scale.”
James added: “Because of the assumption that Apple is safe and often mobile apps are overlooked as a security risk because of their nature, we often fail to look at securing the app or indeed the ongoing security of the app when downloaded.
“Investing in the right protection to keep an eye on apps already installed is as important as stopping them coming in from the start.”
James also advised: “When it comes to any type of wallet/payment apps, they should be protected by the highest forms of protection available to ensure the customers' data is stored as safely as possible.”
Arxan's findings are based on a study of 360 apps, including the top 100 paid-for apps, the same 20 popular free apps from each platform, and 40 apps in the financial services, retail and healthcare categories (20 per platform).