
Find out which mobile apps are stealing your identity

Mobile device malware is approaching exponential growth. Mobile apps are the vehicle of choice to deliver malware. Michael P. Kassner looks at our options.

Mobile-security pundits preach incessantly about the need to be careful when downloading mobile applications. That's because many are not what they seem. According to TrendMicro's annual report, "Evolved Threats in a Post-PC World":

2012 erased any doubt that the malware threat for mobile devices is real. The number of Android malware shot up from 1,000 at the start of the year to 350,000 by year's end.

Imagine that kind of increase in your pay packet (I digress, apologies). Since TrendMicro was more concerned with types of malware, not what the malware did, I read "A Survey of Mobile Malware in the Wild" by a research team from University of California, Berkeley. What they found is more to the point:

We find that the most common malicious activities are collecting user information (61%) and sending premium-rate SMS messages (52%), in addition to malware that was written for novelty or amusement, credential theft, SMS spam, search engine optimization fraud, and ransom.

That should give you an idea of what the bad guys are looking for. So how does malware find its way onto a smartphone?

Currently, the most efficient way to load malware is through mobile applications designed by the bad guys, where malware developers incorporate their code into what appears to be credible software. So we happily install it and, in the case of Android apps, dutifully grant every permission the installer asks for. After that, we become victims of identity or financial theft.

It's hard to get a feel for the number of good applications versus bad ones offered by app stores. I'd guess (guess being the operative word) that most are not malicious. My problem -- I really suck at guessing, so I'd appreciate being able to determine if a mobile application is safe to load or not. Thankfully, there is a way.

ZAP by Zscaler

I briefly touched on the security tool Zscaler Application Profiler (ZAP) in this article about the alarming number of Android applications that are not using SSL correctly.

In preparing that article, I had several conversations with Michael Sutton, Vice President of Security Research at Zscaler. Michael, being a patient sort, put up with all sorts of new questions for this article. Before I get to them, here are some preliminaries about ZAP.

ZAP provides two ways to test mobile applications -- Search and Scan. Zscaler has already tested many existing applications and by entering the app's name into the Search function, you will learn how it behaves.

Here are the results from entering Skype.

Next, the Scan function.

I asked Michael if there was any benefit to running the scan versus searching for results:

Search results provide a high-level overview of a past scan. If you want full details on an app, you'll want to run the scan feature.

In either case, ZAP checks the following:

  • Authentication: Username/password sent in clear text or using weak encoding methods.
  • Device Metadata Leakage: Data that can identify an individual device, such as the Unique Device Identifier (UDID).
  • Personally Identifiable Information Leakage: Data that can identify an individual user, such as an email address, phone number or mailing address.
  • Exposed content: Communication with third parties such as advertising or analytics sites.

Now let's get to the questions.

Kassner: On the webpage introducing ZAP, you mention mobile applications behave like custom web browsers. I have not thought of them that way. Should we be concerned because they are?

Sutton: What I mean there is that the apps send network traffic and the protocols of choice are overwhelmingly HTTP/HTTPS. So they behave much like a browser, but do not have the same security protections. For example, you cannot tell what remote site you're sending traffic to as there's no address bar. And, you can't tell if the traffic is being sent securely. There's no padlock to indicate whether the app is using SSL or not.

Kassner: Again, on the page introducing ZAP, you mention:

Being an inline security solution inspecting web traffic, it's imperative that we're able to not only analyze traditional web traffic, but also web traffic sent by mobile applications.

What does inline security solution mean?

Sutton: Being inline we can look at content actually sent to and from the application. In doing so, we're able to identify privacy implications and coding flaws. For example, an application may send your password in clear text. As this is a mobile application, and not a web browser, there is no visual indicator to inform you whether your password is sent securely or not. You must blindly trust the application. By sitting inline, ZAP can quickly and easily identify if that is happening.

Kassner: When you say inline, you mean ZAP acts like a Man in the Middle (MitM). Correct?

Sutton: By design, ZAP is a MitM. It intercepts and monitors the traffic between the phone and the application's remote server. Scanning this way allows us to determine if the app is leaking information.

We ask that you enter fake data into a window like the one shown above. We compare the information given us to any we find leaking from the application -- for example, the password you gave us. You enter the same password when using the app. If we see the password traversing the wire in clear text, we then know the app is sending your information insecurely.

Kassner: Getting set up to run the Scan function is not for the faint-hearted; do you have pointers to make it easier?

Sutton: There is some basic setup involved in using ZAP, namely, changing the proxy settings on your phone. We've tried to make this as intuitive as possible by providing a video walkthrough. Also, during the scan, a popup window will automatically show you step by step what is required.

Kassner: Why should we trust your results?

Sutton: We try to be as transparent as possible. When you scan an app, we show you the captured data. That way when we say an application was leaking your password, you can also see the data packet where that occurred, and know definitively the password you provided was sent in clear text.
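The fake-data comparison Sutton describes, written out as an added Python example (this is not Zscaler's code): it takes the canary values a tester typed into an app, replays them against a constructed set of captured requests, and reports where each one surfaced and whether it crossed the wire over plain HTTP. It goes slightly beyond the password case in the text by also covering ZAP's other listed checks (device metadata, PII, third-party hosts) and the weak encodings (URL-encoding, base64) the check list mentions; all hosts, paths and values are invented.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample of what an inline (MitM) proxy like ZAP would capture from an app:
# (scheme, host, raw request). Hosts, paths and values are invented for this example.
BASIC_CRED = base64.b64encode(b"zaptest:Canary!Pw1").decode()
CAPTURES = [
    ("http", "api.example-app.test",
     "POST /login HTTP/1.1\r\n\r\nuser=zaptest&pass=Canary%21Pw1"),
    ("https", "api.example-app.test",
     "GET /profile HTTP/1.1\r\nAuthorization: Basic " + BASIC_CRED + "\r\n\r\n"),
    ("http", "tracker.example-ads.test",
     "GET /pixel?udid=CANARY-UDID-0001&mail=zap.tester%40example.test HTTP/1.1\r\n\r\n"),
]
FIRST_PARTY = {"api.example-app.test"}
# The fake values the tester typed into the app, exactly as ZAP asks you to do.
CANARIES = {"password": "Canary!Pw1", "email": "zap.tester@example.test",
            "udid": "CANARY-UDID-0001"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

def views(raw):
    """Yield (label, text): the raw request plus the weak encodings an app may wrap data in."""
    yield "clear text", raw
    yield "URL-encoded", unquote(raw)
    for tok in B64_TOKEN.findall(raw):
        try:
            yield "base64", base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or not text

def analyze(captures, canaries, first_party):
    """Approximate ZAP's four published checks; return (host, item, how_seen, scheme) per finding."""
    findings = []
    for scheme, host, raw in captures:
        if host not in first_party:
            findings.append((host, "third-party", "exposed content", scheme))
        for name, value in canaries.items():
            for label, text in views(raw):
                if value in text:
                    findings.append((host, name, label, scheme))
                    break  # one finding per canary per request
    return findings

def over_plain_http(findings):
    """The findings that matter most: canaries readable by anyone on the network path."""
    return [f for f in findings if f[3] == "http" and f[1] != "third-party"]
```

A base64 hit over SSL (ordinary HTTP Basic auth) is only a weak-encoding observation; the same value over plain HTTP is a real leak, which is why `over_plain_http` separates the two.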

Final thoughts

I have used both the Search and Scan functions. I like how the Scan results display the captured traffic as individual packets, something I haven't been able to do easily when testing mobile devices. To see what I mean, I'd recommend watching the video; it is extremely helpful in setting up the Scan function, and when trying to interpret the test results.

I would like to thank Michael Sutton for answering my questions, and Zscaler for providing a way for us to steer clear of malicious mobile applications.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

33 comments
viProCon

Sorry to be all over the place on this thread, sometimes at TR I click the latest Reply just to keep things sequential, then sometimes I end up replying directly to earlier posts.

viProCon

Well, I'm not a mobile app developer but it would seem to me that code is code essentially so while in the PC world, malware has evolved greatly, I don't see why that would be very different in the mobile world, yet, the mobile security products seem to be only in their infancy thus it will be easy for malware developers to overcome it. For example, does ZAP have solid tamper protection? But how can it, when other Android apps are given full privileges on the device, thus malware can remove ZAP before it even gets to be involved. Don't get me wrong I applaud that we are starting to see security at some level for mobile, because mobile is a security hole the size of Jupiter, but I fear it's not evolved enough. And the problem is that, for example, a rootkit in the PC world often never goes away even if you've run updated scans that "clean" the latest file running in ..\local settings\temp or what not, so you have to wipe the machine and re-install the OS. Not something people know to do on a mobile, so we'll have millions of rooted mobile devices out there, and by the time robust security is available those devices will already be owned and part of a botnet or whatever. I do plead ignorance about ZAP though and have no idea what other things are out there. Example: I know Symantec has a Mobile security platform but no idea what it does.

Flawless Cowboy

I was replying to SgtPappy above. At present the 'reply' and indeed even the 'edit' links are unresponsive here.

Flawless Cowboy

I recall recently reading the account of an iOS app dev, explaining how trivial a matter it is to get around Apple's cursory scan of newly submitted apps.

SgtPappy

Does anyone know where I can get one of those Giant Cell Phones with a huge battery pack from the 1980's that only made voice calls? Until the Android store does a better job at reviewing the software that it allows to be distributed on their network I think one of those old phones will be safer.

mbrello

First of all - great article. Very informative both from a "what's wrong?" aspect and from a "what you can do" aspect. Your article cites Android applications as the major offenders. What about iOS apps?

JCitizen

to your previous article Michael. I'm sure all of us in the TR community feel obliged to you! v/

radleym

... by security firms trying to sell something. I've still yet to see anybody quoting actual infections of real malware from any of the "official" apps stores. Reminds me of the "sky is falling" approach taken by many so-called security experts when 1 (that's right, 1) infection made it onto OSX machines. I'll take all of these reports with a large grain of salt until I hear about actual infections of real malware. But I'm not holding my breath.

JCitizen

We value your input regardless! :)

Michael Kassner

ZAP is a web tool on a Zscaler server that intercepts traffic from the application on your phone on its way to the application's home server. It then looks to see if traffic is sent in the clear and what traffic is being sent.

Michael Kassner

I have been getting reports about each version. I suspect it's security versus convenience again.

JCitizen

those old phones don't work on the cellular standard anymore - even out here in the desert, they ditched the old infrastructure equipment years ago.

Michael Kassner

I used to have one of those phones, and I will keep my SIII. I think we can stay ahead of the game as long as we stay alert and reading TechRepublic (shameless plug).

Michael Kassner

It is my understanding that they do as well. If you have a particular app in mind, enter it in the search function and see what comes up. Or you could try the app in ZAP's scan function and "for sure" see if it is leaking any information.

Michael Kassner

I hope it helps people as it is the only way many of us can tell what's going on.

Michael Kassner

Malware today is not designed to be damaging. It sits in the background, quietly sending your information to some remote site. And, your phone's security measures do not consider it malware as you willfully loaded it.

viProCon

Just something that occurred to me, but it's quite common as I'm sure you know, that when somebody hears that a website or a content provider of some kind has some kind of scanning of said content on their server, that everything is safe. As we all know, you can lump 15 malware scanners running all on the same system and there will still be rootkits they can't find and so on. So what makes people think these scans done by app stores are any better? Of course apps are less complex than full applications found on PCs, generally speaking that is, so there are maybe less behavioral traits or signatures to look for but again I defer to my own ignorance of app development so who knows. After all if it's got a network stack it's exploitable, one way or another.

viProCon

Geez, even after reading the article it seems I got it stuck in my head that it's an app when I posted. My mistake. But perhaps the idea still stands. Malware developers can code their app to look for traffic sent to ZAP and redirect it into oblivion, or I would assume there is some form of code installed on the phone itself that acts as the front-end forwarder to this back-end server, which could also be compromised. Btw if I'm confused yet again, I'll just re-read the dang article so I can get my facts straight :) I read so many things in a day, sometimes with a pause between reading an article and posting about it, that I am prone to my own personal version of EMI I think.

viProCon

Just FYI, the original mobile phone cell network in the US was called AMPS (Advanced Mobile Phone System). You might be surprised to find out that the FCC only required the discontinuation of AMPS in 2008 so up to that point you could in fact have used this old phone. Speaking of which, this phone in particular was the Motorola Dynatac 8000X, which interestingly, now belongs to Google as part of their acquisition of Motorola. So, Android users out there, voila! there's a lineage to be proud of. The 8000X weighed 8 pounds by the way and had a 30 minute talk time battery life. And one thing about the Android platform and why they're so much more prone to malware is that it's an open market, many many apps are not piped through the Google service but can be grabbed from bittorrents and the like. I realize anybody can put apps on their iOS device and get around the Apple Store but that's nowhere near the level of Android's open...ness. Whatever the word is.

dogknees

I would certainly classify sending my information to a remote site as "damaging".

radleym

And no, I didn't miss the point, but apparently you missed mine. I was commenting on the data manipulation and exaggerated malware claims coming from those trying to profit from stirred-up malware hysteria.

Drew@Omaha

I guess THAT is the problem then. On my PC, if I "willfully" click "OK" and allow malware to be installed my malware detection software will still detect it as such.

Michael Kassner

Most people get into trouble when using other than the main-stream stores or have their phones unlocked.

viProCon

If the malware has full admin rights on the same device as is using SSL to send to the server, couldn't they compromise the root certificate store on the device? Or somehow intercept the data on the device before it tunnels into the encryption engine? I don't know, I just remember reading about SSL architecture a bit once and basically it's good security unless either of the two endpoints in the session is compromised. Speaking of stupid apps sending cleartext, I think it was even on TR I saw this but WhatsApp got a slap by the Canadian and Dutch authorities for collecting unauthorized address book info and sending that in the clear to their server(s). The fact that anybody, anywhere, thinks it's ok to code an app to send data in the clear is not a good sign. JCitizen: You're right, but the object-oriented nature of Quirbles makes it difficult to adjust the magnometer curve. Oops sorry, wrong thread. ;) Ok ok....viProCon

Michael Kassner

If you use the scan feature, you provide what information is sent. And if the traffic is supposed to be encrypted (SSL) no one will be able to learn what you provided. The problem is that developers are doing a poor job of SSL and/or not using SSL, sending your provided information in the clear, which ZAP looks for.

JCitizen

It seems like my brain gets packed with too many interesting subjects, and just can't handle it all! :p

JCitizen

If the FCC made it a requirement to change; I always figured they did. I am surprised anyone was still using it as late as 2008. My old phone went dead way before then, in fact about at the turn of the century, or thereabouts. I got my 1st phone in 1998 or so.

Michael Kassner

I should have been more clear. Earlier malware clearly signaled its presence, usually by doing harm. Today's mobile malware does not.

radleym

Got lost in the nesting for a moment there. But yes, I was referring to your reply to my reply to yours.

Michael Kassner

You have the option to test it yourself. Pick an app Zscaler has marked as one that sends your information to the developer's server. Load it, scan it using Zscaler's tool. See what the tool says. Finally, see if your phone's antimalware app finds it. I have done this with apps known to leak information and antimalware apps did not recognize them as malware.
