HijackRAT Shows off a Bag of Tricks While Facebook Offers Bags of Money to Mobile App Developers

Malicious app development continues to be an alarming issue as cybercrooks continue to challenge themselves by cooking up bigger and badder mobile malware. This week, we learned of HijackRAT, a remote access Trojan (RAT) that attacks mobile devices and steals banking information by disguising itself as an Android icon named “Google Service Framework.” The RAT runs its course on the compromised device by disabling the anti-virus application, forcing an undetected update to the banking app and then replacing it with a fake banking application. To sum it up, the RAT’s bag of tricks consists of data theft, banking credential theft, spoofing and remote access. Impressed? You should be! However, it’s nothing we haven’t seen before…

Cybercriminals are obviously expanding their skill sets. This attack appears to use a combination of old attack techniques we’ve seen on desktop. In this case, old malware techniques are catching up to mobile. In the past year, there’s been a steady acceleration in the development of mobile malware. In some countries, such as Russia, Austria and Sweden, the percentage of malware attacks on mobile devices has outpaced the rate of attacks on computers. As such, it’s important for large enterprises to understand that threats such as HijackRAT pose a security and privacy risk not only to employees, but also to corporate data. This is especially true as bring your own device (BYOD) programs continue to become more commonplace in companies. And, let’s be honest, BYOD should really be BYOA – Bring Your Own Apps.

That being said, mobile security threats to users are not always the result of a direct attack from malicious app developers. There are plenty of innocent actions taken by mobile users and employees that may expose sensitive and private information. For example, the single sign-on (SSO) option for mobile apps is now widely used. SSO enables mobile app users to sign in via integration with a social networking site’s login (such as Facebook or Twitter). While handy, this can pose a risk in the context of BYOD, BYOA or Mobile First. If a user’s social login is hacked, all of the apps that the user has accessed using those same credentials might be compromised as well. Furthermore, when using SSO, the user is agreeing to share data not only with the app developer (and by default with the ad networks associated with the app), but also with the social networking site. That’s quite a bit of sharing. In Appthority’s Winter 2014 App Reputation Report, we found that 69 percent of free apps and 47 percent of paid apps utilize the SSO function.

In related news, Facebook recently launched FbStart, a program that funds small companies by offering free services and products to help them develop mobile apps, and provides them with services such as app testing and user research. One of the main products Facebook wants to promote to developers is the single sign-on feature (#bewareofSSOrisks). While the feature may encourage app use and speed up user adoption, it may also pose a threat to mobile users and their employers if a hacker gets a user’s social login.

This SSO feature can be especially risky in the BYOD atmosphere, as highly sensitive corporate data demands high security. Appthority advises enterprises to create a safe and secure mobile workforce by:

–  Discouraging SSO activity among employees

–  Encouraging employees to create separate passwords for each system and change them often

And, of course, by:

–  Implementing a mobile app risk management solution (hint hint)

Thoughts or comments on this week’s news? Reach the Appthority team on Twitter at @Appthority.