2022 Global Mobile Threat Report -2
State of Mobile Application Security 2022
Over a relatively short period of time, our usage of mobile devices and apps has changed and grown dramatically. Enabled by evolving mobile and cloud technologies, innovative mobile apps continue to fuel digital transformation for businesses and remove friction from our everyday lives. Today, the scope of the mobile app market is massive. There were over 218 billion app downloads in 2020 alone. By 2023, annual revenue from mobile apps is predicted to reach $935 billion, with categories such as video streaming, gaming, and online fitness all generating billions of dollars in revenues. The payments segment alone accounted for $1.3 trillion globally in 2020.
Application Development Trends
Driven by the profitability of apps, innovation in mobile app development has also accelerated. Here are some of the key application development trends changing the mobile app landscape:
Through hybrid app approaches, developers can work with a single code base that runs on both Android and iOS, which offers a number of appealing benefits. Developers can choose from several modern mobile application architectures. These alternatives support all types of devices (including phones and tablets) and all platforms (including Android and iOS). Hybrid approaches provide significant benefits when it comes to portability, maintenance, and distribution. Not surprisingly, the popularity of hybrid frameworks such as React, Flutter, Uno, Kotlin, and Xamarin has grown significantly. Native Hybrid and Web Hybrid apps both contain a combination of native and web code, but in varying degrees. Web Hybrid applications are mostly stand-alone web applications that can run in a standard web browser. In both cases, the web code is more challenging to secure because the web control lacks security features and fewer SDKs and tools are available for web code. Progressive Web Applications are an evolution of traditional web applications that have the look and feel of native mobile applications. A single code base supports multiple platforms for portability, but it makes securing data and code exceptionally challenging.
App vulnerabilities
Repeatedly, the code written by mobile app developers exposes employee and customer data, putting privacy and security at risk. Recent examples of compromised apps include the mobile app used by Ring doorbell customers, the Android version of the business communication app Slack, and the Klarna payment app.
Third-party components and developers
Mobile app developers continue to grow increasingly reliant on third-party components and service providers, and this has ushered in a significant level of risk. In 2021, the private data of 21 million customers of ParkMobile, a mobile parking app, was exposed by third-party software the company used. Third-party libraries will continue to dominate mobile apps because they offer ease of development, speed to market, and potential cost savings. But they are a double-edged sword: they expand the attack surface and create over-privileged applications, both characteristics that cybercriminals look for in exploitable applications.
Misconfigured cloud services
One investigation into 23 mobile apps found that the data of more than 100 million users was exposed. The culprit? Developers failed to properly configure their third-party cloud services. Based on our analysis of more than 1.3 million Android and iOS apps, we found that 131,000 used public cloud services in their backend, and 14% of those apps had misconfigurations exposing users’ personal information.
Risks and Attacks: Mobile Malware, Bugs, and Profiles
Malware is in every bad actor’s arsenal because it is easy to access and deploy while wreaking havoc on a massive scale. There are millions of unique malware variants, with thousands of new apps created and released daily. Malware has become the single biggest source of profit for attackers, and for this reason, it is a moving target.
In 2021, mobile security analysis uncovered 2,034,217 new malware samples detected in the wild. On average, that is nearly 36,000 new variants of malware a week, or over 5,000 a day.
Mobile malware is unique because the mobile attack surface is different. Some mobile malware variants act like traditional endpoint attacks, such as spyware and trojans. Other malware can impact users in ways traditional malware cannot, including:
• Stealing 2FA credentials through SMS or app notifications
• Performing overlay attacks, where a user enters credentials into a secondary app, believing it to be the legitimate app
• Monitoring other installed apps through Accessibility Service permissions
• Tracking user location through GPS services
• Activating the cameras and microphone to record audio and video
• Accessing sensitive content like photos, contacts, and personal data
• Capturing and tracking sensor data such as gyroscope readings, location, and nearby devices
2FA Interception
This malware is disguised as an adult version of TikTok. After installation, it asks for the user’s phone number and immediately sends it to the C&C. The backend starts generating login attempts for a series of services, such as Telegram, Google, AliPay, Amazon, MPL, Ludo, and Viber, as well as various Russian services. The app is then responsible for intercepting the 2FA codes, which are sent back to the C&C, completing the account takeover.
Persistent Attacks
A new variation of a classic banker trojan, this app mimics a Flash player but has no actual function. This advanced mobile malware relies heavily on the TOR network to anonymously deliver a malicious payload and communicate with the C&C. The attack flow starts with the extraction and execution of the payload in memory (leaving no traces on disk). Afterward, the app downloads the TOR binaries for the specific architecture, requests the C&C address via the TOR network, and downloads the overlay payload from the C&C. From there, additional APK payloads are downloaded, leading to an overlay attack on 238 target applications, with the capability to dynamically add support for additional targets. It aggressively asks for accessibility services and cannot be uninstalled or opened again. There is no way to remove the malware after installation short of a factory reset of the device.
Credential Theft
This credential-stealing app disguises itself as an Instagram follower tool. In actuality, it is a Facebook credential stealer: it harvests the cookies after a legitimate login attempt and injects malicious JavaScript into the displayed WebView to intercept the victim’s Facebook credentials. Credential-theft mobile malware is on the rise due to the common practice of reusing passwords across multiple services, which gives attackers access to a wide range of tools and logins.
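The capability list above and the three case studies all hinge on a small set of Android permissions (SMS receipt, overlay windows, the Accessibility Service). As an added triage example, not from the report, the following script reads an AndroidManifest.xml and maps the permissions an app declares back to those capabilities so that a reviewer can spot an app whose stated purpose does not justify them. The capability-to-permission mapping and the sample manifest are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capability labels follow the report's list; which permissions enable each
# is this example's own mapping (assumption), not the report's.
CAPABILITIES = {
    "2FA interception (SMS / notifications)": {
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "overlay attack": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "monitoring other apps (Accessibility Service)": {
        "android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "camera / microphone recording": {"android.permission.CAMERA",
                                      "android.permission.RECORD_AUDIO"},
}

def declared_permissions(manifest_xml: str) -> set:
    """<uses-permission> names plus the android:permission guarding each
    <service>, which is where BIND_ACCESSIBILITY_SERVICE and
    BIND_NOTIFICATION_LISTENER_SERVICE are declared."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms |= {s.get(ANDROID + "permission") for s in root.iter("service")}
    return {p for p in perms if p}

def flag_capabilities(perms: set) -> dict:
    """Map each capability to the declared permissions that enable it."""
    return {cap: perms & needed
            for cap, needed in CAPABILITIES.items() if perms & needed}

# Constructed manifest modelled on the "fake Flash player" case study: no
# real function, yet it asks for SMS, overlay and accessibility access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
if __name__ == "__main__":
    flags = flag_capabilities(declared_permissions(SAMPLE_MANIFEST))
    for cap, matched in flags.items():
        print(f"{cap}: {sorted(matched)}")
```

For a real APK, extract and decode the binary manifest first (for example with apktool) and feed the resulting XML to declared_permissions.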
Mobile App Threats: More Than Data Is at Risk
As of the first quarter of 2021, close to 3.5 million apps were available on the Google Play Store and 2.2 million apps on the Apple App Store.
The research found that approximately 81% of the financial applications studied potentially leaked sensitive information, either directly from the application or indirectly through integrated libraries and SDKs.
Expanding the breadth of applications beyond financial applications to include healthcare, retail, and lifestyle apps, we found that 77% of Android and 46% of iOS apps use, or potentially use, at least one vulnerable encryption algorithm. This can jeopardize data at rest, in transit, or on access in any of these highly critical categories.
Through reverse-engineering tactics, malicious actors can find weak entry points within the application’s code. Therefore, it is critical to perform penetration testing of applications on an ongoing basis. However, 24% of respondents state that they perform these tests on their mobile applications only once a year.
Mobile Application Risks by Industry
As bad actors continue to exploit mobile apps, compliance and regulatory factors are at play in several industries:
• Healthcare. If health data gets into the wrong hands, healthcare organizations are subject to Health Insurance Portability and Accountability Act (HIPAA) fines and penalties.
• Financial services. Financial organizations are subject to fines for data breaches and compliance failures. Further, breaches have skyrocketed since the COVID-19 pandemic.
• Retail. Poor security practices can leave retailers vulnerable to fines for breaches of the Payment Card Industry Data Security Standard (PCI DSS). These businesses could also face legal fees and penalties if consumers are affected by a cyberattack.