Enterprise employees use mobile apps every day to get their jobs done, but when malicious actors start impersonating those apps, it spells trouble for IT departments.
David Richardson, director of product at Lookout, and his team recently researched five families of malware doing just that: spoofing real enterprise apps to lure people to download their malware. The dataset of mobile code shows that these five, active mobile malware families often impersonate enterprise apps by ripping off the legitimate app’s name and package name. These apps include Cisco’s Business Class Email app, ADP, Dropbox, FedEx Mobile, Zendesk, VMware’s Horizon Client, Blackboard’s Mobile Learn app, and other
What does it do? Shuanet automatically roots a device, installs itself on the system partition, and then installs further applications. These applications could be malicious or could be benign apps, pushed to the phone as part of a scheme to get more downloads. Shuanet may also push very aggressive and intrusive advertising to the device.
What is the risk to an enterprise? Rooted devices are in an altered state of security. Often people will root a device to customize it, but they may not know how to properly configure security and also may not receive regular software updates. Also, malware like Shuanet installs itself in the system partition, making it very difficult to remove. Even factory resetting a device infected with malware does not remove the threat. Lastly, malware that installs applications could drop further malicious apps onto the device, putting the device and its data at risk.
Examples of apps it spoofs: ADP Mobile Solutions, CamCard Free, Cisco Business Class Email (BCE), Duo Mobile, Google Authenticator, VMWare Horizon Client, Zendesk, Okta Verify.
What does it do? Originally developed as a university project to create a “remote administration tool,” AndroRAT allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.
What is the risk to the enterprise? Hidden remote access software allows an attacker to easily exfiltrate data, corporate and personal, from the mobile device. Also, having continued remote access to a mobile device allows an attacker to infiltrate corporate Wi-Fi networks and VPNs that the infected device connects to.
Examples of apps it spoofs: Dropbox, Skype, Business Calendar
What does it do? UnsafeControl can collect contact information and download it to a third-party’s server. It also has the ability to spam that contact list or send SMS messages to phone numbers specified by its command and control (CNC) servers. The message content is also specified by the CNC.
What is the risk to the enterprise? Malware like UnsafeControl steals contact information, which can be considered very sensitive information to many enterprises. For example, the contacts within a Chief or VP of sales’ device might be a competitive advantage for a company.
Examples of apps it spoofs: FedEx Mobile, Google Keep, Remote VNC Pro, Sky Drive, PocketCloud, Skype.
What does it do? PJApps may collect and leak the victim’s phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.
What is the risk to the enterprise? Malware like PJApps is generally using its functionality for monetary gain, but the technology itself is concerning. Threats that collect location information is generally concerning, but especially when considering executives’ devices. This could mean revealing information about a business’ plans. The ability to download further applications to a device also opens the device up to new types of malicious software.
Examples of apps it spoofs: CamScanner
What does it do? This application contains an advertising network which may push ads to your notification bar, create pop-up ads, place shortcuts on your home screen and download large files without asking. It may not be clear that this application is displaying these ads.
What’s the risk to the enterprise? If the device an employee performs her job on suddenly starts interrupting her work, that employee is going to send helpdesk tickets to the company’s IT department. Time is money.
Examples of apps it spoofs: Mobile Learn from Blackboard, Evernote, PocketCloud, Remote Desktop, Adobe Reader, aCalendar
Image from iStockphoto.com