Industry News

Malicious Apps Bypass Security Tools to Steal Data

Downloading unsigned and unverified applications onto a phone, laptop or other device can expose users to potentially malicious code that steals private information, such as a Social Security number or bank account details.

To limit the risk of exposure to malicious code, Apple employs Gatekeeper for Mac machines, a feature that checks for verified apps downloaded from the Internet. Gatekeeper lets the app run if it is signed by Apple or created by an Apple-recognized developer.

However, security researcher Patrick Wardle of Synack recently found ways to bypass Gatekeeper, including a way around the most recent patches issued by Apple.

One way involved pairing code with another verified application, which allowed the code to pass through Gatekeeper unsigned, since Gatekeeper only checked the signature of the first app executed by the user. The secondary code could allow an attacker to run programs that steal passwords, capture audio and video, and run botnet software, according to Ars Technica.
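One defensive check that follows from this, added here as example code and not part of the original article: rather than relying on Gatekeeper's assessment of the first app launched, walk the entire download and run Apple's `codesign` verifier on every Mach-O binary inside it, helpers and dylibs included. The script assumes macOS with `codesign` on PATH; the magic-number scan itself runs on any platform.

```python
"""Verify every Mach-O binary in a downloaded bundle, not just the main app.
Example code added here; assumes macOS with `codesign` available."""
import shutil
import subprocess
from pathlib import Path

# Mach-O magic numbers as the first 4 bytes on disk.
# 0xCAFEBABE is also the Java .class magic; such a file would be listed
# and then fail codesign, which is the safe direction for an audit.
MACH_O_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, either endianness
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, either endianness
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # universal ("fat") binaries
}


def is_mach_o(path: Path) -> bool:
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACH_O_MAGICS
    except OSError:
        return False


def find_mach_o(root) -> list:
    """Every Mach-O file under root: main executable, helpers, dylibs, frameworks."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and is_mach_o(p))


def verify_signature(path: Path) -> bool:
    """Run `codesign --verify --strict`; unsigned or tampered binaries fail."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; run this on macOS")
    result = subprocess.run(["codesign", "--verify", "--strict", str(path)],
                            capture_output=True, text=True)
    return result.returncode == 0


def audit_bundle(root) -> dict:
    """Map each Mach-O path under root to whether its signature verifies."""
    return {str(p): verify_signature(p) for p in find_mach_o(root)}


if __name__ == "__main__":
    import sys
    results = audit_bundle(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, ok in results.items():
        print(("OK       " if ok else "UNSIGNED ") + path)
    sys.exit(0 if results and all(results.values()) else 1)
```

Any binary that fails here would have been ignored by the first-app-only Gatekeeper check described above, so a non-zero exit is the signal to quarantine the download.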

But Apple’s patch only blacklisted certain files used to carry out the attacks - bypassing the fix was only a matter of finding other Apple-signed code that could execute the same attack, according to Forbes.

In one example, Wardle included malicious files in a legitimate download of Kaspersky’s Antivirus, which an attacker could use to deliver fake antivirus updates to a user on the same public Wi-Fi network. Apple released an update last week to block those files.

It would appear that Apple did not fix the underlying security issue, and instead blacklisted a small number of apps that exploit the vulnerability. But perhaps that was an immediate fix they could release to ensure user security while they work on the real problem - at least one would hope.

Other Malicious App Attacks

Last year, iOS developers were the target of an attack against Xcode, Apple’s official app development software. Malicious code was spread to unknowing users through many apps downloaded via Apple Store, because those apps had been built with a tampered version of Xcode called XcodeGhost.

To mitigate the threat, Apple removed apps containing XcodeGhost, and notified affected developers, encouraging them to recompile using the official Xcode and re-submit apps. However, it’s estimated that there are hundreds if not thousands of apps that may be affected, which makes blacklisting an ineffective fix.

Spreading Malicious Android Apps

Meanwhile, when it comes to Android devices, 13 malicious apps in Google Play were removed after researchers found that the apps attempted to gain root privileges and made unauthorized downloads, according to Ars Technica.

Many of these apps were fully-functioning games, and were highly rated by users. But behind the scenes, the apps used compromised devices to download and positively review other malicious apps in the Google Play store in order to keep them in circulation and increase the chances of download.

Rooting devices allows these types of malicious apps to install themselves as system applications, making them harder for users to remove and allowing them to survive a factory reset of the Android phone.

Users should be more cautious when it comes to downloading apps from the Internet, and be aware of the risks involved with using these types of apps. Users can also reduce the risks associated with stolen passwords by using two-factor authentication to further secure their account logins. Learn more in Why Two-Factor Authentication?