Back in 2017, Google launched Play Protect on their Android Play Store. The problem had been that malware and viruses on the Android ecosystem had become rampant, with few checks in place.
Play Protect was Google’s answer to the lack of security on the Android app network. So how has it fared?
A 2020 report by AV-TEST found that Google’s Play Protect doesn’t do nearly enough to filter out malware. In fact, when compared to third-party solutions to block malware, Play Protect spots and blocks just over 79%, compared to 98% for other solutions.
So what does this mean for the average smartphone user or app developer?
What is Malware on Android?
Phone malware can be installed for a variety of different reasons, from Trojans designed to steal banking credentials or backdoor vulnerabilities to adware.
In 2021 alone, there were just under 3.5 million malware installation packages globally - with the majority of these in countries such as Iran, China and Saudi Arabia. This number is also down from 5.68 million installs in 2020, according to a report from Kaspersky.
As mentioned, adware is the most common phone malware. This usually comes in the form of intrusive pop-ups on your phone screen. But it can also be ad fraud clickers such as DrainerBot and 404Bot.
DrainerBot is an interesting example of Android malware, which is designed for viewing video ads without the knowledge of the device user - a process known as ad fraud. As well as siphoning off the ad budget of app marketers, it also zapped the battery and sucked up users’ data allowances, using around 5GB per month in fraudulent views!
It would be easy to say that Android is the issue here; however, the problem isn’t confined to Google’s App store.
Malware on iOS
In late 2020, AppSec firm Snyk.io spotted a security flaw in the Apple App Store. Nicknamed SourMint, the team at Snyk released a report stating that SourMint was responsible for a number of fraudulent processes, including ad fraud and data logging.
At the time, Apple denied there was a problem, but they have since silently carried out a number of updates to the App Store.
Although there might be an argument that Apple’s security is tighter than Google’s, the truth is that this isn’t the first instance of malware on the App Store.
In fact, malware remains a problem for Apple devices just as much as Android and Windows devices too.
So how is this still a problem?
How malware gets installed
Apple and Google both have processes to vet and monitor what gets distributed on their respective apps stores. Although Apple’s is by far the most strictly controlled, Google’s Play Protect has added a secure layer to what was notorious for poor quality software.
But neither of these have stopped the constant drip of malware-loaded apps.
So how does malware get into software such as apps and extensions?
The malware is installed onto the software by ‘side-loading.’ Essentially, this means a packet of data is added after the initial download, which adds in the malicious code.
Another vector is installing apps from the internet and bypassing the app stores checks. Confusingly, this is also referred to as side-loading, meaning the main two methods of installing malware are via side loading or side-loading.
In effect, this additional element is injected into the software, which can happen anytime after the initial install. It might be on first run of the software, or the next available update.
But where do these malware elements come from? Who is installing them into these apps? After all, many of these apps are genuine software created by different companies. They can’t all be fraudulent?
The problem with SDKs
In most cases, the malware elements are packaged into SDK, or software development kits. These kits are used to develop apps by different developers, meaning that anyone using this SDK is effectively building on software that can be injected with malware.
Drainerbot, mentioned above, was built on an SDK from a company called TapCore. And the SourMint malware came from an SDK from a company called Mintegral.
There is also the famous case of two companies JediMobi and LionMobi, that were both accused by Facebook of adding click-injection elements to their app kits.
In most of these cases, the developers behind the SDK’s denied all knowledge of the presence of malware. Although LionMobi and JediMobi both denied involvement with any form of click fraud campaigns, they did eventually settle with Facebook.
So if these app kit developers aren’t intentionally packaging up their software with malware, where is it coming from? And who is getting the ill-gotten gains?
Who gains from app-based malware?
Malware within apps and software kits is thought to be added in by fraudulent actors. These SDKs are available to download, sometimes for free. The most likely explanation for the infiltration by malware coders is a hack or bot which inserts the offending code.
The fraudster, who is often completely unrelated to the owners of the SDK, will then have access to a growing database of devices. And from their own command and control center, they can perform whatever forms of mobile fraud they want: From ad fraud, one of the most common methods of digital fraud, to keylogging and data theft.
Increasingly, developers are turning to application security, known as AppSec, which ensures vulnerabilities are not exploited within these software kits. Although they’re often seen as ‘yet another security product,’ the truth is that blocking fraud at this level can eliminate much more damaging fraud higher up the digital food chain.
And with the total cost of digital fraud already estimated at over $100 billion each year, preventing malware and fraudulent apps is a top priority for app developers. A vulnerability assessment is the most effective way for app developers and SDK builders to reduce the chances of phone malware on their software.