By Hank Schless
A popular Android app, Barcode Scanner, was recently found to be infected with adware. After an update in late 2020, it started pushing advertising to users without warning. The QR code scanning app has been on the Google Play Store for years with over 10 million downloads and a high rating from users. So what happened?
This actually happens pretty often. App developers commonly integrate advertising software development kits (SDKs) so they can show advertisements to users, something that’s especially crucial for free apps. We’ve seen cases where the SDKs themselves become too aggressive or even malicious. In this case, it was clear that the Barcode Scanner developer obfuscated their malicious code on purpose to avoid being detected.
The lesson here is that app threats are ever-evolving. In this case, malicious code affected millions of devices with a simple update. Luckily, the intention was to aggressively surface ads. But what if more sophisticated code was added? So whether you’re an individual or run an organization, you need visibility into what your apps are doing on your smartphone, tablet or Chromebook.
As a security researcher, I see this happen the most to apps that have basic functionality. Barcode Scanner is a QR code scanner, but it could’ve been a flashlight app or a wallpaper app. Malicious actors want to use something that has a simple codebase that can easily be altered. Also, these types of apps often have a big user base.
There are two main ways that a legitimate app turns malicious:
Once the buyer has acquired the app and assets, they can quickly implement malicious code. And since they now own the keys, certificates and accounts associated with the app, the actor can quietly push an update without setting off any alarm bells.
Whether it’s scenario one or two, what you need to pay attention to is how quickly and stealthily an app can flip from innocuous to malicious. Your employees are increasingly using their mobile devices for work. Updating apps is something that happens on a daily basis. To secure your employees and your organization, you need to understand what malicious behavior looks like and take action in real time.
This is an impossible task if your organization has a bring-your-own-device (BYOD) program, as you have no control or insight into what is on those mobile devices. This is also a great example of where deploying mobile device management (MDM) would not help. Enrolling your employees’ devices in MDM helps you manage and push updates to apps, but it doesn’t provide enough visibility. When a malicious actor has purchased everything from the previous developer, an MDM will assume the app is still safe as nothing has changed.
With many of us continuing to work away from the office, your perimeter-based security solutions are no longer available. Barcode Scanner should serve as a reminder that, without visibility into the components that make up mobile apps, you’re running with a blind spot in your risk, compliance and security posture.
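To make that blind spot concrete, here is an added example (not from the original post or from Lookout) that compares two inventories of one app across an update and shows why an unchanged signing certificate says nothing about what the new version contains. The snapshot fields, package names and signer digest are constructed placeholders, and extracting the inventories from the APK is assumed to happen elsewhere.

```python
# Added example: constructed inventories, not data from the real Barcode Scanner app.
from dataclasses import dataclass

@dataclass(frozen=True)
class AppSnapshot:
    version: str
    signer_sha256: str       # digest of the signing certificate
    permissions: frozenset   # permissions requested in the manifest
    packages: frozenset      # Java package names found in the app's code

def looks_obfuscated(package: str) -> bool:
    """Heuristic (assumption): every segment is 1-2 characters, e.g. 'a.b.c'."""
    return all(len(seg) <= 2 for seg in package.split("."))

def review_update(old: AppSnapshot, new: AppSnapshot) -> dict:
    """Compare two versions of one app and list what the update introduced."""
    added_perms = sorted(new.permissions - old.permissions)
    added_pkgs = sorted(new.packages - old.packages)
    findings = {
        "signer_changed": old.signer_sha256 != new.signer_sha256,
        "added_permissions": added_perms,
        "added_packages": added_pkgs,
        "obfuscated_packages": [p for p in added_pkgs if looks_obfuscated(p)],
    }
    # A signer-only check would pass this update; flag on content changes too.
    findings["needs_review"] = bool(
        findings["signer_changed"] or added_perms or added_pkgs
    )
    return findings

# Constructed sample: same signer before and after, new code and permissions after.
SIGNER = "PLACEHOLDER_CERT_DIGEST"
OLD = AppSnapshot("1.0", SIGNER,
                  frozenset({"android.permission.CAMERA"}),
                  frozenset({"com.example.scanner", "com.example.scanner.decode"}))
NEW = AppSnapshot("1.1", SIGNER,
                  frozenset({"android.permission.CAMERA",
                             "android.permission.INTERNET",
                             "android.permission.RECEIVE_BOOT_COMPLETED"}),
                  frozenset({"com.example.scanner", "com.example.scanner.decode",
                             "com.example.adsdk", "a.b.c"}))

if __name__ == "__main__":
    for key, value in review_update(OLD, NEW).items():
        print(f"{key}: {value}")
```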
There are two things you should do to secure against app risks:
To understand app risks and learn how you can keep your organization in compliance, check out the Lookout Risk and Compliance solution.