This is part 3 of a multi-part blog series about mobile malware. In part 1, I explained the different types of mobile malware, and how each variant targets mobile banking apps in different ways. Then in part 2, I explained how mobile malware adapts to its environment and evolves, using deceit and trickery and abusing normal app functions in unintended ways. In this post, I’ll explain how you can protect mobile apps against malware without needing to code an SDK into your apps.
This post discusses the specific ways you can use Appdome to protect mobile applications and users against mobile malware. Using Appdome’s no-code mobile security and anti-fraud solutions, mobile developers, fraud specialists and security pros can build protections directly into any iOS and Android app, so that the app can defend itself against malware.
Before getting into the specific features, it’s important to lay the groundwork on some fundamental concepts. Mobile malware, by its very nature, relies on exploiting or abusing ‘normal’ app or system functionality in order to compromise or harm the application, the user, or the data. Using Appdome, you can build the necessary protections into mobile apps, enabling the application to defend itself against mobile malware and the abusive actions that malware conducts against apps. That is, Appdome solves the problem at the root cause level.
Build a Solid Security Foundation with RASP and Code Obfuscation
The first step in any app defense is app shielding (aka hardening), which includes basic building blocks of protection like anti-tampering, checksum validation, anti-debugging and other runtime protections. Couple that with code obfuscation, including obfuscating control flows and stripping debug info. That provides a basic foundation of security against static and dynamic analysis and standard reverse engineering techniques. A key characteristic of just about every piece of malware on the planet is that it works in part by exploiting the environment around it. This is possible because malware writers can and do learn a great deal about how a given class of mobile apps functions. Armed with this knowledge, they design malware that exploits normal app and operating system functions, tailored to the specific type of apps they target. The more they know about your app, the more targeted and effective the malware will be. So start by securing the foundation, and then layer specific security measures on top.
Protect Apps Against Privilege Escalation and Improper Platform Usage
The next layer of protection for mobile apps against malware is to harden the operating environment in which the mobile application runs. Another key characteristic of malware is that it’s usually designed to look for ways to escalate privileges, plant backdoors, and spread laterally, all while remaining hidden. Privilege escalation, abuse, and permission harvesting are the ways malware stays hidden, gains functionality, and evolves to expand its attack surface. Protecting against this starts with the basics of Rooting / Jailbreak Prevention, and depending on the threat your app is facing, and how determined the adversary is, may require more targeted and specific protections. For instance, if you have a mobile wallet or fintech app with a lot of Android users, then you’ll probably need to defend against rootkits, root cloaking and other evasion techniques by preventing the use of tools like Magisk and Magisk Hide (which are the most powerful tools available today to bypass root detection and conceal rooting on Android). You also might need to block use of Magisk Manager, which is a different part of the Magisk framework that malware creators use to assign and manage rooting activities and superuser privileges for other apps that run on the device with escalated privileges.
Malware, like a good criminal, rarely works alone. In fact, malware NEEDS outside help in order to be effective, flourish and grow. That help usually comes in the form of other malware apps, trojan droppers, and the activities of unsuspecting mobile users, who are often tricked by malware into unintentionally enabling settings that benefit the cybercriminal. In fraud circles, we call this the ‘weaponization’ of mobile applications.
Prevent the Weaponization of Mobile Apps by Malware
The next step to protect mobile apps against malware is to prevent mobile apps from being ‘weaponized’ and used to conduct attacks on other apps or users. Cybercriminals trick mobile users into granting them privileged access or excessive app permissions, which they then use against mobile users and apps. Let’s continue with some examples of how to prevent mobile app weaponization, starting with preventing the abuse/misuse of Accessibility services. Appdome will detect if other apps in the environment are abusing AccessibilityServices or have elevated app permissions that are out of context with the environment. For example, there is no valid reason why a ‘calculator’ app should be able to track a user’s location, intercept touch events, or capture events from the mobile clipboard.
Other times, fraudsters use tools like ADB or Android Developer Options to escalate privileges for their malware, or even to control apps remotely or intercept, inject or alter key events. Appdome can detect and prevent apps that engage in permission harvesting or key injection by detecting events that are out of context with the environment, such as touch events not triggered by a UI source, or malicious keyboards that have made their way onto user devices through trickery, drive-by downloads or previously planted backdoors.
Then there are overlay attacks, where the attacker uses multiple transparent or opaque layers to trick a user into interacting with malicious content, such as a button, link, window or other UI element that is hidden from their view. The real UI element is covered by an attacker-controlled layer that the malware draws on top of the real screen. So when the victim clicks or interacts with the elements they can see, they are actually clicking on the hidden (malicious) element, which performs an action that serves the hacker’s purpose. Cyber-criminals often use malware, fake apps, and social engineering techniques in combination with overlay attacks to make the attack more believable and more effective.
If you’re a mobile bank that’s facing pressure from regulators to prevent screen overlay attacks, then you might want to check out this article, or simply implement the Appdome Overlay prevention feature that will enable your app to detect and prevent malicious screen overlays.
Protect Against Dynamic Code Injection and other Runtime Abuses
You can also protect mobile apps against malware by blocking the tools and methods cybercriminals use to modify apps dynamically at runtime. For example, fraudsters are known to abuse developer tools like Frida and ADB (Android Debug Bridge) to dynamically modify the code of mobile apps during runtime. This involves attaching to the running app’s process and using function or method hooking to intercept calls and alter their behavior or what they return. In this way, fraudsters modify the app’s behavior dynamically, injecting their own malicious code to replace the app’s existing code (using JavaScript injection, memory injection or other forms of code injection). If this is done on a jailbroken or rooted device, the damage can be even worse, since the cyber-criminal would be able to take control over the entire environment using root privileges and even send fake signals or messages from or to the app. Appdome’s malware prevention blocks the use of dynamic runtime tools like Frida, ADB and other frameworks that are abused against Android and iOS apps to conduct runtime attacks. Other Appdome fraud prevention features allow you to block malicious methods carried out with dynamic hacking tools, such as memory injection and method/function hooking.
Protect Against Fakes, Clones, Mods and Trojanized Apps
Then there are fake apps that masquerade as legitimate apps to trick consumers into downloading them. They look just like the ‘real thing’, but they’re actually imposters. Fraudsters download apps from public app stores and create clones (this is pretty simple to do if the app doesn’t have strong security defenses). They embed the clones with hidden malware, which is ironically obfuscated to stay hidden. Then the malware makes its way onto the user’s mobile device through the clone (which is really a trojan). Sometimes the bad guys build these clones/trojans with the necessary ‘app permissions’ to conduct abusive actions as soon as they arrive on the user’s device. Other times the malware inside the app acquires additional app permissions from users once it’s on the device (another way malware morphs over time to become more potent). These malicious apps usually stay hidden in the background and listen for events or activities, then spring into action based on certain ‘triggers’ that have been pre-programmed by the malware writers. Or the malware might interact with low-level system settings or files in ways that benefit the attacker. You can prevent this secretive, malicious activity using Runtime Bundle Validation, which ensures the integrity of iOS and Android apps by running checksums on every file included in the app bundle. Appdome saves cryptographic hashes of the files in the application and compares them to the actual files that are used during runtime.
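To make the bundle validation idea concrete, here is an added example (my own illustration, not Appdome’s implementation) of the two halves of such a check: a build-time step that records a SHA-256 digest for every file in a bundle, and a runtime step that reports files that were modified, removed, or added, which is what a repackaged, trojanized clone looks like on disk. The bundle layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # name reserved for the stored hash list itself


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(bundle_dir: Path) -> dict:
    # relative POSIX path -> absolute path, for every regular file in the bundle
    return {p.relative_to(bundle_dir).as_posix(): p
            for p in sorted(bundle_dir.rglob("*"))
            if p.is_file() and p.name != MANIFEST}


def build_manifest(bundle_dir: Path) -> dict:
    """Build-time step: record a SHA-256 digest for every file shipped in the bundle."""
    return {rel: _sha256(p) for rel, p in _files(bundle_dir).items()}


def verify_bundle(bundle_dir: Path, manifest: dict) -> list:
    """Runtime step: return (path, finding) for every file that does not match the manifest."""
    present = _files(bundle_dir)
    findings = []
    for rel, expected in manifest.items():
        if rel not in present:
            findings.append((rel, "missing"))      # a shipped file was removed
        elif _sha256(present[rel]) != expected:
            findings.append((rel, "modified"))     # code or resource was patched
    for rel in sorted(present.keys() - manifest.keys()):
        findings.append((rel, "unexpected"))       # e.g. an injected payload library
    return findings


def demo() -> list:
    """Constructed sample bundle: the clean check passes, then three tamper cases are flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp)
        (bundle / "lib").mkdir()
        (bundle / "classes.dex").write_bytes(b"original dex bytes")
        (bundle / "lib" / "libapp.so").write_bytes(b"original native code")
        (bundle / "res.txt").write_text("strings")
        manifest = build_manifest(bundle)
        assert verify_bundle(bundle, manifest) == []
        # Simulate a repackaged clone: patched code, an injected library, a dropped resource.
        (bundle / "classes.dex").write_bytes(b"patched dex bytes")
        (bundle / "lib" / "libpayload.so").write_bytes(b"injected")
        (bundle / "res.txt").unlink()
        return verify_bundle(bundle, manifest)
```

The manifest itself must be protected (signed, or embedded in code that is itself integrity-checked and obfuscated), otherwise a clone can simply regenerate it after tampering.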
Or maybe you’re worried about your own app being ‘trojanized’ due to its popularity? Apps with high download numbers are frequently cloned and embedded with malware by fraudsters who use your app as a distribution mechanism for their malware. Prevent distribution to non-approved app stores, and prevent re-signing of apps by unauthorized developers to keep your apps from being weaponized against others.
Use Appdome to Protect Mobile Apps Against Malware
If you want to learn more about how you can use Appdome to protect mobile apps against malware, feel free to request a demo. You can protect any iOS and Android app, across all app frameworks, with no coding, no SDK, and no separate apps required.