Top 6 Cyber Attacks on Payroll Apps

This blog post will cover the top 6 attacks on payroll apps, as well as how to defend against them and avoid breaches.

What Are Payroll Apps?

Payroll apps are mobile app-based commercial solutions that assist businesses in paying employees accurately and on time while adhering to all applicable tax rules. Employee payroll apps include functions like salary and bonus management, paycheck issuance, time & attendance tracking, PTO & sick pay, payroll tax services, payroll accounting, and other matters related to employee compensation.

The market for mobile payroll apps and services is large, dynamic, and growing rapidly, fueled mainly by the massive migration to mobile and remote work patterns of the past several years. The market includes many different companies, ranging from large established vendors like ADP, Paychex, Intuit, and Oracle NetSuite, to growing startups like Gusto, Onepay, Deluxe, and many more.

Every business needs payroll services, and these days many companies are using commercial off-the-shelf solutions because it saves them time and money and allows them to focus on their core business, all while maintaining compliance. This is all good for businesses and employees alike. Everyone likes to get paid on time and accurately! On the flip side, moving to an app-based payroll system brings a set of unique security challenges.

Why Are Payroll Apps Targeted by Cyber-Criminals?

Enterprise payroll apps store and process a lot of highly sensitive financial and HR-related data about employees. This includes personally identifiable information (PII) such as full name, address, DOB, social security #, employee ID #, tax rate, salary, bonus, marital status, gender, and even account information for the employee’s bank (for direct deposit).

Not only that, payroll apps usually connect to multiple critical back-end systems (HR, HCM, Finance, etc).

These dynamics make payroll apps and systems attractive targets for cybercriminals, who seek to capitalize on the rich set of data stored in and handled by payroll mobile apps and the systems they connect to.

Below I will cover the Top 6 attack techniques cyber-criminals use to compromise employee payroll apps.

Payroll Cybersecurity Checklist – Top 6 Cyber Attacks on Employee Payroll Apps

• Jailbreaking & Rooting

One of the first techniques an attacker will perform to compromise a payroll application is Jailbreaking iOS or Rooting Android mobile operating systems. The reason is simple: Jailbreaking and Rooting make it easier for attackers to compromise mobile applications by escalating and abusing administrative privileges. In short, Jailbreaking and Rooting inherently compromise the security model of the OS and device and pave the way for attacking/compromising any application running on the device. For example, Jailbreaking and Rooting make it easier to bypass anti-tampering, disable security SDKs, modify system calls, change source code or binaries. Further, advanced hacking tools and frameworks like Checkra1n, mobile substrate, filza,  Magisk, and Liberty Lite enable attackers to conceal their activities, bypass or disable detection capabilities, enable root access for other malware, and send fake signals to or from the app, and much more.

• Reverse Engineering (Static & Dynamic Analysis)

Another common and effective way to attack payroll apps is to reverse engineer them to figure out how the apps work on the inside. Like Jailbreaking/Rooting, reverse engineering is not an attack per se, but a set of methods and techniques cyber-criminals use to give themselves advantages that allow them to attack and compromise mobile applications more effectively. Namely, the attackers use reverse engineering to gain knowledge and information about apps – by analyzing the source code and application logic to understand what the code does (static analysis) and/or by running apps in controlled, simulated, or virtualized environments to understand how the app behaves as it runs. For employee payroll apps, attackers can decompile the app to read the application strings and search for hard-coded information such as passwords, API keys, or authentication tokens. Or they might scan for weak encryption algorithms or even data stored unencrypted in shared locations, preferences, and resource files, which might allow them to impersonate a legitimate user to gain unauthorized access to a restricted system that contains confidential payroll data. They also can use static analysis to understand how payroll applications share data internally or with other apps via carelessly implemented intent filters, and then marry that with dynamic techniques such as debugging, emulation, dynamic binary instrumentation, or hooking to modify the behavior of apps in malicious says while the app runs. Consider this article by security researchers that discusses the many different ways that Android intent filters can be abused by threat actors to intercept or harvest sensitive data, redirected to malicious URLs or apps, or used as an attack vector to target other apps on the victim’s device.

• Exploit Insecure APIs for Unauthorized Access or Data Harvesting  

There’s a growing trend to open up employee payroll app interfaces using APIs. Consider this article by Andreessen-Horowitz which advocates making private employee payroll data accessible via open APIs to fintech, lenders, insurance companies, and other financial institutions to deliver value-added financial services to employees. This means the points of exposure for payroll apps can affect not only employees but also their employers as well as the ecosystem of partners who may be offered access to the employee’s data. Every interface or integration offering access to payroll data represents an opportunity for data to be leaked, exfiltrated, intercepted, or accessed/read by unauthorized parties – who have multiple ways to compromise users and data, using a plethora of tools in malicious ways.

Not only that, many mobile apps expose more information than is necessary for API calls to the app’s backend. Here’s a recent example of how dozens of organizations using Microsoft Power Apps inadvertently exposed 38 million records containing sensitive information about employees. The breaches were a result of misconfigured mobile APIs which allowed public access to private data and even impacted Microsoft’s own global payroll systems. Some of the more common types of API-based attacks involve API calls that allow authentication bypass, unauthenticated access, exposing too much information within the API response, or insufficient encryption. It’s critically important to follow mobile security best practices, such as the OWASP API Security Top 10, when using APIs in payroll apps, especially given the sensitive data involved.  

• MiTM and Network-Based Attacks

Interacting with an employee payroll app may require users to enter highly personal or sensitive information about themselves, or the app may link to their 401k account or bank account for direct deposit. These are prime interfaces for attackers to intercept or harvest data using any number of network-based attack techniques – MitM attacks, session hijacking, fraudulent digital certificates. Such attacks could allow attackers to impersonate the user or the payroll provider, extract confidential data, or even modify the information being transmitted.   

• Weaponizing Payroll apps – Fakes Clones, and Trojans

Attackers create fakes, clones, or Trojan versions of payroll or other enterprise apps and trick users into downloading the fake version from public or alternative app stores, or even websites. The user thinks they are downloading a legitimate payroll app, but they are actually downloading a fake replica of the real app which looks and behaves just like the real app, except that it has hidden malware embedded inside.

The malware is sometimes obfuscated/hidden by the attacker so that it evades Apple and Google security scanners. These types of attacks are typically ‘blended’ with social engineering, phishing, masquerading, or other attack techniques to increase the illusion of authenticity.

• Malware That Targets Payroll Apps

Once the malware is on the mobile user’s device, it can perform any number of malicious actions such as escalating privileges, tricking the user to approve permission requests that the malware then abuses, logging keystrokes, monitoring user behavior, extracting data, auth tokens, or user credentials, scanning for other target apps to attack (eg: banking apps, payment apps, cryptocurrency apps, e-wallets), and more.

How to Prevent Cyber Attacks on Payroll Apps

For DEVELOPERS of enterprise payroll apps (and other enterprise apps), to prevent your app from being cloned or trojanized, it all starts by protecting apps against static and dynamic reverse engineering techniques. To do this effectively requires code obfuscation (multiple methods), as well as dynamic protections such as anti-tampering, anti-debugging, preventing static binary patching, Additionally, you can layer additional anti-piracy features on top of this (prevent app resigning, prevent app store redistribution other than official app stores).

On the flip side, both developers of payroll apps as well as the enterprise IT and Security departments that deploy these apps should understand the threat of malware that targets payroll apps.  malware that may already be deployed on users’ devices that targets other apps, targets your mobile users, or attempt to infiltrate your backend.

The protections required to prevent this type of attack are different and may include:  overlay prevention, keylogger prevention, block accessibility abuse, and permissions.

The flip side of that are protections For ENTERPRISES who use 3^rd party payroll apps, in addition to ensuring that the developer prevents the payroll app from being weaponized, you also need to be concerned about

Payroll app makers should utilize Data Encryption, such as AES 256 encryption, to secure and safeguard all API data (keys, secrets, URLs, tokens, payload, and so on), as well as data in the App Sandbox and Preferences, to safeguard mobile user privacy and protect the confidential data of the employee and employer alike.

Conclusion

Employee payroll apps allow enterprises to save time and resources and streamline their payroll operations to pay employees on time and accurately. However, due to the high risk of attack, developers of payroll apps and the enterprises who use them need to take proactive measures to safeguard the very sensitive and valuable data that payroll apps handle and store.

Want to learn how to build mobile app security into any payroll app in minutes?

Reach out for a live demo.