Mobile app stores still source of malicious content, says report

CISOs looking for ammunition to remind employees of the dangers of downloading apps for mobile devices can cite the latest report from digital threat management vendor RiskIQ.

In its latest quarterly report (registration required), which analyzed 120 mobile app stores from around the world and more than 2 billion daily scanned resources of customers, found some app stores are being created and pumped up with huge numbers of malicious apps. Researchers speculate that this could be in concert with a particular campaign or to make detection of known bad stores more difficult.

As experts know, the safest place for users of Android devices to download apps is the Google Play store, because Google tries to hunt down malicious applications. In Q3 the percentage of malicious apps in the Play Store fell to a low of four per cent after reaching a high of eight per cent in Q2, the report said. Obviously that means there is still some risk.

Monthly numbers of malicious mobile apps up to Q3 2017. RiskIQ graphic

To cut down that risk infosec leaders need to remind users to watch for apps that are clones of legitimate software from an official developer but have malware buried inside. The report found that antivirus, dating, messaging, and social networking apps are favorite targets for this game. For example, querying RiskIQ data for apps in the Play store since the start of Q3 containing the word “WhatsApp” and excluding any from the official WhatsApp developer returned 497 entries. The same query for Instagram returned 566 entries. There’s a clone of Avast anti-virus software and of the Waze GPS navigation app.

The danger of malicious apps isn’t only that they can be used for breaching personal or enterprise data. The report notes malware helped create a massive mobile-based botnet  a number of security vendors called WireX that affected an estimated 70,000 Android users globally. After a short development stage, on Aug. 17, the botnet struck several content delivery networks with between 130,000 and 160,000 unique IPs observed from over 100 countries.

Around 300 malicious apps helped create WireX, some of which were found in official app stores, including Google Play. These apps masquerade as media and video players, ringtones and storage managers, the report said. Google has blocked and removed these apps from user devices.

RiskIQ, Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, Team Cymru and other companies have co-operated to take down part of the botnet. However, it is still running. For more on the WireX takedown see this column from security writer Brian Krebs. 

The advice that can be passed on by infosec pros to employees is encapsulated in the report: “Just because an app appears to have a good
reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can simply indicate a threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer—if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.

“Make sure to take a deep look at each app. New developers, or developers that leverage free email services (e.g., @gmail) for their developer contact, can be enormous red flags—threat actors often use these services to produce mass amounts of malicious apps in a short period. Also, poor grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Featured Reads