Facebook: A new command and control HQ for mobile malware
Pretty neat way to smuggle evil code past Apple, Google app store guards
RSA 2016 Researchers have shown off a new way to evade the security mechanisms in Android and iOS – by using social networks as command and control servers.
The team, from Israeli security firm Skycure, said Google and Apple have made great strides in keeping malware out of their official software stores by scanning submitted code for malware and bad practices.
Part of the scanning operation checks which backend systems the app contacts. Applications that reach out to suspicious servers are flagged up for further inspection – but contacting Facebook looks legit. So the team created a Facebook profile and posted lines of malicious code. When the innocent-looking app logs onto the social network and downloads the payload, it can execute it on the device.
In effect, it smuggles bad code onto a gadget from a Facebook profile, thus bypassing Google and Apple's app store censors.
It's a very cunning trick, and one that would be very difficult to protect against just by scanning the surface of the app's code. Miscreants are already exploiting this technique, and similar methods, in the wild to bypass Google and Apple's scanning systems, we're told.
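To make the point concrete, here is a toy static scanner, added to this article and not Skycure's or either store's actual tooling. It runs over hand-constructed string tables standing in for what a scanner pulls out of an app package, and contrasts two checks: a pure "who does it talk to" allow-list, which passes the Facebook-fed dropper exactly as the article describes, and a second check that also looks for the dynamic-code-loading APIs the payload needs to run. The allow-list, the indicator list and the three sample apps are all assumptions for illustration; 198.51.100.23 is from the reserved documentation range.

```python
"""Toy static scanner: an endpoint allow-list alone lets a social-network-fed
dropper through; combining it with dynamic-code-loading indicators does not.

Everything below is a constructed example. The host allow-list and the API
indicator list are illustrative, not a real store's detection rules.
"""
import re
from urllib.parse import urlparse

# Hosts a naive "which back ends does it contact" check treats as legitimate.
ALLOWLISTED_HOSTS = {"graph.facebook.com", "www.facebook.com", "api.twitter.com"}

# Android APIs that let an app run code it did not ship with. Real APIs, but
# the selection is an illustrative subset chosen for this example.
DYNAMIC_LOAD_INDICATORS = (
    "dalvik.system.DexClassLoader",
    "dalvik.system.PathClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
    "java.lang.Runtime.exec",
    "java.lang.System.load",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_hosts(strings):
    """Collect lower-cased hostnames from every URL literal in the string table."""
    hosts = set()
    for s in strings:
        for url in URL_RE.findall(s):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def endpoint_verdict(strings):
    """The naive check: flag only if some contacted host is not allow-listed."""
    unknown = sorted(h for h in extract_hosts(strings) if h not in ALLOWLISTED_HOSTS)
    return ("suspicious", unknown) if unknown else ("clean", [])


def behaviour_verdict(strings):
    """Flag the combination that matters: any network fetch plus the ability
    to load code that was not in the reviewed package."""
    hosts = extract_hosts(strings)
    loaders = [ind for ind in DYNAMIC_LOAD_INDICATORS if any(ind in s for s in strings)]
    if hosts and loaders:
        return ("review", loaders)
    return ("clean", [])


def scan(strings):
    """Return both verdicts side by side so the gap between them is visible."""
    return {"endpoint": endpoint_verdict(strings), "behaviour": behaviour_verdict(strings)}


# Constructed string tables standing in for three submitted apps.
BENIGN_APP = [
    "https://graph.facebook.com/v2.5/me/feed",
    "com.example.newsreader.FeedActivity",
    "android.widget.ListView",
]
# Pulls its second stage from posts on a social-network profile (the trick in
# the article), then loads it with DexClassLoader.
DROPPER_APP = [
    "https://www.facebook.com/c2.profile.example/posts",
    "dalvik.system.DexClassLoader",
    "/data/data/com.example.game/cache/stage2.jar",
    "com.example.game.MainActivity",
]
# The case the endpoint check was built for: a bare-IP panel.
OBVIOUS_MALWARE = [
    "http://198.51.100.23/panel/gate.php",
    "dalvik.system.DexClassLoader",
]

if __name__ == "__main__":
    for name, app in [("benign", BENIGN_APP), ("dropper", DROPPER_APP),
                      ("obvious", OBVIOUS_MALWARE)]:
        print(f"{name:8s} {scan(app)}")
```

The dropper and the news reader get the same "clean" endpoint verdict because both only name Facebook hosts; only the behavioural check separates them. Even that is a string-level heuristic: an app that builds the class-loader name at runtime, or fetches the payload through an obfuscated URL, defeats it, which is why the article's point that surface scanning is not enough also applies to this improved check.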
There have been examples of "time bomb" apps that include unactivated malicious code hiding from scanning engines in kosher-looking software; this bad code will unpack and run once the app has been used for a set period of time. The Skycure team said that this could also be activated by a target's location, or if they'd reached a certain point in a game.
That said, Skycure praised Google for its work cleaning malware out of its Play Store, and Apple for getting it right first time and blocking almost all malware from invading its App Store. But Apple's walled garden is not impervious, they said.
The team gave a talk at RSA 2015 and showed that they had found almost 150 security vulnerabilities in iOS in 2014, and predicted the number could reach about 170 for 2015. The actual figure for the year hit 374, showing there are plenty of ways for crooks to potentially subvert our iDevices. ®