Social engineering, fake App Stores, hit iOS, Sophos warns

I didn’t entirely mean to focus on Apple device security for most of this week (see here and here), but new Sophos research should interest any enterprise working to enhance security awareness.

Breaking bad

The research looks at 167 counterfeit apps used to scam iOS and Android users. Those that impact Apple’s mobile OS particularly stood out, as they show the increasing sophistication of malware authors.

Sophos found these sophisticated attacks combine a range of weaponry, from social engineering, counterfeit websites, fake iOS App Store pages, and even an iOS app-testing website to get these fake apps to victim’s devices.

Sophos warns the attacks may be operated by the same group and all the apps identified purport to be crypto, stock, and banking apps that steal from those using them. It is important to note that Sophos has shared details of these apps and they should now be picked up by malware detection apps.

What attack vectors were used?

What’s important for enterprise users to identify is what attack vectors were used to distribute these apps. Primarily, these are good examples of social engineering combined with sophisticated attempts at spoofing.

For example, researchers identified an instance in which an attacker found a victim in a dating app who they eventually manipulated into installing a fake app that then attempted to steal a person’s cryptocurrency details.

The attacks also used spoof websites that appear to be legitimate sites for known brands, and made use of ad hoc app distribution and quite-convincing App Store download pages, complete with fake customer reviews.

Humanity is vulnerable

What makes these convincing exploits dangerous is the constructed authenticity. It means people, including your employees, can easily fall prey to them. Once again, these attempts focus on the weakest link in any security chain – the humans using the equipment.

What can enterprises do to protect themselves? It’s an argument for Zero Trust, I think.

Not only are passwords insufficient protection for personal data, this is certainly so for corporate services and information. Just as I’d advise any iOS user, enterprises should at least deploy multifactor authentication to harden existing security protocols, though even this isn’t really enough. Network-based Zero Trust security models form another barrier to blunt the impact of attacks of this kind.

Given that security today is a when, not an if, a move to adopt combined security protections makes it more likely data will remain secure even in the event one component of that protection is penetrated.

Ad-hoc distribution was also used

It’s also worth noting that in at least some of these cases, criminals made use of ad-hoc distribution (Sophos refers to Super Signature developer services) to evade Apple’s App Store process. This let them create what seemed to be real apps distributed by phony App Store pages, but built and managed completely outside the App Store process.

These are the kinds of installations you’ll see a lot more of if mobile developers are forced to run App Stores in the same way as a multi-storefront shopping mall, rather than as high-class department stores. But I digress.

The apps are malicious, and act like real apps, but are distributed via a fake App Store page. They never interact with Apple in any genuine sense, and it’s likely the developer services used are violating Apple’s developer license agreements.

There are steps app store providers can take to mitigate against such attacks. Sophos suggests stores should add reputation and trustworthiness scores to app rankings, for example.

Apple must…

We know Apple watches out for such attempts made via the App Store. It terminated 470,000 developer accounts and rejected more than 200,000 enrollments over fraud concerns last year. It also removed 95,000 apps from the App Store for fraudulent violations, such as manipulating users into making purchases.

But the use of ad-hoc app distribution in these violations led Sophos to recommend Apple create a new iOS warning message that lets users know if they are installing apps ad hoc outside Apple’s App Store.

I completely agree with this approach. I don’t think beta testers would be turned off by such warnings when installing trial apps. I also don’t think enterprises who use small distributions of internally developed apps will have problems explaining such a warning to employees.

The wider benefits in terms of adding a barrier to the installation of a criminal apps distributed through smart social engineering and convincing fakery far outweighs the friction of receiving such a warning in the first place.

All the same, the cat-and-mouse game between online services, entities, users, and enterprises against cybercriminals continues to become ever more complex, and humans remain the weakest link in the security chain. On any platform.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.