So-called rogue app stores, once a fringe element, are becoming a serious concern for banks, as subtly altered versions of popular apps are appearing more often on smartphones.
These rogue apps, which are often available for free, in some cases steal mobile banking passwords or redirect text messages containing passcodes.
Several factors are driving the trend: Consumers are drawn to the rogue app stores by the lure of free programs. Companies unwittingly encourage the use of nonapproved app stores by directing their employees to download enterprise apps from alternative sources. Google and Apple are supporting the use of alternative stores.
Meanwhile, rogue app stores are stealing the digital certificates of approved app stores to fool mobile devices into thinking they're legit. And the rogue apps themselves are getting more successful at fooling people and their mobile security software.
"As long as I've been following mobile banking, the most common way mobile malware works has been through rogue apps," said Avivah Litan, vice president at the research firm Gartner. "It's becoming more of a threat. … It just makes sense [that] it's going to become more common as more people use mobile apps."
Reeling People In
Rogue app stores provide hundreds of thousands of fake or tampered-with apps. The apps can steal mobile banking credentials, install adware and other malicious apps, mine bitcoins, or do anything else their creators want them to. To fool iOS and Android operating systems into believing their apps are ok, they steal developer certificates from approved stores.
"The rogue app store is not really hiding so much as it's existing in plain sight as a publicly facing website," said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, a security company.
"It's an app store that has a strong hook: you can get free versions of all the most popular apps in the Apple and Google Play stores," he said. "All 10 of the top 10 paid apps are there, sitting on this rogue marketplace, but none of them are the same versions as the ones on the normal app stores; they've all been modified."
Rogue app stores operate in a legal gray area. "The best you can call them is pirates. It depends on how charitable you're feeling," Kalember said. "We've seen already lots of apps [in the rogue app stores] that are known malware. They're disseminating malware, letting you have free downloads of apps, allowing you to have apps Apple would never approve.
"It's a massive security hole, not something that's easily fixable," Kalember said.
Scope of the Problem
In recent mobile security scans at client companies, Proofpoint analysts said that 40% had at least one app from the vShare marketplace on an employee device. These customers included large banks. (Proofpoint says it has half the Fortune 100 list in its customer base.)
At one Fortune 500 health insurance company, Proofpoint researchers found a Lego "Star Wars" app on an employee's smartphone.
"This is a perfectly fine thing to have on your device … but this was not a 'Star Wars' Lego app that exists in any [legitimate] app store anywhere in the world," Kalember said. "So we had to figure out how this got there."
Researchers traced the app to the vShare marketplace, Kalember said. They looked at other apps in vShare and realized that none of them had been through an app store review process, he said.
Proofpoint told Apple about the vulnerability, and Apple started to revoke some of the certificates that had been obtained by vShare's owners, according to Kalember. Shortly after that, vShare was back up and running with a new set of certificates, he said. (Apple did not respond to multiple requests for interviews. vShare did not immediately respond to a request for comment.)
"The risk from the mobile side is as high as any other mobile attack that has ever existed, simply because there's no normal set of set of security checks these apps go through," Kalember said.
In another case, Proofpoint's analysts found a "one-tap makeover app" called Perfect365 on the smartphone of the CEO of a large retailer. (Perfect365 can be used to retouch photos stored on a smartphone.) The app was infected with XcodeGhost malware, which is a pirated and modified copy of Xcode, the development environment programmers use to create apps for Apple phones and tablets.
This app was in the Apple app store and was downloaded onto a device that had not been jailbroken, meaning it still had Apple's software restrictions in place. And it was capable of stealing all the CEO's credentials, including her email and personal banking username and password. (So this is not an example of a rogue app store per se, but of a rogue app finagling its way into an official app store.)