So-called rogue app stores, once a fringe element, are becoming a serious concern for banks, as subtly altered versions of popular apps are appearing more often on smartphones.
These rogue apps, which are often available for free, in some cases steal mobile banking passwords or redirect text messages containing passcodes.
Several factors are driving the trend: Consumers are drawn to the rogue app stores by the lure of free programs. Companies unwittingly encourage the use of nonapproved app stores by directing their employees to download enterprise apps from alternative sources. Google and Apple are supporting the use of alternative stores.
Meanwhile, rogue app stores are stealing the digital certificates of approved app stores to fool mobile devices into thinking they're legit. And the rogue apps themselves are getting more successful at fooling people and their mobile security software.
"As long as I've been following mobile banking, the most common way mobile malware works has been through rogue apps," said Avivah Litan, vice president at the research firm Gartner. "It's becoming more of a threat. … It just makes sense [that] it's going to become more common as more people use mobile apps."
Reeling People In
Rogue app stores provide hundreds of thousands of fake or tampered-with apps. The apps can steal mobile banking credentials, install adware and other malicious apps, mine bitcoins, or do anything else their creators want them to. To fool iOS and Android operating systems into believing their apps are OK, they steal developer certificates from approved stores.
"The rogue app store is not really hiding so much as it's existing in plain sight as a publicly facing website," said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, a security company.
"It's an app store that has a strong hook: you can get free versions of all the most popular apps in the Apple and Google Play stores," he said. "All 10 of the top 10 paid apps are there, sitting on this rogue marketplace, but none of them are the same versions as the ones on the normal app stores; they've all been modified."
Rogue app stores operate in a legal gray area. "The best you can call them is pirates. It depends on how charitable you're feeling," Kalember said. "We've seen already lots of apps [in the rogue app stores] that are known malware. They're disseminating malware, letting you have free downloads of apps, allowing you to have apps Apple would never approve.
"It's a massive security hole, not something that's easily fixable," Kalember said.
Scope of the Problem
In recent mobile security scans at client companies, Proofpoint analysts said that 40% had at least one app from the vShare marketplace on an employee device. These customers included large banks. (Proofpoint says it has half the Fortune 100 list in its customer base.)
At one Fortune 500 health insurance company, Proofpoint researchers found a Lego "Star Wars" app on an employee's smartphone.
"This is a perfectly fine thing to have on your device … but this was not a 'Star Wars' Lego app that exists in any [legitimate] app store anywhere in the world," Kalember said. "So we had to figure out how this got there."
Researchers traced the app to the vShare marketplace, Kalember said. They looked at other apps in vShare and realized that none of them had been through an app store review process, he said.
Proofpoint told Apple about the vulnerability, and Apple started to revoke some of the certificates that had been obtained by vShare's owners, according to Kalember. Shortly after that, vShare was back up and running with a new set of certificates, he said. (Apple did not respond to multiple requests for interviews. vShare did not immediately respond to a request for comment.)
"The risk from the mobile side is as high as any other mobile attack that has ever existed, simply because there's no normal set of security checks these apps go through," Kalember said.
In another case, Proofpoint's analysts found a "one-tap makeover app" called Perfect365 on the smartphone of the CEO of a large retailer. (Perfect365 can be used to retouch photos stored on a smartphone.) The app was infected with XcodeGhost malware, which is a pirated and modified copy of Xcode, the development environment programmers use to create apps for Apple phones and tablets.
This app was in the Apple app store and was downloaded onto a device that had not been jailbroken, meaning it still had Apple's software restrictions in place. And it was capable of stealing all the CEO's credentials, including her email and personal banking username and password. (So this is not an example of a rogue app store per se, but of a rogue app finagling its way into an official app store.)
It's hard to picture a company CEO downloading an app like this. It could have been done by her kids or it could have been her, assuming the Apple app store was safe.
"With millennials coming into the workplace, they have different attitudes toward software piracy," Kalember said. "Even for those of us who grew up with things like Napster, just downloading something even if you have to go through a couple of hoops to do it, doesn't feel that unnatural."
The Dangers of Sideloading
All of this is an unintended consequence of Apple and Google allowing companies to distribute apps through stores other than the official Apple and Google stores, according to Kalember. This is called "sideloading." Apple's agreement to jointly build enterprise mobile apps with IBM, for instance, relies on this function. Google's permitting Amazon to offer Android apps is another example.
"It's not at all clear how they're going to address it, other than continuing to play this cat-and-mouse game with developer certificates that keep getting stolen," Kalember said.
Until recently, rogue app stores could only be used by devices that had been jailbroken. Jailbreaking is a contained risk because it's hard to do.
"That's an act you have to take knowingly," Kalember said. "There's no known technique to jailbreak an iOS device or Android device that doesn't involve a human taking a very specific set of steps." In the past, this gave companies comfort that their employees' non-jailbroken devices were safe.
Banks tend to let employees sideload enterprise apps. They're reluctant to put their employee-facing apps on the public app stores for fear that hackers will mess with them there, perhaps by trying to guess employees' passwords.
"If you are a large bank and you have an internal, employee-only application you want to get to 10,000 people, it's maybe something you don't want to put in the public app store," Kalember noted.
A Low Priority
The list of security threats banks have to worry about is long. Even within mobile banking, there are many threats: mobile banking Trojans, other types of mobile malware and mobile banking app vulnerabilities.
So rogue app stores are not necessarily top-of-mind for the banking industry, yet. At the Financial Services Information Sharing and Analysis Center in Washington, the industry's hub for security threat information, "We are not currently seeing this as a trending 'hot topic' amongst members," said spokesman Andrew Hoerner.
This could be, in part, because banks generally don't see malware on customers' phones. They may realize that a password has been stolen or a text message containing a passcode has been diverted, but they don't know exactly how. The role a rogue app may have played is not traceable.
"The problem is the banks don't see what's happening on the users' phones, so it's hard for them to track that to the reason an account was hijacked," Litan said.
Most of the large banks use scanning services that monitor the public app stores and the web at large for pirated versions of their banking apps (RiskIQ is one example of such a service). So if there's a rogue Chase app somewhere, chances are the bank could find it and tell whoever developed and posted the app to destroy it.
"The banks that spend money scanning for these apps have definitely found rogue apps using their brand," Litan said.
But typically, cybercriminals don't put a bank's brand on their rogue apps. They mimic popular apps such as games to lure consumers to download their malware.
"The bank is not going to figure that out directly," Litan noted. "They can't protect the whole world and the whole mobile ecosystem. They have to assume they're going to have rogue apps on their phones. All they can do is lock down their own patches, and if a password gets stolen or an SMS message is hijacked, try to stop the account from being taken over."
Still More Secure?
Many in the industry argue that despite newly recognized security threats, mobile banking is still more secure than online banking using a desktop computer.
"The security options available on mobile phones are stronger than they are for PCs," Litan said.
Mobile devices can make use of biometric authentication and device ID to check the user's and device's identity. They can provide push notifications, giving the user the chance to catch a fraudulent transaction immediately. They can use GPS to see if a transaction location matches the user's location. They can conduct behavior analytics on the user's touchscreen taps.
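As an added illustration (not code from the article or from any bank or vendor it mentions), the following Python sketch shows how two of the controls just listed, device ID and transaction-location matching, can be combined into a single risk decision on the bank's side. The enrolled-device registry, the "last seen" coordinates, the user name and the speed and distance thresholds are all constructed sample values.

```python
import math
from dataclasses import dataclass

# Constructed sample data: devices bound to a user at enrollment, and the last
# location/time the bank observed each device (e.g. from a confirmed session).
ENROLLED_DEVICES = {
    "alice": {"dev-aaaa-1111"},
}
LAST_SEEN = {
    # device_id -> (latitude, longitude, unix timestamp); New York, constructed
    "dev-aaaa-1111": (40.7128, -74.0060, 1_700_000_000),
}

# Assumed thresholds (tunable policy, not from the article).
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than an airliner -> "impossible travel"
STEP_UP_DISTANCE_KM = 50.0        # farther than this from last seen -> second factor


@dataclass
class Transaction:
    user: str
    device_id: str
    lat: float
    lon: float
    ts: int  # unix seconds


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess(tx, enrolled=ENROLLED_DEVICES, last_seen=LAST_SEEN):
    """Return (decision, flags) for a transaction.

    decision is one of:
      "allow"                 - known device, location consistent with history
      "step_up_auth"          - known device but a long way from last seen
      "hold_and_push_confirm" - unknown device or physically impossible travel;
                                hold the transaction and push-notify the user
    """
    flags = []

    # Device-ID check: the device must be one the user enrolled.
    if tx.device_id not in enrolled.get(tx.user, set()):
        flags.append("unknown_device")

    # Location check: compare against where this device was last seen.
    prev = last_seen.get(tx.device_id)
    if prev is not None:
        plat, plon, pts = prev
        dist_km = haversine_km(plat, plon, tx.lat, tx.lon)
        hours = max(tx.ts - pts, 1) / 3600.0
        if dist_km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            flags.append("impossible_travel")
        elif dist_km > STEP_UP_DISTANCE_KM:
            flags.append("location_mismatch")

    if "unknown_device" in flags or "impossible_travel" in flags:
        decision = "hold_and_push_confirm"
    elif flags:
        decision = "step_up_auth"
    else:
        decision = "allow"
    return decision, flags


if __name__ == "__main__":
    # Same device, a couple of kilometres away, one hour later: allowed.
    print(assess(Transaction("alice", "dev-aaaa-1111", 40.7306, -73.9866, 1_700_003_600)))
    # Same device reporting London one hour after New York: impossible travel.
    print(assess(Transaction("alice", "dev-aaaa-1111", 51.5074, -0.1278, 1_700_003_600)))
```

The point of holding rather than silently blocking is the one the article makes about push notifications: the legitimate user sees the attempt immediately and can confirm or deny it, which also gives the bank a signal it otherwise lacks when a password or SMS passcode has been captured on the phone.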
Yet obviously cybercriminals are training more attention and resources on mobile banking.
In addition to security measures like strict policies about app downloads and app scans, education and warnings about rogue apps may help defeat the problem.
However, as we've seen with phishing, no matter how much awareness training you do, people still get fooled. And some rogue apps, like Perfect365, don't trigger any red flags.
"It was in the normal app store, it was a five-star app with tens of millions of downloads, there was nothing about it that looked suspicious," Kalember said.
Maybe eventually we'll get to the point where we do serious things like mobile banking on one device and fun things like playing games on another. Meanwhile, bank IT teams should look out for signs of rogue apps.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.