According to Symantec’s latest Internet Security Threat Report, “17% of all Android apps (nearly one million total) were actually malware in disguise.”
In 2013, Symantec uncovered roughly 700,000 virus-laden apps. Well, not malware per se: they refer to these apps as “grayware” or “madware”, mobile software whose primary purpose is to bombard you with ads.
According to Symantec, it’s pretty easy to avoid infection if you obtain your apps from a trusted source, like the Google Play Store.
This isn’t entirely accurate, as you will see below. I will describe a new kind of threat on the app layer, one not yet picked up by other security companies.
Symantec doesn’t say how many of the 1 million+ malware apps were found in the Play Store, but Symantec’s Director of Security Response, Kevin Haley, says the number is probably quite low:
“Google does a good job of keeping malware out of the Store. And if a malicious app does make it in there, they do a good job of finding it and getting rid of it. On the other hand, if you visit alternate Android app markets, download apps from app makers’ websites, get them via email links, or find them on BitTorrent sites, you run a much greater risk of infecting your phone.”
Like other legacy security companies, Symantec has left out a very important element within the mobile stack: the WebView.
100% of hybrid apps use a WebView, and almost every native app built today uses one so end-users can view web pages without having to close the app to open a native browser.
A Google search for “Secure WebView” returns results that indicate serious problems with the security of WebView. There’s one specific security threat that I’m concerned with: malicious links, and links to unwanted content such as websites labeled NSFW. Before I go into this, I’d like to explain what a WebView is and how it can be used to lure end-users into following malicious links that either steal their personal and corporate data or, worse, install malware, spyware, ransomware, grayware or madware in the background without the end-user’s knowledge.
A closer look at WebView
A WebView is an essential component on mobile operating platforms such as Android and iOS. A WebView is a class used to access or display content from the Web on any mobile device using anything other than a commercial web browser. A WebView enables web content to be displayed inside mobile apps. For example, application developers can use WebView to display web content inside an app instead of redirecting users to the native browser. This also allows developers to offer users an integrated experience because they don’t need to close the app and open a web browser in order to view the web content.
WebView was originally designed only to display web content inside an app, so its security infrastructure didn’t support many of the things developers use it for today. There is an increasing trend towards developers building “hybrid” apps that look like native apps but are in fact built entirely around a WebView, using technologies such as HTML and CSS. This gives us hundreds of thousands of apps with browser-like capability, most of which are not developed by well-recognized companies and whose trustworthiness may be questionable.
Since WebView was first created, app usage has grown exponentially, so WebView is being used by an ever larger number of users.
A browser is a critical component in the Trusted Computing Base (TCB) of the Web: web applications rely on the client side of browsers to secure their cookies, HTTP requests, JavaScript code and so on. We use selected browsers such as Firefox, Chrome, Safari and Opera because we trust that they can serve as a TCB. When using hybrid applications that act like “browsers”, that trust is gone. Therefore, WebView has weakened the TCB of the Web infrastructure.
However, the design of WebView also changes the landscape of the Web, especially from the security perspective. As a result, many attacks can be launched inside legitimate apps and not just by them. The Web’s security infrastructure can be weakened when a WebView and its Application Programming Interfaces (APIs) are used, because WebView does not have security-related identity indicators. In other words, end-users cannot identify whether a link has taken them to the expected web page or web application. Thus, when a user is accessing web content through WebView and the web page asks the user for confidential information such as a username, password or credit card number, the confidential information entered by the user will be vulnerable to phishing attacks. Attackers can spoof users using illegitimate applications with high accuracy, meaning that there is a high risk of phishing attacks on mobile platforms.
Fueled by widespread adoption of employee-owned devices in the workplace and the explosion of mobile applications, mobile device security is an increasing threat to personal privacy. Businesses and government agencies are at risk with employees using their own devices to access some of the most sensitive data in an organization.
Accordingly, there exists a need for an improved method which not only allows users of WebView to readily identify whether a web page is safe, but also allows them to readily identify the level of security, thereby increasing users’ confidence in performing secure transactions over WebView.
There is a need for an improved security method which protects users and their personal data from malicious web sites or phishing attacks while they are accessing a web page through WebView. And there is a need for an improved security method which offers users the ability to block content that they deem inappropriate for themselves or the people for whom they are responsible while using WebView.
Zero protection against malicious links on mobile
As Symantec suggests, end-users can download malicious apps from various locations, via a store, email or browser; it doesn’t matter where they are hosted. But it’s also very easy for cybercriminals to install them in the background through legitimate apps with a WebView, without the user’s knowledge. Desktop browsers provide good protection against malicious links, so when you click on a link inside your email, you have some protection.
There is zero protection against malicious links on mobile. Apps don’t provide protection. And no mobile browser offers any form of protection against malicious links or unwanted content.
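The two gaps described above, the missing identity indicator and the missing check on links, can both be closed at the app layer by the app that owns the WebView. The following is an added example, not code from this post or from MetaCert: an Android WebViewClient that runs a check on every link the WebView is about to follow, refuses non-web schemes and certificate errors, and writes the scheme and host actually being loaded into a TextView so the user sees what the WebView hides. The BLOCKED_HOSTS set is a constructed stand-in for a link-classification service, and the example.test hostnames are made up.

```java
import android.graphics.Bitmap;
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.TextView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** WebViewClient that checks each navigation and shows the user where the WebView really is. */
public class CheckedWebViewClient extends WebViewClient {
    // Constructed stand-in for a real link-classification service (hypothetical hostnames).
    private static final Set<String> BLOCKED_HOSTS =
            new HashSet<>(Arrays.asList("phish.example.test", "unwanted.example.test"));
    private final TextView indicator; // the app's own "address bar", since WebView has none

    public CheckedWebViewClient(TextView indicator) { this.indicator = indicator; }

    /** True if the URL must not be loaded: non-web scheme, no host, or a classified host. */
    static boolean shouldBlock(String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return true;               // javascript:, data:, malformed
        if (!scheme.equals("http") && !scheme.equals("https")) return true; // file:, intent:, ...
        return BLOCKED_HOSTS.contains(host.toLowerCase());
    }

    // Called for links the user follows and for redirects, NOT for the app's own loadUrl():
    // the app must call shouldBlock() itself before the first loadUrl().
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (shouldBlock(url)) {
            indicator.setText("Blocked link: " + url);
            return true;  // consume the navigation; the WebView stays on the current page
        }
        return false;     // let the WebView load it
    }

    @Override
    public void onPageStarted(WebView view, String url, Bitmap favicon) {
        Uri uri = Uri.parse(url); // fires for every main-frame load, including the initial one
        indicator.setText(uri.getScheme() + "://" + uri.getHost()); // e.g. "https://bank.example.test"
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel();  // same as the default: never proceed past a certificate error
        indicator.setText("Certificate error: page not loaded");
    }
}
```

The http/https distinction in the indicator is the “level of security” cue the post asks for; showing the host is what lets the user notice a page that is not the one they expected.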
This is the reason MetaCert makes it easy for developers to make their apps more secure. MetaCert provides a thin but powerful layer of security with the Security API service. AppMakr.com, a DIY app building platform with over 2 million apps published by 1.5 million publishers, was the first app platform to integrate our API service.
Publishers are now offered MetaCert’s security services for blocking malicious links and links to sites that have been classified as nsfw.
Last month, 44% of apps published on AppMakr signed up for at least one of MetaCert’s Security API services. Of those, 74% signed up for both malware & phishing protection and pornography blocking. This tells us that publishers want to add security to their apps in order to protect their end-users from malicious attacks and unwanted content.
Appery.io, a leading app making platform with over 200,000 developers, just launched with our Security API, now offered to developers as a “Security plug-in”, making it easy for developers to protect end-users from malicious attacks. You can read their blog post about the plug-in and watch a short video on how easy it is to integrate the Security API inside an app.
MetaCert was the first company to offer a security service on the app layer to help protect consumers from malicious links and unwanted content. Google announced its Safe Browser API for apps only a few weeks ago. And for some reason, they don’t use their own Safe API for Chrome. Weird.
Read more about the MetaCert Security API here.