In 2020, the global COVID-19 crisis forced millions of Americans online, with remote work and e-learning becoming the new normal. Due to the increase in mobile usage, companies across all sectors rushed to develop apps that could replace in-person activities. These factors presented a variety of opportunities for hackers to use mobile apps as an attack vector.
Mobile app threats in 2020 ranged from direct exploitation of app security flaws to reverse engineering and spoofing apps to target users unaccustomed to or overwhelmed by using apps. These mobile app threats were recognized by law enforcement agencies, with the FBI noting a major spike in reports to its Internet Crime Complaint Center, from 1,000 a day pre-COVID to 3,000-4,000 a day.
It remains uncertain whether the move to mobile and remote working will become permanent. But in terms of app security, the expertise and malware developed by hackers in 2020 mean that mobile apps continue to face major risks in 2021. To understand the security challenges ahead for mobile app developers and distributors, we’ll take a closer look at the notable mobile app threats that arose this year.
Mobile app security threats: 2020
Banking and financial services
Amidst the COVID pandemic, banks and financial institutions moved many services online to reduce physical footfall and contact at branches. As a result, mobile banking apps saw a 50% increase in usage from the start of 2020. Along with the potential value of stolen information, the rise in inexperienced mobile banking users made them a major target for hackers. The FBI even released a statement declaring that they expected “cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps.”
Mobile banking app threats included both new approaches and older malware that was updated to circumvent security measures. The two main variants of mobile app threats to banking and financial institutions are 1) fake banking apps that look just like trustworthy ones and 2) trojans that infect real banking apps and use them to gain access to devices.
A prime example is the Cerberus banking trojan. A malicious app distributing the trojan was discovered on Google Play, masquerading as a legitimate currency converter. The complex malware has a number of features to avoid detection and, once deployed, creates an overlay screen where users enter their banking details. In response to advised security measures such as two-factor authentication (2FA), a new variant of the trojan distracts users while it steals 2FA codes sent by SMS. The malware attacked hundreds of apps, including Bank of America Mobile Banking and Capital One Mobile.
Other attack varieties included the mass collaboration of hackers to attack Latin American banking users, banking malware that exploited Android’s Accessibility services, and an evolution in the widespread Anubis banking malware that allows attackers to avoid detection by recognizing when a user is looking at the screen.
Attacks on healthcare
Health service providers were already a major target for hackers due to the multiple endpoints that could be used to gain entry, along with the high value of stolen medical records. But with health services stretched to a breaking point by the global pandemic, one of the ugliest tenets of cybercrime came to the fore: organizations that are stressed or in crisis are more likely to pay data ransoms.
Over the past year, this trend increased, with hackers taking advantage of the health crisis to infect hospitals and other points of care with ransomware. These attacks encrypt health records and files and demand payment to decrypt them again. Ryuk ransomware hit the hardest in 2020, with attackers using a variety of vectors to infiltrate systems before dropping their payload. Last year also saw an evolution to double extortion ransomware, where attackers not only encrypt the data but also steal it, using it to pressure the victim organization into paying the ransom. In one example, a fraudulent COVID tracking app was used to deliver a double extortion attack.
Legitimate contact tracing apps also gave cause for concern, with their development rushed in many cases. Apps from the US, the UK, and across the world were found to contain a large number of vulnerabilities, putting user data at risk and potentially giving attackers backdoor access to devices.
The need for socially distanced healthcare and the subsequent explosion in telemedicine brought its own set of risks in 2020. A recent study by SecurityScorecard of the 148 most-used telehealth vendors found a 30% increase in security alerts.
Pharmaceutical mobile app threats
Related to the assault on healthcare providers was the rise in mobile app threats facing the pharmaceutical industry. Intellectual property and data theft attempts rose due to the global race to discover effective vaccines against COVID. Research found that attacks on pharmaceutical mobile devices led to a 106% increase in malware delivery. This malware could then be used to infect any networks the devices were connected to and steal data on pharmaceutical research and intellectual property.
Some threats come from coding flaws in the pharma apps themselves. Walgreens disclosed a major data breach due to an internal error in its mobile app messaging, which exposed private data including names, prescription information, store numbers, and shipping addresses.
Communications apps under attack
As millions of people moved to remote working, communication apps became even more important. Cybercriminals took note and sought to attack apps like WhatsApp, Telegram, Skype, and Zoom. A new variant of Rana malware included the ability to spy on victims’ Skype, Instagram, and WhatsApp messages. Another surveillanceware discovered last year, Monokle, was delivered by reverse engineering a popular app such as Skype or Signal, injecting the malware, and repackaging the app for distribution. This malware could then be used to read victims’ messages, track their movements, and steal personal information.
Other attacks, like Charming Kitten, were designed to detect and exfiltrate the login details of mobile apps like Telegram, which could then be used to steal data or commit fraud.
How to protect against mobile app threats
Mobile app threats rose significantly in 2020 and will likely continue to do so post-COVID as cybercriminals seek to exploit the malware they’ve developed for further profit. Embedding defense mechanisms into mobile apps has become essential to a defense-in-depth security strategy.
At Intertrust, we have extensive experience and an industry-leading suite of application security solutions. Learn more about how we protect your apps, your business, and your customers through advanced application and key protection here, or get in touch with our team.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.