In an era dominated by mobile technology, the threat landscape has evolved to include insidious dangers lurking within seemingly innocuous applications. Harvester and Privileged (Backdoor) Apps represent two significant categories of these threats, exploiting user permissions and embedding data-collection mechanisms within mobile devices, respectively. The ramifications extend far beyond mere inconvenience; these apps serve as conduits for mass data collection, facilitating targeted attacks with alarming ease.
Harvester Apps
Unlike complex network breaches, obtaining data through apps requires merely requesting permissions, which users often grant without much consideration. Harvester apps collect information such as contact details, texts, photos, location information, and more. Harvesting data with a mobile app is legal and simple, making it ideal for mass data collection from billions of users. Furthermore, knowledge of users’ preferences and behaviors facilitates spear phishing campaigns, allowing attackers to target exactly who they want with the exact prompts that will resonate with them.
Privileged (Backdoor) Apps
Data-collection mechanisms can be embedded within mobile devices, intentionally or inadvertently, along the supply chain. This allows for comprehensive data access at a lower level on the device, granting advantages such as complete compromise of all data on the device, persistence without being affected by updates, and difficulty in detection due to operating below the level of protection provided by operating system providers. Unlike apps that require user permission, these mechanisms operate at the base level of the device upon purchase, bypassing controls imposed by operating system providers.
Real-World Examples of Harvester & Privileged (Backdoor) Apps
In 2016, Quokka, then Kryptowire, discovered a $50 phone, the top seller on Amazon, that was extracting users’ text messages and GPS coordinates every 72 hours and sending the data to China. This device also had remote command and control capabilities, enabling searches for specific information on users’ devices. Despite being sold under Amazon’s brand and distributed in the US, the phone was manufactured in a location where security risks were present in the supply chain.
The #1 document scanning app in the App Store is a seemingly trustworthy app with high ratings and millions of users. Despite its popularity, deeper inspection reveals alarming findings: the app communicates with high-risk locations, including numerous connections to China. Moreover, its privacy policy openly states that user-generated content, such as scanned documents, is collected. Despite being readily available on app stores and having seemingly transparent privacy policies, these apps often exploit user data for undisclosed purposes. In this case, the data collected would provide plenty of information for a thoughtful spear phishing attack.
A spam call blocking app is another example of a seemingly trustworthy app, boasting millions of downloads and a high rating. The app accesses sensitive data like SMS messages and phone calls, as one would expect. However, upon closer inspection, it’s revealed that the app programmatically leaks this data. This flaw likely stems from development oversight rather than intentional malice.
How can organizations protect themselves from app threats?
Quokka’s Q-scout solution provides this app security intelligence and integrates with Mobile Device Management (MDM) solutions, enabling IT teams to set and enforce policies to secure their mobile environments. By updating network defenses such as firewalls and VPNs to block IP addresses and domain names associated with these apps, organizations can mitigate potential threats. And finally, organizations should educate users about the risks posed by such applications, as awareness is key to preventing data theft.
How can app developers be sure they don’t unintentionally include risky code?
Quokka has discovered instances of Russian or Chinese connections found within government-developed applications, highlighting supply chain vulnerabilities. These connections arise from developers sourcing code from online stores and repositories, providing opportunities for attackers to infiltrate the development process. Quokka’s Q-mast delivers defense-grade mobile app scanning capabilities, leveraging extensive threat research to identify zero-day vulnerabilities and deliver unsurpassed insights. Q-mast enables security and development teams to proactively mitigate issues early in development, saving costs and minimizing exposure to zero-day attacks.
To learn more about Harvester & Privileged (Backdoor) apps, watch Chris Gogoel’s presentation from GITEC 2024 here. To learn more about leveraging Quokka’s solutions to protect your organization, contact us.
