Researchers at Appthority and Proofpoint recently came across two mobile threats that pose a particular risk to enterprise users and financial institutions. While both should be easy to block with best practices and user education, both are having a significant impact.
Appthority researchers discovered a massive data exposure vulnerability, which they’re calling Eavesdropper, that impacts 685 apps used in enterprise environments. The flaw comes from the use of hard-coded credentials in mobile apps using the Twilio REST API or SDK.
“By hard-coding their credentials, the developers have effectively given global access to all metadata stored in their Twilio accounts, including text/SMS messages, call metadata, and voice recordings,” Appthority senior director of security research Michael Bentley wrote in a blog post on the findings.
The vulnerability could provide attackers with access to a wide range of sensitive information on a target company’s business activities, leveraging the data either for insider trading or for extortion.
Crucially, Bentley noted, the vulnerability doesn’t require a jailbreak or malware attack — it’s caused simply because the app developers have failed to follow Twilio’s guidelines for secure use of credentials.
The researchers discovered the issue in April 2017 and notified Twilio in July. The affected apps (56 percent iOS and 44 percent Android) were associated with 85 Twilio developer accounts. As of the end of August 2017, 75 of the apps were still available on Google Play and 102 were on Apple’s App Store. The affected Android apps had already seen as many as 180 million downloads.
According to Bentley, the flaw has been present since 2011, and the potential scope of the exposure is massive. “The exposed data could potentially contain anything from contract negotiations, pricing discussions or confidential recruiting calls, to proprietary product and technology disclosures, health diagnoses, market data and M&A planning,” he wrote.
Tim Erlin, vice president of product management and strategy at Tripwire, told eSecurity Planet that the solution for threats like these is simple: don’t use hard-coded passwords for app development. “The challenge is that this advice is not just best practice, yet some developers still haven’t gotten the message,” he said. “App developers really need to educate themselves on secure software development practices in order to prevent vulnerabilities like this one.”
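As an added example (not code from the article, Appthority or Twilio), here is a defender-side check for the defect behind Eavesdropper: a scanner that looks for hard-coded Twilio credentials in the string table pulled out of a mobile app binary. It relies on the documented Twilio identifier formats (an Account SID is "AC" followed by 32 hex characters, an Auth Token is 32 hex characters) and on the REST API's HTTP Basic authentication; the sample strings and credential values below are constructed, not real accounts.

```python
import base64
import re

# A Twilio Account SID is "AC" + 32 hex characters; an Auth Token is 32 hex
# characters. The REST API authenticates with HTTP Basic auth, so an app that
# embeds its credentials may also carry the "sid:token" pair as one base64
# literal in the binary.
SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
PAIR_RE = re.compile(r"^(AC[0-9a-fA-F]{32}):[0-9a-fA-F]{32}$")
B64_RE = re.compile(r"[A-Za-z0-9+/]{88,}={0,2}")


def find_twilio_credentials(text):
    """Return (kind, value) findings from an app's extracted strings.

    kind is 'sid' (Account SID), 'token' (32-hex literal, reported only when a
    SID is also present, because a bare 32-hex string is more often a hash)
    or 'basic_pair' (base64 "sid:token" Basic-auth literal; value is the SID).
    """
    findings = [("sid", m.group(0)) for m in SID_RE.finditer(text)]
    if findings:
        findings += [("token", m.group(0)) for m in HEX32_RE.finditer(text)]
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not printable text: skip
        pair = PAIR_RE.match(decoded)
        if pair:
            findings.append(("basic_pair", pair.group(1)))
    return findings


# Constructed sample: what `strings classes.dex` might print for an app that
# ships its Twilio credentials. The SID and token are made up.
FAKE_SID = "AC0123456789abcdef0123456789abcdef"
FAKE_TOKEN = "fedcba9876543210fedcba9876543210"
SAMPLE_STRINGS = "\n".join([
    "https://api.twilio.com/2010-04-01/Accounts/",
    "Authorization",
    "Basic " + base64.b64encode(f"{FAKE_SID}:{FAKE_TOKEN}".encode()).decode(),
    FAKE_SID,
    FAKE_TOKEN,
    "com/example/app/MainActivity",
])

if __name__ == "__main__":
    for kind, value in find_twilio_credentials(SAMPLE_STRINGS):
        print(f"{kind:10s} {value}")
```

Run it over the output of `strings` on an APK or IPA payload during a pre-release review; any 'sid' or 'basic_pair' hit means the credentials belong on a backend the app calls, not in the client.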
Proofpoint researchers separately uncovered a mobile phishing campaign that’s been using the Marcher Android trojan to target customers of the Austrian banks Bank Austria, Raiffeisen Meine Bank, and Sparkasse since at least January of this year.
While Marcher is often distributed via SMS, this campaign targets victims with a phishing email that links to a genuine-looking bank login page. Once the victim has entered an account number, PIN, email address and phone number, they’re presented with a page asking them to download the bank’s “security app.”
Among the permissions requested for the “security app” are the ability to read and write from external storage, to access precise location, to read contacts data, to read and write system settings, to receive and send SMS messages, and to act as device administrator.
Once installed, the app places a genuine-looking icon on the device’s home screen — and asks for credit card information when the Google Play store is next opened.
“As our computing increasingly crosses multiple screens, we should expect to see threats extending across mobile and desktop environments,” the researchers write. “Moreover, as we use mobile devices to access the Web and phishing templates extend to mobile environments, we should expect to see a greater variety of integrated threats like the scheme we detail here.”
NuData Security vice president Robert Capps said by email that it makes sense that the campaign was launched right before the holidays. “Cybercriminals know that consumers are using their phones now more than ever, and what better time to go after people than when they are in a hurry,” he said.
“The key to cutting down on fraud is authentication and identifying a real customer versus an impostor by tracking online behavior instead of passwords, credentials or security questions, which have all been up on the Dark Web for sale,” Capps added.