RiskIQ’s Q1 Mobile Threat Landscape Report finds cryptocurrency and feral apps dominate; malicious apps in global app stores decline

Key Findings:

• Cryptomining apps are on the rise
• Feral apps are down but still the most blacklisted type of app
• Total apps increase, but the blacklist gets shorter
• Certain permissions are indicators of threat activity

RiskIQ, the global leader in digital threat management, today released its Mobile Threat Landscape Q1 2018 Report, which analysed 120 mobile app stores and more than two billion daily scanned resources. The findings showed that taking advantage of the popularity and volatility of the cryptocurrency landscape is paying off for threat actors via the mobile attack vector and that malicious apps leveraged by nation-state actors are becoming more prominent.

In March, an app called Calendar 2, which appeared in the Apple App Store, began mining Monero digital currency on user devices. Although the app disclosed this activity and offered the option for users to pay fees instead — or use the app with all advanced features disabled — the app developers set mining as the default option, which meant users would have to opt-out rather than opt-in. The app described mining as “free” for the user, which is misleading because of the significant energy and computing costs associated with mining activity. Ultimately, bugs that caused the app to continue mining, despite users opting out and used excessive CPU usage, caused the developer to pull the app from the store after a short period.

Also in Q1, RiskIQ issued an alert warning of blacklisted apps masquerading as or associating themselves with Bitcoin exchanges, Bitcoin wallets, or just “cryptocurrency” in general. These are indicative of the rise of digital currencies and their attractiveness as an income stream for both crooks and legitimate businesses.

The report also showed that malicious mobile apps continued to decline, despite the number of total apps observed by the company increasing over the last four quarters. In Q1, 21,948, or 1.4%, of the total of 1,508,825 newly observed apps were blacklisted, which is a lower percentage than in the previous four quarters.

The numbers of blacklisted feral apps declined for the fourth-straight quarter, from 3,507 in Q4 2017 to 1,981 in Q1 2018, but still represents a significant portion of all blacklisted apps; forty-six percent of feral apps were blacklisted in Q1 2018. Meanwhile, Google hosted 8,287 blacklisted apps in Q1, which is consistent with previous quarters and outpaces the next most blacklisted store, AndroidAPKDescargar, by 4,595. Although the Play Store consistently had high numbers of blacklisted apps between Q3 2017 and Q1 2018, its rate of blacklisted apps has hovered around a relatively modest five percent.

The report found that many blacklisted apps shared several of the same permissions. Eighty-six percent of apps blacklisted in Q1 claimed the READ_SMS permission, which allows the app to read messages and can be used for any number of nefarious purposes, including circumventing two-factor authentication. Most of the apps that can read messages can also track location, read and write to the call log, generate alert windows, change settings and other dubious requests. Among apps blacklisted in the Google Play Store, 1,207 access the phone’s camera, nearly 800 of which also record location data and about 600 record audios.

For specific metrics or to learn more, download the RiskIQ Mobile Threat Landscape Q1 2018 Report here: https://www.riskiq.com/research/2018-q1-mobile-threat-landscape-report/

Key Findings:

• Cryptomining apps are on the rise
• Feral apps are down but still the most blacklisted type of app
• Total apps increase, but the blacklist gets shorter
• Certain permissions are indicators of threat activity

RiskIQ, the global leader in digital threat management, today released its Mobile Threat Landscape Q1 2018 Report, which analysed 120 mobile app stores and more than two billion daily scanned resources. The findings showed that taking advantage of the popularity and volatility of the cryptocurrency landscape is paying off for threat actors via the mobile attack vector and that malicious apps leveraged by nation-state actors are becoming more prominent.

In March, an app called Calendar 2, which appeared in the Apple App Store, began mining Monero digital currency on user devices. Although the app disclosed this activity and offered the option for users to pay fees instead — or use the app with all advanced features disabled — the app developers set mining as the default option, which meant users would have to opt-out rather than opt-in. The app described mining as “free” for the user, which is misleading because of the significant energy and computing costs associated with mining activity. Ultimately, bugs that caused the app to continue mining, despite users opting out and used excessive CPU usage, caused the developer to pull the app from the store after a short period.

Also in Q1, RiskIQ issued an alert warning of blacklisted apps masquerading as or associating themselves with Bitcoin exchanges, Bitcoin wallets, or just “cryptocurrency” in general. These are indicative of the rise of digital currencies and their attractiveness as an income stream for both crooks and legitimate businesses.

The report also showed that malicious mobile apps continued to decline, despite the number of total apps observed by the company increasing over the last four quarters. In Q1, 21,948, or 1.4%, of the total of 1,508,825 newly observed apps were blacklisted, which is a lower percentage than in the previous four quarters.

The numbers of blacklisted feral apps declined for the fourth-straight quarter, from 3,507 in Q4 2017 to 1,981 in Q1 2018, but still represents a significant portion of all blacklisted apps; forty-six percent of feral apps were blacklisted in Q1 2018. Meanwhile, Google hosted 8,287 blacklisted apps in Q1, which is consistent with previous quarters and outpaces the next most blacklisted store, AndroidAPKDescargar, by 4,595. Although the Play Store consistently had high numbers of blacklisted apps between Q3 2017 and Q1 2018, its rate of blacklisted apps has hovered around a relatively modest five percent.

The report found that many blacklisted apps shared several of the same permissions. Eighty-six percent of apps blacklisted in Q1 claimed the READ_SMS permission, which allows the app to read messages and can be used for any number of nefarious purposes, including circumventing two-factor authentication. Most of the apps that can read messages can also track location, read and write to the call log, generate alert windows, change settings and other dubious requests. Among apps blacklisted in the Google Play Store, 1,207 access the phone’s camera, nearly 800 of which also record location data and about 600 record audios.

For specific metrics or to learn more, download the RiskIQ Mobile Threat Landscape Q1 2018 Report here: https://www.riskiq.com/research/2018-q1-mobile-threat-landscape-report/