McAfee Labs Threat Report – many mobile apps still vulnerable

The McAfee Labs Threat Report: February 2015 analyzes the security level of mobile apps and the evolution of the principal cyber threats.

Last year Carnegie Mellon University's CERT Coordination Center (CERT/CC) analyzed the level of security implemented by Android applications; in particular, the experts focused on Android applications that fail to properly validate SSL certificates. CERT discovered that more than 20,000 Android apps failed to validate SSL certificates, exposing their users to man-in-the-middle (MITM) attacks. The list of vulnerable applications is reported in a spreadsheet shared by the experts.

Poor programming practices on the part of app developers expose mobile users to a range of SSL/TLS weaknesses. Note that the CERT finding is a logic defect in the app itself (a trust manager or hostname verifier that accepts any certificate), not a library bug such as Heartbleed: an app that skips certificate validation is open to MITM attacks even when its TLS library is fully patched.

Early in 2015 a team of researchers at McAfee Labs followed up on the analysis published in September 2014 by CERT/CC.

Unfortunately, little has changed. According to the researchers at McAfee Labs, nearly three-quarters of the 25 most downloaded apps listed in the CERT spreadsheet are still unpatched: the McAfee Labs Threat Report: February 2015 states that 18 of the 25 most popular vulnerable apps still fail to protect the transmission of users' credentials.

“Specifically, we dynamically tested the top 25 downloaded mobile apps that had been identified as vulnerable by CERT in September to ensure that usernames and passwords are no longer visible as a result of improper verification of SSL certificates,” reads the report issued by McAfee. “To our surprise, even though CERT notified the developers months ago, 18 of the 25 most downloaded vulnerable apps that send credentials via insecure connections are still vulnerable to MITM attacks.”

The report cites as an example a mobile photo editor, with between 100 million and 500 million downloads, that is still vulnerable to MITM attacks even though CERT reported the security issue to its development team.

“The most downloaded vulnerable app in this group is a mobile photo editor with between 100 million and 500 million downloads,” the report continues. “The app allows users to share photos on several social networks and cloud services. In late January, McAfee Labs tested the most current version of the app downloaded from Google Play using CERT Tapioca; we were able to intercept the app’s username and password credentials entered to log into the cloud service to share and publish photos.”

McAfee stresses that mobile devices are widely adopted in the workplace as well, so their security is an important component of any enterprise's security policy.

“Mobile devices have become essential tools for home to enterprise users as we increasingly live our lives through these devices and the applications created to run on them,” explained Vincent Weafer, senior vice president of McAfee Labs. “Digital trust is an imperative for us to truly engage with and benefit from the functionality they can provide. Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programming practices and vulnerability responses developed over the past decade, and by doing so provide the level of protection required for us to trust our digital lives with them.”

The McAfee Labs Threat Report also confirmed a significant increase in the number of mobile malware samples, which grew 14 percent during the fourth quarter of 2014. Another element of interest is the geographic distribution of infections: the highest rates were observed in Asia and Africa. McAfee reports that at least eight percent of all McAfee-monitored mobile systems reported an infection in the fourth quarter of 2014.

The Threat Report also identifies the Angler exploit kit as the primary vector used by the criminal ecosystem to deliver malicious payloads. After the arrest of the author of the Blacole (Blackhole) exploit kit in 2013, criminal crews moved to Angler.

“An exploit kit is an off-the-shelf software package containing easy-to-use attacks against known and unknown vulnerabilities. Very quickly after the arrest of the Blacole exploit kit’s creator in 2013, cybercriminals migrated to the Angler exploit kit to deliver their payloads. Because Angler is simple to use and widely available through online dark markets, it has become a preferred method to transport malware” states the report.

Let's close this quick reading of the McAfee Labs Threat Report with a mention of Potentially Unwanted Programs (PUPs), applications that can be put to both legitimate and malicious uses.

“Potentially unwanted programs (PUPs) live in the world between nuisance and malicious malware but are becoming more and more aggressive.”

Enjoy reading this interesting report.

Pierluigi Paganini

(Security Affairs –  Mobile, McAfee Labs Threat Report: February 2015)
