BlackBerry has not pulled any punches in publishing a heavyweight report into the “prolific and pervasive” government spyware it says is being spread far and wide by the official Android and iOS app stores. Setting out to paint the “big picture” on mobile malware, BlackBerry’s Cylance research team has collated examples—some old, some new—to emphasise the point. “Consumers are labouring under a false sense of security with the app stores,” BlackBerry exec Brian Robison told me as we discussed the report. “I don’t trust apps,” he said, “period.”
According to Robison, “hundreds” of such apps have circumvented Apple and Google security measures. Now BlackBerry wants consumers to be in no doubt that they cannot treat everything available on the official stores as safe. “I would advise them to keep their spidey senses active,” he told me.
Neither Apple nor Google provided a comment on this story before publication, although Apple emphasised the company’s security credentials, the safety of its App Store, its efforts to detect malware and keep it from being published, and its measures to prevent untrusted apps from being installed and launched on devices. Apple also pointed out that the report does not include any specific evidence related to apps on the App Store.
What the report does include is examples of mobile cyberattack vectors going back years, charting the early days of China’s APT groups, Iran’s recent rise through the ranks, North Korea’s attacks on its southern neighbour and, more surprisingly, a raft of activity in Vietnam. Almost all the examples have been published before, but not together as they are here. There are some new findings (attacks on Pakistan’s military, for example), but the detailed chronology is not the point of the exercise.
Some of the cyberattack campaigns covered in the report are state-on-state—China spying on Mongolia and Russia, North Korea on South Korea, Vietnam on its neighbours, China and Iran on internal and external dissenters. Others focus on industrial targets—many in the U.S., covering chemical, oil and gas, pharmaceutical and defense companies. But when I asked Robison for his summary of the most compelling findings, he immediately moved past “the detail in the report” to the “bigger picture that the report highlights—today, as consumers, we live in this false sense of security that the app stores are doing significant due diligence to protect us.” Consumers, he said, don’t appreciate the risks.
Most reported examples of mobile malware are click, advertising and subscription fraud: irritating for users and costly for advertisers, but not usually dangerous. There are far more malicious strains of commercial malware—credential theft, scraping of login screens, exfiltration of data, tracking and logging—which are rarer, but can still affect large numbers of devices. “We’ve seen lots of mobile malware that’s trying to drive ad revenue,” Robison acknowledges, “but malware that’s malicious, trying to track you or turn on your camera and microphones, that’s what this report highlights.”
BlackBerry’s researchers warn that the immaturity of the mobile security market has left it wide open to attack, notwithstanding the efforts of Google and Apple to lock down their ecosystems. The report points out, as other recent reports have, that the willingness of organisations to allow employees’ personal mobile devices to connect to corporate systems, networks and services presents a huge risk.
“People don’t have their guards up as much with mobile devices as with their laptops or desktops or with attachments from unknown people,” Robison told me. “They are very cavalier about downloading apps from app stores onto their devices.” The same caution now being applied to attachments and emails, “people seem to throw out the window when talking about their phones or tablets.”
Robison explained that this was the driver for the report. “Public research into the mobile malware threat posed by governments has been scattershot at best and maladroit at worst.” Governments, the report says, have developed “native Android and/or iOS mobile malware… employed in both stand-alone campaigns targeting mobile devices as well as incorporated into cross-platform mobile/desktop espionage campaigns.” And it’s not new. These activities “have been ongoing for a decade or more… but have only recently garnered attention.”
According to Robison, the prime targets for such mobile malware attacks are political dissenting groups and individuals, but the attacks can be more widespread, keeping tabs on citizens at scale—although when I asked what that scale might be, no data was available. “The biggest thing it means to us as consumers,” he explained, “is we’ve been living with this false sense of security that everything on the app stores is safe and therefore anything you install is good to go.” But it isn’t. The malware, the government spyware, he says, “it’s pervasive—it exists in the real world.”
Inevitably, social engineering figures heavily in the discussion. “Why attack you at work, where you’re likely surrounded with security tools, when I can attack you on the personal side where you’re much more cavalier about installing random apps from an app store,” Robison said. Government spyware apps “are designed to look legitimate and make you excited to install them, whether it’s a dating app or a graphics driver.”
BlackBerry says it has seen “hundreds of malware samples,” some of which have been around for more than a decade. “They’re happening today,” Robison says, “with live threat actors.” He also told me that during the research the team communicated with one such threat actor, trying to get access to the malware, “but they broke off the communication—probably because we didn’t fit their target profile.”
BlackBerry warns that “the ability of state and state-sponsored APT groups to develop and deploy mobile surveillance campaigns, within their existing cyber espionage efforts, has outpaced the security industry’s ability to detect and deter this malware on the endpoints.” The same point is also true for malware more broadly.
“As consumers,” Robison told me, “we need to be aware that things on the app stores can harm us. I don’t think general consumers, especially in the U.S., understand that. We all know that if you jailbreak your device or sideload apps it can be questionable, but the public stores are also a problem.” Although BlackBerry focuses on government spyware, the point is wider. There is more commercial malware being pushed out than government spyware. The channels are the same. The apps look the same. And the sophistication, for all but the highest-level attacks, is roughly the same.
Ultimately, what this report does is highlight in one document what the raft of recent disclosures has shown collectively: that the mobile malware landscape is real and getting worse. The dark web is overrun with malicious code for sale. And while most of this is relatively benign for users, there are plenty of examples that are not. As long as consumers glibly install trivial apps without a thought for the safety of their devices, the issue will continue to get worse.
The use of such mobile malware by governments is not new—the report acknowledges that such attack vectors date back years. What is new, though, is an increasing level of public awareness—the recent WhatsApp hack, China’s campaign against its Uighur minority, NSO’s spyware for hire. And while not making us any safer in itself, if that awareness leads to more caution in what we download then we will be safer for it.
In the meantime, Google and Apple continue to fight to prevent thousands of dangerous apps from hiding in amongst millions of legitimate ones. And within those thousands of unsafe apps, there are hundreds of truly malicious ones. The haystack and the needle have both been defined, but that doesn’t make the challenge any less difficult or the threat any less real.