Take these numbers from September 2023, for example:
Malware attacks – 302,004
Debugging attempts – 55,298
Hooking attempts – 42,148
So, what is this data telling us (apart from the frightening numbers alone – particularly for malware attacks)?
Before we dive in, a quick note:
This data is from September 2023 and comes from the 10 apps secured by DexProtector with the greatest number of users or installations. So, we’re not claiming these numbers are representative of all attacks mobile apps are facing. But it’s an interesting pointer to what attackers are looking to target.
Early prevention is the key to stopping sophisticated attacks
Typically, attackers use debuggers, along with Frida and similar hooking frameworks, to perform dynamic analysis of target apps. This is the first step they take before implementing their findings in malware.
This is true for both Android and iOS. And it helps to explain why DexProtector’s runtime engine protection mechanism is so important. Being able to stop dynamic attacks in their early stages prevents more severe, sophisticated attacks later on, with malware being a particularly pertinent example.
The resurgence of Xposed
The Xposed framework has become one of the most popular Android modification frameworks on the market alongside Magisk. This is something of a surprise because, until recently, attacks involving Xposed (one of the oldest frameworks of its kind) were rare.
What we’ve seen in recent months is Xposed often being used as an add-on module for Magisk in a number of related incidents. Of 40,000 attacks successfully prevented by DexProtector’s Runtime Engine, approximately 97% had active Xposed or LSPosed modules.
The danger of fake GPS modifications
DexProtector’s built-in anti-malware functionality enables us to observe the potentially harmful threat landscape visible on end users’ devices. In addition to well-known malware aimed at stealing user data, there are more subtle dangers. One of these involves fake GPS modifications such as com.rosteam.gpsemulator, which was responsible for 15,000 attacks.
While these modifications might not seem hazardous at first glance, their presence can have critical consequences for the security of authentication apps and financial apps. That’s because such apps often use geolocation as part of their "know your customer" (KYC) checks or fraud-prevention algorithms, and a spoofed location feeds those checks false data.
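As an added illustration of what an app can do on its own side before trusting a location reading for a KYC or fraud check, the Kotlin below combines three signals: the framework's own mock flag on the fix, the set of installed packages that request the permission a fake GPS app needs, and the age of the fix. This is example code written here, not DexProtector's or any vendor's logic, and it assumes an ordinary Android app Context and standard platform APIs.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.location.Location
import android.os.Build

/** True when Android itself flags this fix as coming from a mock provider. */
@Suppress("DEPRECATION")
fun isMockLocation(location: Location): Boolean =
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) location.isMock
    else location.isFromMockProvider

/**
 * Lists installed packages that request ACCESS_MOCK_LOCATION, the permission
 * an app must declare to feed fake fixes into LocationManager.
 * On Android 11+ only packages visible under the package-visibility rules
 * (a <queries> element or QUERY_ALL_PACKAGES) are returned.
 */
fun installedMockLocationProviders(context: Context): List<String> {
    val pm = context.packageManager
    return pm.getInstalledApplications(0)
        .map { it.packageName }
        .filter { pkg ->
            runCatching {
                pm.getPackageInfo(pkg, PackageManager.GET_PERMISSIONS)
                    .requestedPermissions
                    ?.contains("android.permission.ACCESS_MOCK_LOCATION") == true
            }.getOrDefault(false)
        }
}

/** Result of the trust assessment; reasons are empty when the fix looks genuine. */
data class LocationTrust(val trusted: Boolean, val reasons: List<String>)

/** Assumed threshold (example value): fixes older than a minute are treated as stale. */
const val MAX_FIX_AGE_MS = 60_000L

fun assessLocation(context: Context, location: Location): LocationTrust {
    val reasons = mutableListOf<String>()
    if (isMockLocation(location)) reasons += "fix flagged as mock by the framework"
    val providers = installedMockLocationProviders(context)
    if (providers.isNotEmpty()) reasons += "mock-location capable apps installed: $providers"
    // A replayed or frozen fix often carries an old timestamp.
    val ageMs = System.currentTimeMillis() - location.time
    if (ageMs > MAX_FIX_AGE_MS) reasons += "fix is ${ageMs / 1000}s old"
    return LocationTrust(trusted = reasons.isEmpty(), reasons = reasons)
}
```

None of these signals is conclusive on its own, so a server-side fraud engine should treat the reasons list as risk input rather than a hard block.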