One of the most dangerous things about malware is that you might not even know it’s there.
Take a trojan, for example. It doesn’t come to life straight away. Once it’s installed within your mobile, it can hide there for months, waiting for the most opportune moment.
Like when you open your mobile banking app, for example.
Then the trojan gets to work. In milliseconds it slides a fake login screen over the top of the real one. To you, the login screen looks exactly the same as it always does. So you go ahead and enter your banking details.
This is followed by a barely-perceptible switch back to the login screen for the actual app. And you log in, completely unaware that the trojan is now following your every move and harvesting your details.
A trojan is just one form of tampering attack - one of the most common threats facing mobile apps today.
Tampering attacks are particularly dangerous because of a fundamental truth - that most consumers simply trust the apps they come across on app stores.
The concept of some of them being fake or containing harmful trojans doesn’t register with the average end user.
A fear of tampering attacks might not keep the typical customer up at night. But if an attack were to succeed, then the company whose app had been compromised would definitely know about it. The impact on a business’s reputation would be almost impossible to recover from.
That’s why it’s so important to know how to prevent this type of attack.
Defining tampering attacks
Trojans often come into being because an attacker gets hold of the install packages for a legitimate app. Then, once they have them, they can decompile the app, introduce the trojan, and then generate a new install package.
They often find their way onto a user’s device via a seemingly harmless app that they’ve downloaded. This might be a weather app, a battery conservation app, or even a game. In other words, something innocent or fun.
But trojans aren’t the only form of tampering attack that can threaten a user’s device.
Tampering often goes as far as a bad actor repackaging an app and publishing it on the app store in the hope that an unsuspecting user will download it. There are more modified versions of apps on app stores than you’d think. So many, in fact, that there’s an entire industry dedicated to finding and removing them.
The starting point for creating and then publishing a fake app is to reverse engineer it. And that itself is only possible if a hacker has been able to run a static or dynamic analysis on the original app.
If an app is completely unprotected, then a hacker doesn't even need dynamic tools to carry out an attack.
The goal, then, is to stop hackers from carrying out a static attack (like decompilation, analysis, and injecting malicious code) or a more dynamic attack on your app. Do this and you’ll go a long way to preventing tampering attacks.
As we’ll explore in more detail later, you'll also want to check that nothing has been modified within the app at runtime.
Who’s at risk from tampering attacks?
The FinTech and Banking industries are particularly vulnerable to tampering attacks. They’re obviously attractive to bad actors because of the financial rewards that come with reverse engineering such apps.
Imagine if a hacker were able to repackage and then publish a mobile banking app. From the moment the unsuspecting user logs into this fake app, they’re being watched. Bad actors can harvest their account information. They can even manipulate accounts so that when the end user makes a transfer, it’s the attacker’s account the funds land in.
Typically these fake apps present the user with an error message after they try to log in. Then they use smartphone permission requests (such as access to SMS) to intercept the authorization code texted to the user, bypassing that second factor.
Research suggests that around 65,000 such apps were found on app stores in 2018. Clearly this is bad news for individual customers. But it can also be damaging to the bank itself.
As we’ve said before on this site, the damage to a bank’s reputation can be catastrophic if their defences are breached.
The video game industry has also been targeted with tampering attacks. Hackers sometimes modify the code inside mobile games - especially those with freemium content. That way they’re able to trick the app into thinking they’ve paid for additional content when they haven’t.
Worryingly, we’ve also seen recent examples of hackers tampering with industrial control systems. This is the type of attack that can put lives at risk as well as livelihoods. One malware attack against the German company Rheinmetall affected plants in the US, Brazil, and Mexico. It took the company almost a month to get its systems running back at normal capacity.
Attacks like this one are a reminder of how high the stakes are for stopping tampering attacks.
How to prevent tampering attacks
One way businesses are working to stop tampering is to sign their code. It’s now pretty much a requirement for companies to do so whenever they share code, app, or firmware updates. And it’s a solid strategy. Code signing gives businesses the ability to validate the authenticity of the code. It helps to detect if any changes have been made to the code before the app arrives at the end user’s device.
By signing their code, a company is effectively tying its reputation to the product.
Businesses typically use a cryptographic key to sign their code. That key might be held inside the organization itself, on a developer's computer (as is common for APKs on the Android platform), or with a cloud signing service, which is available for both Android and iOS.
Local signing means you retain full control of the process and the keys you use. But keys can still be accidentally leaked or stolen. Some legacy keys can be weak, too. A huge number of apps on the Google Play Store - particularly the older ones - use weak keys from years ago.
One alternative is cloud signing in an app store itself. Keys are more robust this way, but it means your app will be signed on the servers of Google or Amazon.
App signing is a great start. But it isn’t enough on its own to protect against tampering attacks. That's because there's nothing to stop bad actors from simply signing malicious or tampered-with apps with their own random keys.
A wider issue is that your average app user doesn't pay any attention to the signature behind an app. Most wouldn't be able to tell you what it is or how it might protect them from malicious apps. It's similar to an HTTPS certificate. Honestly, when was the last time you checked it on a site where you enter your personal or banking details?
There's a need for more education about these protective measures.
Until then, as we touched on earlier, you also need additional security to counter the dangers posed by tampering. For example, you need to run environment checks and integrity checks at runtime. Do this, and you can spot the most common tools hackers use to reverse engineer apps. These include hooking, rooting, debugging, and using emulators.
Alongside these checks, you can use code and content protection to harden your app and make it tougher to read and decompile. As a general rule, the harder it is for a bad actor to read your app, the harder it is for them to tamper with its code.
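To make the two points above concrete - that a signature only helps if it is checked against the publisher's known key, and that integrity has to be re-checked at runtime rather than only at install time - here is an added Go example. It is not Licel's code and not part of any app store's signing scheme; it uses a toy "package" (a map of entry names to bytes standing in for an APK's classes.dex, native libraries and resources), a manifest of SHA-256 digests, and Ed25519 from the Go standard library. The pinned publisher key, the attacker key and the package contents are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Package is a stand-in for an APK/IPA: entry name -> file contents (constructed).
type Package map[string][]byte

// buildManifest lists "name sha256hex" for every entry in sorted order, so one
// signature over the manifest covers the whole package.
func buildManifest(pkg Package) []byte {
	names := make([]string, 0, len(pkg))
	for n := range pkg {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(pkg[n])
		fmt.Fprintf(&buf, "%s %s\n", n, hex.EncodeToString(sum[:]))
	}
	return buf.Bytes()
}

// SignedPackage is the package plus its manifest, the signature over the
// manifest, and the public key the signer claims to own.
type SignedPackage struct {
	Pkg       Package
	Manifest  []byte
	Signature []byte
	PubKey    ed25519.PublicKey
}

// Sign produces a signed package; anyone with any key can do this, which is
// exactly why the verifier must pin the publisher's key.
func Sign(pkg Package, priv ed25519.PrivateKey) SignedPackage {
	m := buildManifest(pkg)
	return SignedPackage{pkg, m, ed25519.Sign(priv, m), priv.Public().(ed25519.PublicKey)}
}

var (
	ErrUntrustedKey = errors.New("signing key is not the pinned publisher key")
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrModified     = errors.New("contents do not match the signed manifest")
)

// Verify is the install-time check: (1) the embedded key must be the pinned
// publisher key, (2) the signature must verify over the manifest, (3) every
// entry's current digest must match the manifest.
func Verify(sp SignedPackage, pinned ed25519.PublicKey) error {
	if !bytes.Equal(sp.PubKey, pinned) {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pinned, sp.Manifest, sp.Signature) {
		return ErrBadSignature
	}
	if !bytes.Equal(buildManifest(sp.Pkg), sp.Manifest) {
		return ErrModified
	}
	return nil
}

// RuntimeIntegrityCheck re-hashes the components actually loaded in memory
// against the manifest that was verified at install time, catching patches
// applied after installation (e.g. by a hooking framework).
func RuntimeIntegrityCheck(sp SignedPackage, loaded Package) error {
	if !bytes.Equal(buildManifest(loaded), sp.Manifest) {
		return ErrModified
	}
	return nil
}

func clonePackage(p Package) Package {
	c := make(Package, len(p))
	for n, b := range p {
		c[n] = append([]byte(nil), b...)
	}
	return c
}

// Scenarios runs the genuine package and four tampering cases through the
// checks and returns the outcome of each (constructed data, fixed key seeds).
func Scenarios() map[string]error {
	publisherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	pinned := publisherPriv.Public().(ed25519.PublicKey)

	genuine := Package{
		"classes.dex":      []byte("LoginActivity; TransferActivity"),
		"lib/liblogin.so":  []byte("native login checks"),
		"res/login_ui.xml": []byte("<LinearLayout>real login screen</LinearLayout>"),
	}
	signed := Sign(genuine, publisherPriv)
	out := map[string]error{"genuine": Verify(signed, pinned)}

	// Trojan code injected into the decompiled app, original signature block kept.
	tampered := clonePackage(genuine)
	tampered["classes.dex"] = append(tampered["classes.dex"], []byte("; OverlayService")...)
	out["modified"] = Verify(SignedPackage{tampered, signed.Manifest, signed.Signature, signed.PubKey}, pinned)

	// Attacker rebuilds and re-signs the package with their own random key.
	out["resigned"] = Verify(Sign(tampered, attackerPriv), pinned)

	// Attacker rebuilds the manifest but claims the publisher's key.
	forged := Sign(tampered, attackerPriv)
	forged.PubKey = pinned
	out["forged_manifest"] = Verify(forged, pinned)

	// Installed package was genuine, but a native library was patched in memory.
	loaded := clonePackage(genuine)
	loaded["lib/liblogin.so"] = []byte("hooked login checks")
	out["runtime"] = RuntimeIntegrityCheck(signed, loaded)
	return out
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

The "resigned" case is the one the text warns about: the attacker's signature is mathematically valid, and an installer that merely checks "is this package signed by the key it carries?" would accept it. Only pinning the expected publisher key (step 1 of `Verify`) turns signing into a defence, and only the runtime re-check catches modification that happens after a genuine install.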
Threat intelligence can help, too. If you have a system in place that keeps you informed of the types of threats in your industry, you can shore up your defenses to meet them.
Tampering threats like trojans can do a lot of damage. But you can defend against them.
And once you do, it frees you up to concentrate on doing what you do best - providing a great experience for your end users.
At Licel we help some of the world’s biggest banks to counter tampering attacks.
Find out more about the risks we help to stop.