New software will detect scam apps

Eleven percent of mobile apps access personal information, unknown to end-users.

Mobile applications have become a way for fraudsters to access consumers' personal data easily. RiskIQ, an IT security-software company, recently examined 350 000 apps that offer monetary transactions, and found more than 40 000 of these specialised programs were scams.

RiskIQ employees had downloaded the apps from around 90 recognised app stores worldwide, and analysed them. They discovered a total of 11% of these apps contained malicious executable functions, meaning they could read personal messages, or remove password protections, without being noticed by the user.

At the CeBIT computer fair, which starts on Monday in Hannover, Germany, computer scientists from the Saarbrücken Research Centre for IT Security (CISPA) will demonstrate software that allows users to detect malicious apps at an early stage.

CISPA researcher and Saarland University PhD student Erik Derr says this is achieved by scanning the program code, focusing on the places where the app accesses or transmits personal information.

"The monitoring software will detect whether a data request is related to the subsequent transmission of data, and will flag the code sequence in question as suspicious accordingly," explains Derr.

An important feature of the software he developed is its ability to monitor precisely which Web sites an app is accessing, or which phone number a text message was sent to. To conclusively detect these functional relationships between the data source and the recipient, the researchers use contemporary methods of information flow analysis.

They primed their program in advance with a list of suspicious combinations of calls to programming interfaces, so that it would learn to differentiate between "good" and "evil" apps, and additionally fed it with details of currently known attacks.

"So it can be helpful, for instance, to know the telephone numbers of these expensive premium services. Say one of these numbers is dialled without the consent of the user, then the fraud is obvious," Derr notes.
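The technique described above (a source-to-sink information flow analysis, extended with a list of known premium-rate numbers) can be illustrated with a toy taint tracker. The following is an added example written for this article, not CISPA's software or its rule set; the API names, the linearised trace format and the premium number are all constructed assumptions, and the analysis is deliberately simplified (one straight-line trace, no branching or aliasing).

```python
from dataclasses import dataclass
from typing import Optional

# Assumed simplified API vocabulary (hypothetical names, not the real Android API
# nor CISPA's rule set): calls that yield personal data, and calls that send data out.
SOURCES = {"readSms", "getContacts", "getDeviceId"}
SINKS = {"httpPost", "sendSms"}

# Constructed sample of known premium-rate numbers, standing in for the
# "details of currently known attacks" the article mentions. Not a real number.
PREMIUM_NUMBERS = {"+27900123456"}


@dataclass
class Call:
    """One step of a simplified, straight-line program trace."""
    api: str
    args: dict                    # argument name -> variable name or literal value
    result: Optional[str] = None  # variable receiving the return value, if any


def analyse(trace):
    """Track which variables carry personal data and report source-to-sink flows.

    Returns a list of findings; each names the step, the sink call, the
    destination (URL or phone number), the source APIs the data came from
    and the reason the flow was flagged.
    """
    taint = {}      # variable name -> set of source APIs that fed it
    findings = []
    for step, call in enumerate(trace):
        # Taint carried in by any argument that refers to an already-tainted variable.
        incoming = set()
        for value in call.args.values():
            incoming |= taint.get(value, set())

        if call.api in SOURCES:
            # The source's return value is personal data (plus whatever fed the call).
            if call.result is not None:
                taint[call.result] = {call.api} | incoming
        elif call.api in SINKS:
            dest = call.args.get("url") or call.args.get("number")
            if incoming:
                findings.append({"step": step, "sink": call.api, "destination": dest,
                                 "sources": sorted(incoming),
                                 "reason": "personal data flows to sink"})
            # Known-attack knowledge: a text to a premium-rate number is suspicious
            # even when the message body carries no personal data.
            if call.api == "sendSms" and dest in PREMIUM_NUMBERS:
                findings.append({"step": step, "sink": call.api, "destination": dest,
                                 "sources": sorted(incoming),
                                 "reason": "message to known premium-rate number"})
        else:
            # Ordinary computation: the result inherits the taint of its inputs.
            if call.result is not None and incoming:
                taint[call.result] = incoming
    return findings


# Constructed trace: the app reads SMS, wraps them in a request body and uploads
# them, then texts a premium-rate number; a benign lookup sits in between.
SAMPLE_TRACE = [
    Call("readSms", {}, "msgs"),
    Call("encodeJson", {"data": "msgs"}, "payload"),
    Call("getConfig", {"key": "endpoint"}, "cfg"),
    Call("httpPost", {"url": "https://example.invalid/upload", "body": "payload"}),
    Call("sendSms", {"number": "+27900123456", "body": "greeting"}),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_TRACE):
        print(finding)
```

Running the block reports two findings: the upload at step 3 is flagged because its body derives from `readSms`, and the text message at step 4 is flagged purely because the destination is on the premium-number list. The `getConfig` call produces no finding, which is the point of flow analysis over plain permission checks: an app is only suspicious where a data request is actually connected to a subsequent transmission.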


Since his method is computationally demanding and also requires a lot of memory space, the software is run on a dedicated server. "It takes our software an average of 25 minutes per app."

So far, his research team has tested around 23 000 apps.

"The app could be analysed on our server, and the results would be displayed on your smartphone. Or ideally, the evaluation process could be integrated directly into the app store Web sites."

Derr says the researchers are already discussing the issue with US online retail company Amazon. "But Google would certainly be an option as well."

In South Africa last year, consumers were warned about software designed specifically for holiday shopping. This software was designed to steal or send out the user's personal data. Once these apps are installed, criminals can redirect incoming calls and messages, allowing them to bypass two-step authentication systems.