Combined, the Russia-Ukraine war and the COVID-Pandemic have brought about an increased level of cyber-attacks against mobile applications, globally. The nature of the attacks is widening quickly. The hardest-hit include mobile banking, financial services, and other consumer-facing transactional apps. All Android and iOS mobile apps are experiencing an elevated number of attacks.
Appdome is advising mobile brands, mobile banks, consumer-facing transactional apps, and enterprise-workplace apps to upgrade their mobile compliance initiatives and embrace active mobile app cyber defense to protect mobile apps, data, connections, and users. To be effective, mobile app cyber defense programs should emphasize protection against dynamic attacks and on-device malware attacks, in addition to protecting data and connections. In addition, mobile app cyber defense programs should include (1) Security Release Management, (2) Shift Left in Dynamic Attack Prevention, (3) Certified Mobile App Protection, and (4) Cyber Defense Messaging to End Users. Mobile brands and consumer-app publishers relying on static protections (such as obfuscation), and enterprise apps relying on UEM/MAM, face the greatest risk at this time.
Mobile App Cyber Defense Advisory
In 2022, people use mobile apps to stay safe while living, buying, exploring, and sharing. The dramatic shift to the use of mobile apps for all parts of daily life and work, including accessing and sharing news and alerts, sending support, offering financial assistance, claiming benefits, offering humanitarian or social gestures, and more, increases the vulnerability of mobile application users globally.
Over the past weeks, several major governments and agencies, including the US FBI and CISA, the US White House, and others in EMEA and APAC, as well as independent cyber-security organizations, have issued their own mobile cyber-defense advisories to organizations of all types. Each advisory urges organizations to assess and increase the level of cyber-defenses in the context of the Russia-Ukraine War.
In partnership with Appdome customers globally, Appdome has begun to leverage its Threat-Event technology to monitor aggregated, app-level, mobile application threats and attacks across hundreds of millions of mobile app installations. The data provides global attack and threat intelligence across Android and iOS apps. It contains the nature and class of attacks, the identity of malicious packages, as well as the tools and methods used against mobile apps. The data reveals a quickly escalating level of attacks and exploits against mobile apps. The data also reveals the potential for weaponized malware on mobile devices targeting mobile apps.
The Number of Attacks on Mobile Apps is Increasing
Since the start of 2022, the number of attacks on mobile applications has been rising sharply. Overall, the data reveals a 10x+ increase in the number of on-device threats, cyber-attacks, malware exploits, and other attacks against mobile applications and users. Transactional apps, including Android and iOS apps for banking, financial services, crypto, payment, and consumer brands, are experiencing the largest increase in new, dynamic mobile attacks.
Several factors may impact the severity of the increase in cyber-attacks, including geography, brand prominence, and the lack of protection in the target mobile app. Appdome anticipates that organizations participating in sanctions against nation-states could be easily targeted, as the mobile apps of these organizations are readily available on public app stores.
Dynamic Attacks Against Mobile Apps on the Rise
Since the start of 2022, dynamic attacks against Android and iOS apps have been on the rise. Dynamic attacks stem from the growing ubiquity of malware, trojans, sample malicious code, and tools available to malicious actors. The relative ease and availability of these tools and methods result in new and growing threats from:
- Overlay attacks, keylogging (many variants), and auto-clickers (non-human interactions)
- Dynamic hooking, malicious debugging, emulators, and dynamic binary instrumentation (DBI)
- Trojan mobile apps masquerading as legitimate apps (all types)
- Man-in-the-Middle attacks on mobile applications
- Malware with advanced permissions (SU, permission escalation, jailbreak/root, etc.)
The list above is not exhaustive. Static protections for mobile apps, including obfuscation and encryption in Android and iOS apps, are no longer sufficient to protect mobile apps and users.
Mobile App Cyber Defense Best Practices
Mobile brands and enterprise apps are advised to adopt proactive mobile app cyber-defense programs emphasizing protections against dynamic on-device attacks, malware, emulated or scaled exploits, as well as Man-in-the-Middle attacks.
Best practices for mobile app cyber defense programs include the following:
Mobile App Security Release Management
The best mobile app cyber defense programs are built around a growing trend called mobile app Security Release Management. Security Release Management offers visibility, management, and control over the protection model used in Android and iOS apps. Security Release Management allows teams to create, version control, and rapidly deploy new security and dynamic defense protection to Android and iOS apps without coding or SDKs.
Shift Left in Dynamic Attack Prevention
Dynamic attacks against mobile apps occur as soon as the Android or iOS app is installed on the user’s mobile device. To protect Android and iOS apps, connections, and users, in-app protection against malware, instrumentation, emulators, etc. should be built into the mobile app prior to the first launch of the app. Defenses should be maintained, build-by-build, and release-by-release, to ensure consistent protection for users, data, and connections.
Certify Mobile App Protections Prior to Each Release
DevSecOps teams understand the value of pre-release security certification for mobile apps. Mobile developers and cyber security teams should leverage tools and systems, such as Appdome’s Certify Secure, to certify protections in Android and iOS apps build-by-build, and release-by-release.
Cyber Defense Messaging to Mobile End-Users
Dynamic attack prevention in mobile apps is unique as it has the ability to interact with Android and iOS end users. Mobile brands and enterprise mobile apps should ensure that defense features can initiate brand-relevant UX/UI messaging, and integrated enforcement options, to communicate with mobile app end users when defenses are initiated.
While there is no generic or all-purpose security recommendation for all Android and iOS apps, the contents of this advisory are intended to provide general guidance on the cyber defense initiatives mobile brands and mobile banks should take in the context of the Russian-Ukrainian War and the COVID-Pandemic. Appdome advises that, given the nature and duration of the war and the Pandemic, these recommendations are not limited to the short term. App-specific recommendations in each of the security, anti-fraud, and malware prevention categories may vary depending on the app, frameworks, methods, systems, and platforms used by the app. For specific recommendations on cyber defense initiatives, please contact Appdome.
On behalf of the entire Appdome team, we are honored and humbled by the trust and responsibility our customers have placed in us and continue to fulfill our mission of helping to protect every mobile app and mobile user in the world.
Appdome