Social engineering, fake App Store, iOS hit, warns Sophos

I didn't want to focus entirely on the security of Apple devices for most of this week (see here and here), but new research from Sophos should be of interest to any business working to improve security awareness.

Breaking Bad

The research covers 167 fake apps used to scam iOS and Android users. Those that hit Apple's mobile operating system stood out in particular, as they show the growing sophistication of malware creators.
Sophos found that these sophisticated attacks combined a variety of weapons, ranging from social engineering, fake websites and fake iOS App Store pages to an iOS app-testing website, all used to deliver the fake apps to victims' devices. Sophos warns that the attacks may all be the work of the same group, and that every identified app purports to be a crypto, stock-trading or banking app that steals from those who use it. It is important to note that Sophos has shared details of these applications, so they should now be detected by malware detection tools.

What attack vectors were used?

What is important for corporate users to identify is which attack vectors were used to distribute these applications. Above all, they are good examples of social engineering combined with sophisticated impersonation attempts. For example, researchers identified one instance where an attacker found a victim on a dating app and eventually tricked that person into installing a fake app, which then attempted to steal the victim's cryptocurrency details. The attacks also used fraudulent websites that appear to be legitimate sites for well-known brands, as well as some rather convincing App Store download pages and ad hoc app distribution, accompanied by fake customer reviews.

Humanity is vulnerable

What makes these convincing attacks dangerous is their manufactured authenticity. This means that people, including your employees, can easily fall prey to them. Once again, these attempts focus on the weakest link in any security chain: the humans using the equipment. What can companies do to protect themselves? It's an argument in favor of Zero Trust, I think. Passwords alone do not sufficiently protect personal data, nor corporate information and services. As I would recommend to any iOS user, companies should at least implement multi-factor authentication to bolster existing security protocols, even if that's not enough on its own. Another barrier that mitigates the impact of such attacks is a network-based Zero Trust security model. Since a breach today is a matter of when, not if, adopting layered security protections makes it more likely that data will remain secure even if one component of that protection is breached.

The ad hoc distribution was also used

It's also worth noting that, in at least some of these cases, the criminals used ad hoc distribution (Sophos refers to "super signature" developer services) to bypass Apple's App Store process. This allowed them to create what appeared to be real apps distributed via fake App Store pages, but built and managed entirely outside of the App Store process. These are the kinds of schemes you'll see a lot more of if mobile platform owners are forced to run app stores like multi-tenant malls rather than curated department stores. But I digress. The apps are malicious and act like real apps, but are distributed via a fake App Store page. They never actually interact with Apple, and the developer services used are likely to violate Apple's developer license agreements. App store providers can take steps to mitigate these attacks. Sophos suggests that stores should add reputation and trust scores to app ratings, for example.
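One practical check that follows from this: an app installed through ad hoc distribution carries a provisioning profile that lists the specific device identifiers it was signed for, whereas an App Store build carries no such device list and an enterprise build is flagged as provisioning all devices. The script below is an added example written for this article, not Sophos' or Apple's code, and it assumes you have already decoded a profile's CMS wrapper (for instance with `security cms -D -i embedded.mobileprovision` on macOS) into an XML plist. The sample profiles it builds are constructed, with placeholder team and device identifiers.

```python
import plistlib
from datetime import datetime, timezone


def _sample_profile(**overrides) -> bytes:
    """Build a constructed provisioning-profile plist for demonstration.

    The keys mirror those found in a decoded embedded.mobileprovision;
    the team, bundle and device identifiers here are placeholders.
    """
    base = {
        "Name": "Example Wallet",
        "TeamIdentifier": ["TEAMID0000"],
        "ExpirationDate": datetime(2030, 1, 1),
        "Entitlements": {
            "application-identifier": "TEAMID0000.com.example.wallet",
            "get-task-allow": False,
        },
    }
    base.update(overrides)
    return plistlib.dumps(base)


# Constructed samples covering the three distribution shapes discussed above.
APP_STORE_PROFILE = _sample_profile()
AD_HOC_PROFILE = _sample_profile(
    ProvisionedDevices=["00000000-000000000000001A", "00000000-000000000000002B"]
)
ENTERPRISE_PROFILE = _sample_profile(ProvisionsAllDevices=True)


def classify_distribution(plist_bytes: bytes) -> str:
    """Classify a decoded provisioning profile by how the app is distributed.

    - ProvisionsAllDevices => in-house/enterprise signing
    - ProvisionedDevices   => per-device signing; debuggable builds are
                              development, otherwise ad hoc
    - neither              => App Store distribution
    """
    profile = plistlib.loads(plist_bytes)
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "development" if entitlements.get("get-task-allow") else "ad-hoc"
    return "app-store"


def profile_summary(plist_bytes: bytes) -> dict:
    """Summarise the fields a security team would want to see at install time."""
    profile = plistlib.loads(plist_bytes)
    kind = classify_distribution(plist_bytes)
    expires = profile.get("ExpirationDate")
    # plistlib returns naive UTC datetimes, so compare against naive UTC now.
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    return {
        "name": profile.get("Name"),
        "team": (profile.get("TeamIdentifier") or ["unknown"])[0],
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "distribution": kind,
        "device_count": len(profile.get("ProvisionedDevices", [])),
        "expired": bool(expires is not None and expires < now),
        # The warning Sophos asks Apple for: anything not from the App Store.
        "warn_user": kind != "app-store",
    }


if __name__ == "__main__":
    for label, blob in [("app store", APP_STORE_PROFILE),
                        ("ad hoc", AD_HOC_PROFILE),
                        ("enterprise", ENTERPRISE_PROFILE)]:
        print(label, profile_summary(blob))
```

A mobile device management or app-vetting pipeline can run `profile_summary` over any IPA submitted for internal use and surface the `warn_user` flag to the person installing it, which is the kind of barrier the article argues for.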

Apple must...

We know that Apple monitors such attempts through the App Store. It terminated 470,000 developer accounts and rejected more than 200,000 registrations due to fraud issues last year. It also removed 95,000 apps from the App Store for fraudulent violations, such as manipulating users into making purchases. But the use of ad hoc app distribution in these attacks has led Sophos to recommend that Apple create a new iOS warning message that lets users know when they are installing ad hoc apps from outside the Apple App Store. I totally agree with this approach. I don't think beta testers are put off by such warnings when installing test apps. I also don't think companies that use small distributions of internally developed apps would have any trouble explaining such a warning to employees. The broader benefits of adding a barrier to the installation of criminal apps distributed through clever social engineering and convincing forgery far outweigh the friction of receiving such a warning in the first place. However, the game of cat and mouse between online services, entities, users and companies on one side and cybercriminals on the other continues to become more complex, and humans remain the weakest link in the security chain. On any platform. Follow me on Twitter or join me in the AppleHolic's bar & grill and Apple Discussions groups on MeWe.
Copyright © 2021 IDG Communications, Inc.