McAfee Labs™ Finds Mobile Apps Left Vulnerable for Months
February 24 2015 - 12:01AM
Business Wire
Report finds 18 of 25 Top Mobile Apps Reported
Vulnerable in September 2014 Remain Unpatched; Unsecured Web
Sessions Leave Millions Open to Man-in-the-Middle Attacks
Intel® Security today released its McAfee Labs Threats Report:
February 2015, including assessments of the mobile threat landscape
and the failure of mobile app developers to patch critical secure
sockets layer (SSL) vulnerabilities, potentially impacting millions
of mobile phone users. McAfee Labs also revealed details on the
increasingly popular Angler exploit kit, and warned of increasingly
aggressive potentially unwanted programs (PUPs) that change system
settings and gather personal information without the knowledge of
users.
McAfee Labs researchers found that mobile app providers have
been slow to address the most basic SSL vulnerabilities: improper
digital certificate chain validation. In September 2014, the
Computer Emergency Response Team (CERT) at Carnegie Mellon
University released a list of mobile apps possessing this weakness,
including apps with millions of downloads to their credit.
In January, McAfee Labs tested the 25 most popular apps on
CERT’s list of vulnerable mobile apps that send login credentials
through insecure connections and found that 18 still have not been
patched despite public disclosure, vendor notification, and, in
some cases, multiple version updates addressing concerns other than
security. McAfee Labs researchers simulated man-in-the-middle
(MITM) attacks that successfully intercepted information shared
during supposedly secure SSL sessions. The vulnerable data included
usernames and passwords and in some instances, login credentials
from social networks and other third party services.
Although there is no evidence that these mobile apps have been
exploited, the cumulative number of downloads for these apps ranges
into the hundreds of millions. Given these numbers, McAfee Labs’
findings suggest that the choice by mobile app developers to not
patch the SSL vulnerabilities has potentially put millions of users
at risk of becoming targets of MITM attacks.
“Mobile devices have become essential tools for home to
enterprises users as we increasing live our lives through these
devices and the applications created to run on them,” said Vincent
Weafer, SVP of McAfee Labs, part of Intel Security. “Digital trust
is an imperative for us to truly engage with and benefit from the
functionality they can provide. Mobile app developers must take
greater responsibility for ensuring that their applications follow
the secure programing practices and vulnerability responses
developed over the past decade, and by doing so provide the level
of protection required for us to trust our digital lives with
them.”
Another Q4 development followed closely by McAfee Labs was the
rise of the Angler exploit kit – one of the cybercrime-as-a-service
economy’s latest contributions to off-the-shelf tools delivering
ever greater malicious functionality. Researchers saw
cybercriminals migrate to Angler in the second half of 2014, when
it surpassed Blacole in popularity among exploit kits. Angler
employs a variety of evasion techniques to remain undetected by
virtual machines, sandboxes, and security software, and frequently
changes patterns and payloads to hide its presence from some
security products.
This crimeware package contains easy-to-use attack features and
new capabilities such as file-less infection, virtual machine and
security product evasion, and the ability to deliver a wide range
of payloads including banking Trojans, rootkits, ransomware,
CryptoLocker, and backdoor Trojans.
The report also identified a number of other developments in the
final quarter of 2014:
- Mobile Malware. McAfee Labs
reported that mobile malware samples grew 14 percent during the
fourth quarter of 2014, with Asia and Africa registering the
highest infection rates. At least 8 percent of all McAfee-monitored
mobile systems reported an infection in Q4 2014, with much of the
activity being attributed to the AirPush ad network.
- Potentially Unwanted Programs.
In Q4, McAfee Labs detected PUPs on 91 million systems each day.
McAfee Labs sees PUPs becoming more and more aggressive, posing as
legitimate apps while performing unauthorized actions such as
displaying unintended ads, modifying browser settings, or
collecting user and system data.
- Ransomware. Beginning in Q3, the
number of new ransomware samples began to grow again after a
four-quarter decline. In Q4, the number of new samples grew 155
percent.
- Signed Malware. After a brief
drop in new malicious signed binaries, the pace of growth resumed
in Q4 with a 17 percent increase in total signed binaries.
- Total Malware. McAfee Labs now
detects 387 new samples of malware every minute, or more than six
every second.
For a full copy of the McAfee Labs Threats Report: February
2015, please visit: www.mcafee.com/February2015ThreatsReport
For a list of safety tips on how individual users can protect
themselves from the threats details in this quarter’s report,
please visit: http://mcaf.ee/5z86x
For guidance on how mobile app developers can address security
vulnerabilities more effectively, please visit:
http://mcaf.ee/ndwei
About McAfee Labs
McAfee Labs is the threat research division of Intel Security
and one of the world’s leading sources for threat research, threat
intelligence, and cybersecurity thought leadership. The McAfee Labs
team of more than 400 researchers collects threat data from
millions of sensors across key threat vectors—file, web, message,
and network. It then performs cross-vector threat correlation
analysis and delivers real-time threat intelligence to tightly
integrated McAfee endpoint and network security products through
its cloud-based McAfee Global Threat Intelligence service. McAfee
Labs also develops core threat detection technologies—such as
DeepSAFE, application profiling, and graylist management—that are
incorporated into the broadest security product portfolio in the
industry.
About Intel Security
McAfee is now part of Intel Security. With its Security
Connected strategy, innovative approach to hardware-enhanced
security, and unique McAfee Global Threat Intelligence, Intel
Security is intensely focused on developing proactive, proven
security solutions and services that protect systems, networks, and
mobile devices for business and personal use around the world.
Intel Security is combining the experience and expertise of McAfee
with the innovation and proven performance of Intel to make
security an essential ingredient in every architecture and on every
computing platform. The mission of Intel Security is to give
everyone the confidence to live and work safely and securely in the
digital world. www.intelsecurity.com.
Note: Intel, Intel Security, and McAfee are trademarks or
registered trademarks of Intel Corporation in the United States and
other countries. Other names and brands may be claimed as the
property of others.
Intel SecurityChris Palm,
408-346-3089Chris_Palm@McAfee.comorZeno GroupJanelle Dickerson,
650-801-0936Janelle.Dickerson@zenogroup.com
Intel (NASDAQ:INTC)
Historical Stock Chart
From Apr 2024 to May 2024
Intel (NASDAQ:INTC)
Historical Stock Chart
From May 2023 to May 2024