When Good Apps Go Bad

Several high-profile issues regarding software updates have shown some critical security weaknessess involved in update mechanisms.

These security issues don’t just happen to individual users – they can also effect tech giants.

Here are three stories about how a “minor” software update can turn a good app into a vector for viruses and malware.

Malware Provider Buys 10 Million Victims

The app was simply titled “Barcode Scanner” and had been on the Google Play store since 2017 (or maybe earlier). It was owned and maintained (but not originally developed) by a software company called Lavabird LTD. And it seemed to work well.

At the very least, the app’s features (and functional name) were good enough to allow it get over 10 million installations.

A simple (free) app with this kind of userbase is pretty appealing for a malware creatior, though. According to some good digging by the security firm MalwareBytes, it looks like Lavabird sold the app to a new developer (called “The space team”) in late 2020.

This new developer was a bad actor, though, and uploaded a new version with malicious code in late November of 2020. The new, infected version of Barcode Scanner would essentially take a over a user’s phone with ads.

This version was taken down by Google fairly quickly, but even if only a small percentage of active users updated, that is hundreds of thousands (or millions) of infected phones.

This Technique Isn’t Just for Apps

This kind of practiceisn’t unique to mobile apps, either.

A very popular Chrome/Chromium plugin – The Great Suspenderwas taken over by a bad actor last year too.

This allowed one bad actor to infect thousands of machines at once. Most people don’t notice when Chrome plugins update, and even if it requests new permissions, most people are fine with clicking on “Accept” and not giving it a second thought.

Once again, this plugin was eventually deactivated and removed from Chrome browsers (and the Chrome Extension store). But this plugin had a huge (and fairly technical) userbase. A smaller-volume plugin or one without such an “involved” community may be able to sneak under the radar for much longer.

It doesn’t just happen to individuals, either.

When Dependencies Attack

A new (but long-feared) attack vector for large tech companies was sucessfully pulled off earlier this year.

The attack involves software “dependencies” – small software packages that allow developers to easily introduce and share common features between programs. These drastically cut back on development time and improve security. Of course, anytime you’re installing software you didn’t write, that comes with some caveats.

Dependencies can come from a few sources. They can either come from public package repostiories or private repositories. Putting aside the dangers of public repositories, a clever attack by Alex Birsan showed dangers even in private repositories.

Using some clever sleuthing, Alex was able to find the names of private dependencies used in big companies. These dependencies are not available to the general public, and often contain sensitive or specific functionality for a company or program.

By creating public packages using the private package names, though, Alex was able to leverage a weakness in many companies development pipelines. Apparently most companies will check for public packages first. If a package is not found in the public repositories, than a private package will be installed. If that wasn’t bad enough, if the package name is found in both public and private repositories, then whichever package has a higher version number will be installed.

So, by knowing the names of some company’s private packages, Alex was able to create versions with absurdly high version numbers – thus ensuring that during the building of a companies app, Alex’s “bad” packages would be installed instead of the intended “good” package.

To see how bad this situation actually was Alex had created a way for the compromised computers to “ping” his server. This would let Alex keep a record of which company’s machines downloaded the “bad” packages without risk of exfiltrating any sensative or propreitary data.

These newer “bad” dependencies were integrated into the software when – you guessed it – things are updated!

The list of companies that got caught by this is astounding. Apple, Shopify, Paypal, Netflix, Yelp, Uber, and more. All told, more than 35 companies were affected by this.

The Beginning of Supply-Side Attacks

These are all variations of “supply-side” attacks.

Instead of an attacker infiltrating your computer directly, they comprime software that’s already installed on your computer, and wait for a simple update to infect your computer. Since they’ve been (somewhat) successful, you can expect these sorts of attacks to continue for the foreseable future.

There are a few ways to mitigate these attacks, but no way to prevent them. A few things to keep yourself safe(r):

  1. Install the minimum number of apps/browser extensions/etc. that you need.
  2. While it may be unpopular, pay for your apps. If you don’t pay for the apps (or browser extensions) in money, you may be paying in other ways. Developers need to eat, too.
  3. Regularly update mission-critical apps. Despite the dangers above, auto-updating is still a good idea for most apps. If you don’t trust auto-updates, then make sure you regularly check for updates – especially for mission-critical apps.