Researchers from security specialist Check Point have recently uncovered a new malware campaign targeting the Google Play Store. The so-called SimBad malware was found in no fewer than 206 applications, which were downloaded a total of almost 150 million times. The newly found malware is a classic example of a supply chain attack.
According to the security specialist, the SimBad campaign has mainly affected games, simulation games in particular. Concretely, the malware first acts as adware, displaying countless advertisements outside the app, which exposes affected end users to other infected apps. The malware's developer can also open a URL of their choosing in a browser, which allows them to generate phishing pages and open them in victims' browsers. Finally, SimBad can itself open apps such as Google Play and 9Apps, exposing those affected to even more threats.
Operation of SimBad
The infected apps all use the malicious RXDrioder Software Development Kit (SDK) to carry out their operations. After installation, SimBad connects to its designated Command and Control (C&C) server, from which it receives commands to execute. SimBad can perform all kinds of actions on end users' devices unnoticed, such as removing its icon from the launcher, which makes it harder for end users to find and uninstall it.
Earlier, Check Point specialists discovered a group of apps in which malware was hidden in a payment generation SDK called SWAnalytics. This malware was contained in Android apps distributed via large Chinese app stores. So far, 12 infected applications have been discovered, which together have been downloaded 111 million times.
Example of supply chain attacks
The infection rate of the newly discovered malware was so high because the attackers could exploit flaws in third-party code. According to Check Point, this is a characteristic example of the danger lurking in the new way apps are developed. Apps today are built from a complex chain of external libraries and open source components. Software engineers and DevOps teams use this ready-made code to build their applications, trusting that the third-party code is safe, but that is not always the case.
Attackers often use trusted third-party code as the vehicle for smuggling in malware; such attacks are known as supply chain attacks. Although the software supply chain is crucial for building and rolling out business applications quickly and efficiently, it can make securing companies and organisations much harder.
Protection against supply chain attacks
Companies and organisations can protect themselves against such supply chain attacks by properly identifying the commercial and open source products they use. In addition, it is wise to adopt a so-called hygiene-first approach to the security architecture, whereby an organisation maintains a complete overview of its IT environment in order to prevent blind spots, especially as more and more applications are added to the IT ecosystem.
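As an added illustration of the first step recommended above (this is example code, not from the article or from Check Point), the script below builds an inventory of the third-party SDKs an Android project pulls in through its Gradle dependency declarations and flags any coordinate whose publisher group is not on a vetted allow-list. The build files, the allow-list and the ad-network SDK name are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample: two Gradle module files as an Android project might contain them.
# The "com.example.adnet" SDK is an illustrative placeholder, not an SDK named in the article.
SAMPLE_BUILD_FILES: Dict[str, str] = {
    "app/build.gradle": """
dependencies {
    implementation 'androidx.appcompat:appcompat:1.1.0'
    implementation "com.google.android.gms:play-services-ads:18.3.0"
    implementation 'com.example.adnet:monetize-sdk:2.4.1'   // placeholder third-party ad SDK
    testImplementation 'junit:junit:4.12'
}
""",
    "feature/build.gradle": """
dependencies {
    api 'com.squareup.okhttp3:okhttp:3.12.1'
    implementation 'com.example.adnet:monetize-sdk:2.4.1'
}
""",
}

# Publisher groups the organisation has vetted (assumption: kept as a maintained allow-list).
APPROVED_GROUPS: Set[str] = {"androidx", "com.google.android.gms", "com.squareup.okhttp3", "junit"}

# Matches Gradle dependency lines such as: implementation 'group:artifact:version'
DEP_RE = re.compile(
    r"""^\s*(?:api|implementation|compileOnly|runtimeOnly|testImplementation)\s*\(?\s*['"]"""
    r"""(?P<group>[^:'"]+):(?P<artifact>[^:'"]+):(?P<version>[^'"]+)['"]"""
)


def inventory(build_files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each group:artifact:version coordinate to the module files that declare it."""
    found: Dict[str, Set[str]] = {}
    for path, text in build_files.items():
        for line in text.splitlines():
            m = DEP_RE.match(line)
            if m:
                coord = f"{m['group']}:{m['artifact']}:{m['version']}"
                found.setdefault(coord, set()).add(path)
    return found


def unvetted(inv: Dict[str, Set[str]], approved_groups: Set[str]) -> List[str]:
    """Coordinates whose group is neither an approved group nor a sub-group of one (e.g. androidx.*)."""
    def approved(group: str) -> bool:
        return any(group == g or group.startswith(g + ".") for g in approved_groups)
    return sorted(c for c in inv if not approved(c.split(":")[0]))
```

Running `unvetted(inventory(SAMPLE_BUILD_FILES), APPROVED_GROUPS)` on the sample returns only the placeholder ad SDK, together with (via the inventory) both modules that pull it in.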
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.