Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

12:55 PM

Attackers Turn Struggling Software Projects Into Trojan Horses

While access to compromised systems has become an increasingly common service, some cybercriminals are going straight to the source: buying code bases and then updating the application with malicious code.

On Dec. 4, users of a simple Android program — a barcode scanner — started witnessing odd behavior when their smartphones suddenly began opening up their browser to display unwanted advertisements.

While the devices exhibited the hallmarks of a malware or adware infection, the compromises puzzled most users since they had not recently downloaded new software, according to an analysis by endpoint security firm Malwarebytes. Instead, the malicious behaviors came from a software update to a popular application — the generically named "Barcode Scanner," with millions of downloads. An enterprising group bought the code and then pushed a malicious update to every user of the application.

Related Content:

Malicious Code Injected via Google Chrome Extension Highlights App Risks

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

The supply chain attack is a new technique — buying applications, along with their software base, and then pushing out updates with malicious code — that will likely grow in popularity among cybercriminals, says Nathan Collier, senior malware intelligence analyst at Malwarebytes.

"Now that this has been done, I can definitely see it happening more in the future," he says. "Honestly, for malware developers it's kind of genius that they can just do this — let someone else build something, have it on Google Play for years. You are buying the ability to update all of the users to a new version of the app."

Already, a second group used a similar tactic to infect millions of users with malicious code through a popular Google Chrome extension. In early February, Google removed the Great Suspender utility for Chrome, which reduces the memory consumed by the browser through shutting down old tab processes, after the original maintainer of the open source project sold the code to an unknown group. Users of the extension noticed in October 2020 that new owners had installed updated code on users' systems without notification — code that appeared to behave similar to adware.

The technique for distributing malicious code comes as developers and security firms are trying to detect attackers who compromise code bases and insert malicious modifications. Skipping the initial requirements of compromising the code base makes the attack simpler, Bishop Fox CEO Vinnie Liu told Dark Reading earlier this month

"The secure development life cycle has for 15 years been focused on preventing the inadvertent introduction of vulnerabilities by developers, and not against identifying and preventing the purposeful insertion of malicious code or behavior into an existing application," he said. "Developers are unprepared for this. Most enterprise security programs are unprepared for this." 

Paying for access to a vulnerable system is not necessarily new, however. Cybercriminals services that sell access to already compromised systems have evolved over the past decade; such services now account for a large number of ransomware infections. In 2016, cybersecurity experts were already warning of the emergence of access-as-a-service sites used by cybercriminals. 

Other gray-market groups use a more subtle approach, creating advertising software development kits (SDKs) used by developers to monetize their applications, but then adding aggressive advertising or even malicious code to the third-party component. In August, for example, researchers at security firm Snyk revealed that an SDK used by more than 1,200 iOS applications had adopted code to spy on millions of users

Compromising the supply chain directly is also becoming more common. Many cybercriminals and nation-state operators have targeted popular software and vendors — such as the software compromise that allowed NotPetya to spread and the attack on SolarWinds — as a way to eventually infect companies using the software.

By targeting struggling but popular software projects, however, cybercriminals have added another door into the supply chain for their code. 

The Barcode Scanner app behind the latest case appeared on the Google Play store in 2017 as a legitimate, ad-driven application with tens of thousands of users, according to Malwarebytes. At the time of its sale to an organization named LavaBird LLC, the application had about 10 million downloads and an extensive user base, according to Malwarebytes. LavaBird says the company then sold it to another third party, who made the malicious modifications, Collier says. 

"The clean version was on there for a long, long time ... so it was growing and growing and growing before it got taken up by LavaBird," he says. "They bought it with the intention of selling it as quickly as they can, but the problem is they did zero verification on who they were selling it to."

Should developers be required to do due diligence on buyers? Collier says he is not so sure. Instead, the company behind the ecosystem — whether Apple, Google, Microsoft, or another — should ensure that security checks on updates are as rigorous as on the original application, especially if the maintainer has changed.

"Google really only looks in depth when the code is first uploaded," he says. "Looking at the code, this would have been an easy one to detect. I downloaded the app, and within five minutes it was opening up Google Chrome and doing redirects."

Yet he acknowledged the security firms have to adapt to the new strategy as well.

"To be fair, in Google's defense, the [mobile security] vendors were not even detecting it right off the bat either," Collier says. "It was sly, slipped in, and it worked."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.