Data in mysterious places – the subtle crisis of data harvesting apps

Recent news stories highlight the danger of unwanted data exfiltration by popular applications. The use of apps is increasingly important across working environments; recognizing the potential threat that they pose and implementing appropriate safeguards tailored to organizational needs is critical.

A recent spike in reports of data exfiltration by applications, in some cases very popular ones or ones from otherwise trusted sources, has once again highlighted the fundamental problem of information leaking from unexpected places. Even where there is no malicious intent, the response to such incidents (for example, the questions levelled at Trend Micro after the data harvesting behaviour of its apps came to light, and the company’s decision to issue a formal apology and remove the functionality [1]) shows that such exfiltration is frequently both unexpected and unwanted.

The use of mobile apps in particular is becoming more popular and prevalent across working environments; the stakes in understanding and responding appropriately to the issue are rising correspondingly. Looking at recent cases provides a number of lessons to draw on and helps to understand what an effective organizational response might look like.

Recent Cases

Over the course of one week in September 2018, concerns previously raised about a number of applications on Apple platforms coalesced into reports of data exfiltration by unexpected suspects.

The first of these, an application named ‘Adware Doctor’, claimed to protect browsers from common adware threats; at the time of the research its position as the fourth most popular paid app on the Mac App Store meant that it was prominently featured on Apple’s main website. Static analysis showed that the app was indeed capable of functioning as an adware blocker; dynamic analysis of the app in use, however, showed that it also collected the user’s browser history, packed it into a password-protected .zip archive and exfiltrated it to a server in China. The password protection was trivially bypassed: the password was passed on the command line of the archiving utility, so it could be read directly from the process arguments, highlighting yet another security issue in the app [2].

In another case, an app named ‘Open Any Files’, found to be exfiltrating data in the same way, was also actively promoting a second app, ‘Dr. Antivirus’. Analysis of that app showed it exfiltrating data using the same method, to the same URL, as the first [3]; of greater concern, this tool and two others caught doing the same thing (Dr. Cleaner and App Uninstall) were published by the major cybersecurity company Trend Micro [4].

Within days of the reports being published, Apple had removed the Trend Micro apps in question from its App Store [5], ostensibly for violating store guidelines. Trend Micro, for its part, stated that the browser history was collected as a one-time ‘snapshot’ for security purposes, but issued an apology in response to the uproar and pledged to remove the collection function from its apps [1].

Lessons to Learn

The incidents above are unusual: the popularity of the first app, and the fact that a cybersecurity company was responsible for the second incident, gave them a profile well beyond the usual coverage. That profile, and their unusual characteristics, highlight some issues that might otherwise have gone unappreciated:

  • Data exfiltration can come from unexpected places. A highly popular application and applications from a trusted vendor alike were caught in the act in the research described above; no app is above suspicion.
  • Both sets of apps were hosted on Apple’s Mac App Store and had, in theory, been vetted against the store’s guidelines. Apple’s subsequent removal of the Trend Micro apps is a tacit admission that its review process did not detect their surreptitious data collection. Relying on the platform’s vetting alone is therefore insufficient; independent review of apps used in working environments is crucial to discovering issues like this.
  • Even where the motives behind the collection are benign, as Trend Micro has claimed with regard to its applications, the broadly negative response shows that this is not considered an acceptable reason to carry it out unannounced and without clear disclosure. A secure environment is not simply a matter of keeping malware out; it is also a matter of making sure your software and networks do what you want them to do, and not what they want to do.
  • The ease with which researchers recovered the password used to ‘secure’ the exfiltration archives also highlights the danger of third parties intercepting such data in transit. A password passed on the command line is visible to any process monitor on the host and adds no confidentiality against anyone positioned to capture the archive; poorly built apps such as these can hand an attacker who has done the same dynamic analysis access to the data after it leaves the machine.

The crucial conclusion is the importance of reviewing apps to ensure that they meet your organization’s security standards. By dynamically analysing what appeared to be popular or legitimate applications, that is, observing their process activity, file access and network traffic while in use, researchers discovered exfiltration functions that were nowhere apparent from the apps’ advertised purpose.

Integrating comparable steps into your software onboarding workflows, whether dynamic analysis of an app before approval or ongoing monitoring of its network and data outflow during routine use, lets you confirm that your apps are not only secure by a third party’s standards but meet your organization’s specific security requirements.
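As an added example of the kind of check such a workflow can automate, the script below triages a dynamic-analysis trace of an app under review: it flags archivers invoked with a password on the command line (recovering the password, as the researchers above did), archiving of browser-history files, uploads to hosts outside an allowlist, and the combination of the two as a likely exfiltration chain. This is illustrative code written for this article, not the researchers’ tooling; the trace format, the allowlisted hosts, the sensitive-path list and the sample events are all constructed assumptions.

```python
"""Triage of a dynamic-analysis trace for an app under review.

Added example, not code from the original article or from the
researchers it cites. The event format, the host allowlist, the
sensitive-path list and the sample trace are constructed for illustration.
"""
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the vendor documents as the app's backends.
ALLOWED_HOSTS = {"updates.vendor.test", "api.vendor.test"}

# Hypothetical user-data paths whose archiving deserves a second look.
SENSITIVE_PATHS = (
    "/Library/Safari/History.db",
    "/Library/Application Support/Google/Chrome/Default/History",
    "/Library/Application Support/Firefox/Profiles",
)

ARCHIVERS = {"zip", "7z", "7za", "tar"}
UPLOAD_THRESHOLD = 64 * 1024  # bytes out above which a request counts as an upload


def basename(path):
    return path.rsplit("/", 1)[-1]


def password_from_argv(argv):
    """Recover an archive password passed on the command line.

    zip takes `-P pass` or `--password pass`; 7z takes `-ppass`. Anything a
    process monitor can read here, a co-resident attacker can read too.
    """
    prog = basename(argv[0])
    if prog not in ARCHIVERS:
        return None
    for i, arg in enumerate(argv):
        if arg in ("-P", "--password") and i + 1 < len(argv):
            return argv[i + 1]
        if prog.startswith("7z") and arg.startswith("-p") and len(arg) > 2:
            return arg[2:]
    return None


def sensitive_inputs(argv):
    """Arguments of an archiver invocation that point at sensitive user data."""
    return [a for a in argv[1:] if any(p in a for p in SENSITIVE_PATHS)]


def analyse(events, allowed_hosts=ALLOWED_HOSTS):
    """Walk the trace in order and return a list of findings.

    Each finding is a dict with 'kind', 'pid' and 'detail'. A process that
    archived sensitive data (itself or via a child) and then pushed at least
    that many bytes to a non-allowlisted host also gets an 'exfiltration_chain'.
    """
    findings = []
    archived = {}         # pid -> bytes written by an archiver over sensitive data
    parent = {}           # pid -> ppid, to attribute child archivers to the app
    archive_pids = set()  # pids that ran an archiver over sensitive data

    for ev in events:
        if ev["type"] == "exec":
            pid, argv = ev["pid"], ev["argv"]
            parent[pid] = ev.get("ppid")
            pw = password_from_argv(argv)
            if pw is not None:
                findings.append({"kind": "cleartext_archive_password", "pid": pid,
                                 "detail": f"{basename(argv[0])} password {pw!r} visible in process arguments"})
            hits = sensitive_inputs(argv)
            if basename(argv[0]) in ARCHIVERS and hits:
                archive_pids.add(pid)
                findings.append({"kind": "sensitive_data_archived", "pid": pid,
                                 "detail": "archived " + ", ".join(hits)})
        elif ev["type"] == "file_write":
            if ev["pid"] in archive_pids:
                archived[ev["pid"]] = archived.get(ev["pid"], 0) + ev["bytes"]
        elif ev["type"] == "net":
            url = urlparse(ev["url"])
            if url.hostname in allowed_hosts or ev["bytes_out"] < UPLOAD_THRESHOLD:
                continue
            scheme_note = " over plaintext HTTP" if url.scheme == "http" else ""
            findings.append({"kind": "upload_to_unlisted_host", "pid": ev["pid"],
                             "detail": f"{ev['bytes_out']} bytes to {url.hostname}{scheme_note}"})
            # Correlate with archives produced by this process or its children.
            related = [p for p in archived if p == ev["pid"] or parent.get(p) == ev["pid"]]
            if any(archived[p] <= ev["bytes_out"] for p in related):
                findings.append({"kind": "exfiltration_chain", "pid": ev["pid"],
                                 "detail": f"sensitive data archived by pid(s) {related} then uploaded to {url.hostname}"})
    return findings


# Constructed sample trace: an app (pid 4100) checks for updates legitimately,
# spawns zip over Safari history with a command-line password, then POSTs an
# archive-sized body to an unrelated host.
SAMPLE_TRACE = [
    {"type": "net", "pid": 4100, "url": "https://updates.vendor.test/check", "bytes_out": 512},
    {"type": "exec", "pid": 4242, "ppid": 4100,
     "argv": ["/usr/bin/zip", "-r", "-P", "s3cret", "/tmp/h.zip", "/Users/alice/Library/Safari/History.db"]},
    {"type": "file_write", "pid": 4242, "path": "/tmp/h.zip", "bytes": 1_572_864},
    {"type": "net", "pid": 4100, "url": "http://collect.unrelated.test/upload", "bytes_out": 1_573_100},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_TRACE):
        print(f"[{f['kind']}] pid {f['pid']}: {f['detail']}")
```

The trace events would in practice be produced by whatever process, file and network monitor the review environment runs; the point of the correlation step is that none of the individual signals (an archiver, a POST, a readable password) is conclusive on its own, whereas a child process archiving browser history followed by an upload of at least that size to an unlisted host is exactly the pattern the reports above describe.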

Above all, remember that as mobile and third-party applications become increasingly important in day-to-day organizational workflows, things may not always be as they seem, however popular the app and however trustworthy its distributor. Caution and awareness are key.

Who we are

DCSO’s Threat Intelligence Team helps clients reduce the threat posed by adversaries to their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence at all levels, from atomic Indicators of Compromise (IoCs) to insight into the political, economic and cultural context of adversaries.

[1] Trend Micro. “Answers to Your Questions on Our Apps in the Mac App Store,” September 10, 2018. https://blog.trendmicro.com/answers-to-your-questions-on-our-mac-apps-store/
[2] Wardle, Patrick. “A Deceitful ‘Doctor’ in the Mac App Store,” Objective-See, September 7, 2018. https://objective-see.com/blog/blog_0x37.html
[3] Reed, Thomas. “Mac App Store apps are stealing user data,” Malwarebytes Labs, September 7, 2018. https://blog.malwarebytes.com/threat-analysis/2018/09/mac-app-store-apps-are-stealing-user-data/
[4] Nichols, Shaun. “Trend Micro tools tossed from Apple’s Mac App Store after spewing fans’ browser histories,” The Register, September 10, 2018. https://www.theregister.co.uk/2018/09/10/trend_micro_apple_macos/
[5] Palladino, Valentina. “Apple takes down Trend Micro Mac apps that collected, stored user data,” Ars Technica, September 11, 2018. https://arstechnica.com/gadgets/2018/09/apple-takes-down-trend-micro-mac-apps-that-collected-stored-user-data/