Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

12:55 PM

Attackers Turn Struggling Software Projects Into Trojan Horses

While access to compromised systems has become an increasingly common service, some cybercriminals are going straight to the source: buying code bases and then updating the application with malicious code.

On Dec. 4, users of a simple Android program — a barcode scanner — started witnessing odd behavior when their smartphones suddenly began opening up their browser to display unwanted advertisements.

While the devices exhibited the hallmarks of a malware or adware infection, the compromises puzzled most users since they had not recently downloaded new software, according to an analysis by endpoint security firm Malwarebytes. Instead, the malicious behaviors came from a software update to a popular application — the generically named "Barcode Scanner," with millions of downloads. An enterprising group bought the code and then pushed a malicious update to every user of the application.

Related Content:

Malicious Code Injected via Google Chrome Extension Highlights App Risks

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

The supply chain attack is a new technique — buying applications, along with their software base, and then pushing out updates with malicious code — that will likely grow in popularity among cybercriminals, says Nathan Collier, senior malware intelligence analyst at Malwarebytes.

"Now that this has been done, I can definitely see it happening more in the future," he says. "Honestly, for malware developers it's kind of genius that they can just do this — let someone else build something, have it on Google Play for years. You are buying the ability to update all of the users to a new version of the app."

Already, a second group used a similar tactic to infect millions of users with malicious code through a popular Google Chrome extension. In early February, Google removed the Great Suspender utility for Chrome, which reduces the memory consumed by the browser through shutting down old tab processes, after the original maintainer of the open source project sold the code to an unknown group. Users of the extension noticed in October 2020 that new owners had installed updated code on users' systems without notification — code that appeared to behave similar to adware.

The technique for distributing malicious code comes as developers and security firms are trying to detect attackers who compromise code bases and insert malicious modifications. Skipping the initial requirements of compromising the code base makes the attack simpler, Bishop Fox CEO Vinnie Liu told Dark Reading earlier this month

"The secure development life cycle has for 15 years been focused on preventing the inadvertent introduction of vulnerabilities by developers, and not against identifying and preventing the purposeful insertion of malicious code or behavior into an existing application," he said. "Developers are unprepared for this. Most enterprise security programs are unprepared for this." 

Paying for access to a vulnerable system is not necessarily new, however. Cybercriminals services that sell access to already compromised systems have evolved over the past decade; such services now account for a large number of ransomware infections. In 2016, cybersecurity experts were already warning of the emergence of access-as-a-service sites used by cybercriminals. 

Other gray-market groups use a more subtle approach, creating advertising software development kits (SDKs) used by developers to monetize their applications, but then adding aggressive advertising or even malicious code to the third-party component. In August, for example, researchers at security firm Snyk revealed that an SDK used by more than 1,200 iOS applications had adopted code to spy on millions of users

Compromising the supply chain directly is also becoming more common. Many cybercriminals and nation-state operators have targeted popular software and vendors — such as the software compromise that allowed NotPetya to spread and the attack on SolarWinds — as a way to eventually infect companies using the software.

By targeting struggling but popular software projects, however, cybercriminals have added another door into the supply chain for their code. 

The Barcode Scanner app behind the latest case appeared on the Google Play store in 2017 as a legitimate, ad-driven application with tens of thousands of users, according to Malwarebytes. At the time of its sale to an organization named LavaBird LLC, the application had about 10 million downloads and an extensive user base, according to Malwarebytes. LavaBird says the company then sold it to another third party, who made the malicious modifications, Collier says. 

"The clean version was on there for a long, long time ... so it was growing and growing and growing before it got taken up by LavaBird," he says. "They bought it with the intention of selling it as quickly as they can, but the problem is they did zero verification on who they were selling it to."

Should developers be required to do due diligence on buyers? Collier says he is not so sure. Instead, the company behind the ecosystem — whether Apple, Google, Microsoft, or another — should ensure that security checks on updates are as rigorous as on the original application, especially if the maintainer has changed.

"Google really only looks in depth when the code is first uploaded," he says. "Looking at the code, this would have been an easy one to detect. I downloaded the app, and within five minutes it was opening up Google Chrome and doing redirects."

Yet he acknowledged the security firms have to adapt to the new strategy as well.

"To be fair, in Google's defense, the [mobile security] vendors were not even detecting it right off the bat either," Collier says. "It was sly, slipped in, and it worked."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...