Wei Yan, Jideng Han, Hualin Zhao, Kunlun Wang
{wyan, jdhan, hzhao, klwang}@visualthreat.com
VisualThreat Inc.
2901 Tasman Drive, Suite 107, Santa Clara, CA, USA

Abstract—With the fast evolution of mobile technology, the number of mobile devices grows exponentially. Many new applications bring new features, such as online banking and smart driving. However, those features raise privacy leakage concerns and require security awareness from users. In order to gauge the risks of mobile apps, drawing on more than 1 million mobile apps from nearly one hundred categories, we have implemented an automatic mobile security deep-analytics platform. In this paper, we share our survey results for two categories: China bank apps and connected-car apps. Moderate to high privacy leakage issues have been found in more than 87% of 80 China mobile bank apps, and 50% of 150 connected-car apps can be hacked to attack cars. Also, quite a few top China bank apps failed to defend against activity hijacking.

Index Terms—mobile security, privacy leakage, auto security, connected car.

I. INTRODUCTION

The number of mobile apps grows exponentially with the fast evolution of mobile technology. Users rely on many apps in their daily life, such as online banking, pay-for-service, and smart driving. However, those features raise privacy leakage concerns and require security awareness from users. On the other hand, when mobile devices communicate with cars, the connected car becomes a new cyber threat target. OEM-endorsed connected car solutions such as Apple's CarPlay [1] and Google's Android Auto [2] interfaces will also bring more integrated, but potentially vulnerable, mobile apps into the vehicle. Various examples of such vulnerabilities have now been demonstrated at several security industry conferences. For example, research works presented at security conferences [3,4] showed that mobile apps could be used to attack cars.
We have implemented a cutting-edge cloud-based mobile security platform, which supports both Android and iOS apps. The system automatically analyzes mobile apps through the following features: privacy leakage detection, static and behavior analysis, and security vulnerability checking. Up to now, more than 1 million mobile apps have been processed from 100+ app store categories, as shown in Fig. 1. The x-axis shows the number of apps (in units of ten thousand) in each category.

Fig. 1. Surveyed App Store Categories.

In this paper, we show our findings for two popular categories: mobile banking and connected car. Android banking apps from more than 80 China banks, and 150+ smart car apps from vendors in both the US and China, were collected. The risk behavior types (data leakage, text message activities, file operations, spying, and networking activities) were applied to discover hidden threats on our cloud-based platform. After the deep analytics, a comprehensive threat report was generated for each app. Moderate to high privacy leakage issues have been found in more than 87% of China bank apps, and around 50% of connected-car apps can be hacked to attack cars. To our knowledge, it is the most comprehensive security report on mobile banking and smart driving so far. This high rate of privacy leakage matches our finding that major Android app stores apply either limited or no security validation [5], so a large volume of popular Android apps are found to carry potential risks.

We begin in Section 2 by describing the infrastructure of our analysis system, followed by a description of our findings on China banking and smart car apps. Section 4 describes the firewall scheme to defend against auto attacks. Section 5 presents the conclusion.

II. CLOUD-BASED MOBILE SECURITY PLATFORM

Taking the Android platform as an example, as shown in Fig. 2, the platform fetches APK files (the file format of Android apps) from app stores or through exchanges with other security vendors. For malicious apps, the system determines which malware family each submitted sample belongs to, which other families share similar code with it, and which other individual samples exhibit the same or similar malicious activities as the submitted sample. More than 200 Android malware families have been covered.

Fig. 2. Automatic App Processing.

For benign apps, we have defined risk behaviors, including data leakage, SMS activities, file operations, and spying activities, to categorize the different types of hidden risks that could be lurking in a user's installed apps. Based on the comprehensive risk report and score, our system can alert users to apps that may be "leaking" data from their mobile devices to unauthorized sources. The risk score is a value between 0 and 100 that quantifies the level of privacy leakage from the mobile device. The lower the amount of privacy leakage, the higher the score. Fig. 3 is an example of the risk report.

Fig. 3. Mobile App Risk Report.

III. CHINA BANK AND SMART CAR APPS

A. Bank Apps

Many banks in China now offer online banking services from their mobile apps. However, loose security auditing puts users at risk of compromised privacy and actual financial loss from banking malware. In order to gauge the security of mobile financial apps from 80+ China banks and financial institutions, we evaluated those apps on two mobile threat sectors: privacy leakage and security flaws. Fig. 4 and Fig. 5 show the privacy leakage scores of the banks. Seven out of every ten apps have at least a moderate level of leakage. The top three security vulnerabilities are weak encryption, exposed keys, and weak communication protocols. The x-axis of Fig. 5 is the bank app and the y-axis of Fig. 5 is the score from 0 to 100. Fig. 6 shows a security flaw existing in a big bank in China.
The genkey() function saves both the public and the private RSA key into files called pk.dat and sk.dat, which is a very serious security vulnerability: the private key is stored unprotected in the app's data files. Fig. 7 is another penetration testing example, of bank activity hijacking. Activity hijacking occurs when a suspicious app intercepts a return message that is actually intended for another app, so that it can fake pages of the victim app for phishing. Due to the lack of application-level protection, it was very easy to inject a phishing page into the bank app, causing users to enter their credentials into the hacker's third-party website.

B. Smart Car Apps

More and more people are talking about connected cars. However, when a mobile device connects to both the car and the vehicle cloud via mobile apps, the car becomes the new threat target. Numerous automotive mobile apps currently collect personal private information without the driver's awareness. They can also leverage Bluetooth, WiFi, or 3G/4G networks to send potentially dangerous commands into cars to control or change the vehicle's systems and/or status. Therefore, drivers may be at risk of being targeted by auto hackers, such as thieves, phishing scams, or nefarious phone attacks. Our research work showed that 60% of current commercial vehicle-related mobile apps have more than 3 security vulnerabilities. The URI exposure flaw is the most common one, followed by component exposure and code repackaging. Many vendors offer vehicle diagnostic services via mobile apps. Unfortunately, the security vulnerabilities existing inside these products put users at high risk of personal privacy leakage and even endanger human life! Worried about driver privacy leakage from mobile apps? Many automotive apps installed on your mobile device have low, moderate, or even high privacy leakage issues. A very popular auto diagnostic app was analyzed and many security flaws were found.
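The genkey() flaw above is a question of where key material ends up at rest. As an added example (not the paper's or VisualThreat's code), the following Python scanner checks files pulled from an app's private data directory for the three forms a Java app is likely to write a private key in: PEM text, raw DER (PKCS#1, PKCS#8 or SEC1 ECPrivateKey, recognised by the one-byte version INTEGER that follows the outer SEQUENCE), and a serialized java.security.Key object (which the JCA replaces with java.security.KeyRep on serialization). The file names and byte contents in SAMPLE_FILES are constructed to imitate the pk.dat/sk.dat pair; the DER check is general and also rejects a SubjectPublicKeyInfo, so a correctly stored public key does not trigger it.

```python
import re

# Indicators of private-key material at rest. The file names and bytes used below are
# constructed for this example; the check logic itself is general.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"        # java.io.ObjectOutputStream stream header
JAVA_KEYREP = b"java.security.KeyRep"          # JCA Key objects serialize through KeyRep


def _der_length(buf, pos):
    """Decode a definite-form DER length at buf[pos]; return (length, next_pos) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                            # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                            # long form: n following bytes hold the length
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def looks_like_der_private_key(buf):
    """PKCS#1 RSAPrivateKey, PKCS#8 PrivateKeyInfo and SEC1/RFC 5915 ECPrivateKey all begin
    SEQUENCE { INTEGER version (0 or 1), ... }. SubjectPublicKeyInfo and X.509 certificates
    begin SEQUENCE { SEQUENCE ... }, and a PKCS#1 RSAPublicKey begins with a multi-byte
    modulus, so a one-byte INTEGER 0/1 right after the outer SEQUENCE marks a private key."""
    if len(buf) < 4 or buf[0] != 0x30:
        return False
    decoded = _der_length(buf, 1)
    if decoded is None:
        return False
    _, pos = decoded
    return buf[pos:pos + 3] in (b"\x02\x01\x00", b"\x02\x01\x01")


def scan_app_files(files):
    """files maps a path (e.g. under the app's private data directory) to its bytes.
    Returns [(path, indicator), ...] for every file that appears to hold a private key."""
    findings = []
    for path, data in files.items():
        if PEM_PRIVATE_KEY.search(data):
            findings.append((path, "PEM-encoded private key"))
        elif looks_like_der_private_key(data):
            findings.append((path, "DER-encoded private key (PKCS#1/PKCS#8/SEC1)"))
        elif data.startswith(JAVA_SERIAL_MAGIC) and JAVA_KEYREP in data and (
                b"PRIVATE" in data or b"SECRET" in data):
            findings.append((path, "Java-serialized private/secret key object"))
    return findings


# Constructed sample of an app's data directory. pk.dat imitates a public key (SPKI prefix)
# and sk.dat a private key (PKCS#1 prefix), as a genkey()-style routine would write them.
SAMPLE_FILES = {
    "files/pk.dat": b"\x30\x82\x01\x22\x30\x0d\x06\x09" + b"\x00" * 40,
    "files/sk.dat": b"\x30\x82\x04\xa3\x02\x01\x00\x02\x82\x01\x01\x00" + b"\x00" * 40,
    "files/backup.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "files/key.ser": JAVA_SERIAL_MAGIC + b"sr\x00\x14" + JAVA_KEYREP + b"\x00" * 8 + b"PRIVATE",
    "shared_prefs/prefs.xml": b"<?xml version='1.0'?><map/>",
}

if __name__ == "__main__":
    for path, indicator in scan_app_files(SAMPLE_FILES):
        print(f"{path}: {indicator}")
```

The fix on the app side is not a better file name but a different storage class: an RSA key pair generated inside the Android Keystore is non-exportable, so nothing equivalent to sk.dat exists to be read by a debugger, a backup, or a repackaged copy of the app.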
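Activity hijacking, the component and URI exposure flaws, and the missing anti-debugging protection discussed in this section all have a common root in the app's manifest: components that any other app on the device may invoke, and an application element that is left debuggable or backup-enabled. As an added example (not the paper's platform code), the following Python audit applies Android's documented export defaults to a manifest and produces findings plus a 0-100 score in the spirit of Section II (lower exposure, higher score). The manifest, the component names and the score weights in WEIGHTS are constructed for this example; the export rules are Android's own (an explicit android:exported wins, a component with an intent filter is exported by default, and a content provider is exported by default below API 17). Reading an exported, unprotected provider as the paper's "URI exposure" is this example's interpretation.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed weights for the 0-100 score used in this example (not the paper's scoring).
WEIGHTS = {"debuggable": 30, "allowBackup": 10, "exported": 15}


def _a(attr):
    """Namespace-qualify an android: attribute the way ElementTree stores it."""
    return "{%s}%s" % (ANDROID_NS, attr)


def _is_launcher(component):
    """True for the app's launcher entry point, which must be exported by design."""
    for filt in component.findall("intent-filter"):
        actions = {x.get(_a("name")) for x in filt.findall("action")}
        cats = {x.get(_a("name")) for x in filt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def _is_exported(component, min_sdk):
    """Android's rule: an explicit android:exported wins; otherwise a component with an
    <intent-filter> is exported by default, and a <provider> is exported by default below API 17."""
    explicit = component.get(_a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return min_sdk < 17
    return component.find("intent-filter") is not None


def _is_permission_protected(component):
    """A caller-side permission limits who can reach an exported component."""
    if component.get(_a("permission")):
        return True
    if component.tag == "provider":
        return bool(component.get(_a("readPermission")) or component.get(_a("writePermission")))
    return False


def audit_manifest(manifest_xml):
    """Return (findings, score): findings is a list of (where, issue), score is 0-100."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings, 100
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(_a("minSdkVersion"), "1")) if sdk is not None else 1
    penalty = 0
    if app.get(_a("debuggable"), "false").lower() == "true":
        findings.append(("application", "debuggable=true: a debugger can attach to the released app"))
        penalty += WEIGHTS["debuggable"]
    if app.get(_a("allowBackup"), "true").lower() == "true":
        findings.append(("application", "allowBackup not disabled: private files (e.g. stored keys) land in adb backups"))
        penalty += WEIGHTS["allowBackup"]
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        if not _is_exported(comp, min_sdk) or _is_permission_protected(comp) or _is_launcher(comp):
            continue
        name = comp.get(_a("name"), "?")
        findings.append((f"{comp.tag} {name}", "exported without a permission: any app on the device can invoke it"))
        penalty += WEIGHTS["exported"]
    return findings, max(0, 100 - penalty)


# Constructed manifest for a hypothetical banking app (package and component names invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
  <application android:debuggable="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity">
      <intent-filter>
        <action android:name="com.example.bank.TRANSFER"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <provider android:name=".AccountProvider" android:authorities="com.example.bank.accounts"/>
    <receiver android:name=".SmsReceiver" android:exported="true"
        android:permission="android.permission.BROADCAST_SMS"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    found, score = audit_manifest(SAMPLE_MANIFEST)
    for where, issue in found:
        print(f"[{where}] {issue}")
    print("score:", score)
```

On the constructed manifest the audit flags the debuggable flag, the default backup setting, the implicitly exported TransferActivity and the pre-API-17 default-exported AccountProvider, while the permission-protected SmsReceiver, the launcher activity and the explicitly non-exported SettingsActivity pass. The same checks belong in a release pipeline, where a manifest that scores below a threshold blocks the build rather than reaching an app store that, as Section I notes, may apply no validation of its own.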
As Fig. 9 shows, because no encryption is used, attackers can easily identify the user's driving profile and car information. Lack of anti-debugging is another security issue for automotive mobile apps, even commercial ones. For example, it was very easy to insert a piece of code into one popular smart key app. After recompiling the modified code, a new Android executable file, a.k.a. APK file, was generated. Once the new app runs, the inserted window pops up.

IV. CONCLUSION

To summarize, the rapid growth of mobile apps represents exponentially growing opportunities for new features, bringing convenience to users. However, with that comes increased risk of privacy leakage and even car hacking, where personal information, vehicle information, security, and even vehicle safety are subject to increased risks. Our research shows that there are security vulnerabilities inside the majority of commercially available bank and automotive mobile apps. Unfortunately, the security vulnerabilities existing inside these products put users at high risk of personal private information leakage and may even put their safety at risk.

REFERENCES

[1] https://www.apple.com/ios/carplay/
[2] https://www.android.com/auto/
[3] http://www.syscan360.org/en/speakers.html
[4] https://www.defcon.org/html/links/dc-archives/dc-21-archive.html#Miller
[5] http://visualthreat.com/blog/20140126.html

Wei Yan is the founder of VisualThreat, a leading mobile security vendor based in Silicon Valley. He previously worked at McAfee, Trend Micro, and a Symantec joint venture as a security architect and research scientist, and has a deep understanding of anti-malware, cloud security, mobile threat intelligence, and auto anti-hacking. Dr. Yan is also an active referee, serves as an Editorial Board member of peer-reviewed professional journals, and is a technical committee member of international security conferences. He has a PhD in computer engineering from New Jersey Institute of Technology.
JiDeng Han is a Master's student at Beijing University of Posts and Telecommunications. His research areas are mobile security and computer networking.

HuaLin Zhao is a researcher at VisualThreat Security Lab.

Kunlun Wang is a researcher at VisualThreat Security Lab.