The Hidden Risks of Coexisting Malicious Apps in Non-Rooted Android Devices

The common belief that limiting app installations to non-rooted Android devices ensures comprehensive security is a significant oversight in enterprise mobile security strategy. Although non-rooted devices come with inherent security features, they remain prone to sophisticated cyber threats, particularly from malware-infected or malicious applications that might not require root access to perform damaging activities.

Rooted vs. Non-Rooted Devices: Assessing the Security Landscape

  • Rooted Devices: The security architecture of rooted devices is compromised as they grant "superuser" privileges to users and apps. This level of access facilitates profound system modifications, including the deactivation of security protocols and alteration of system data, rendering these devices highly vulnerable to diverse malicious exploits.
  • Non-Rooted Devices: By contrast, non-rooted devices adhere to standard security protocols and run apps in sandboxed environments, which in theory offers better protection. However, these devices are far from impervious. Malicious apps can still be installed through deceptive tactics or third-party sources, bypassing traditional security measures. Once installed, such apps can perform a range of harmful activities: they can mimic legitimate applications, snoop on user interactions, capture keystrokes, and read data that other apps store insecurely. These capabilities are particularly dangerous for mobile banking applications, where they can lead to significant financial losses and data breaches.

Emerging Threats from Malicious Apps in Non-Rooted Devices

Malicious applications on non-rooted devices can employ various techniques such as overlay attacks, exploitation of system flaws, or unauthorized permission usage to eavesdrop on sensitive data and harvest credentials. These tactics allow malicious actors to execute actions like:

  • Credential Harvesting: Capturing user inputs, including usernames, passwords, and transaction PINs, through covert keyloggers or phishing overlays.
  • Session Hijacking: Using stolen credentials to take control of active banking sessions and conduct unauthorized transactions without the user’s knowledge.
  • Data Exfiltration: Transmitting stolen data to remote command-and-control (C2) servers, which might further direct the compromised device to partake in additional malicious activities.

Notorious Examples of Banking Malware Exploiting Non-Rooted Devices

Several sophisticated banking malware families, such as BankBot, FakeApp, IcedID, and BazarLoader, have been specifically designed to exploit non-rooted devices. These families rely on stealth to evade security detection and carry out financial theft:

  • BankBot: Targets banking apps to steal login credentials and intercept SMS for two-factor authentication circumvention.
  • FakeApp and IcedID: These families impersonate legitimate banking applications or inject malicious scripts to siphon financial details directly from the user’s device.

Comprehensive Mitigation Strategies

To safeguard against these evolving threats, a multi-layered security approach that combines native Android OS-level controls, Mobile Application Server (MAS)-side protections, and compensating security solutions is essential:

1. Useful Android Native Controls

  • Input Field Security: Utilize the android:inputType="textPassword" attribute for sensitive fields to obscure data during entry.
  • Secure Coding Practices: Employ tools like ProGuard for code obfuscation to complicate reverse engineering. Runtime integrity checks can identify if an app runs on a rooted device, with libraries like RootBeer enhancing this assessment.
  • Keyboard Security: Implement an in-app keyboard for critical input fields to mitigate risks from third-party keyboards. Additionally, setting the inputType to textPassword ensures that custom keyboards cannot capture input.
  • Application Behavior Monitoring: Monitor input speeds to detect automated scripts or malware, and use Android's SafetyNet API to check for tampering or repackaging of the app.
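The native controls listed above, combined in one Android activity as an added example (not code from the original post): it assumes the RootBeer library is on the classpath, the keystroke-timing thresholds are constructed values, and the in-app keypad that feeds the field once the system IME is suppressed is not shown.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.os.SystemClock
import android.text.Editable
import android.text.InputType
import android.text.TextWatcher
import android.view.inputmethod.EditorInfo
import android.widget.EditText
import com.scottyab.rootbeer.RootBeer

/** Flags input whose recent inter-keystroke gaps are all faster than a human types (assumed thresholds). */
class KeystrokeTimingDetector(private val minGapMs: Long = 40, private val window: Int = 6) {
    private val gaps = ArrayDeque<Long>()
    private var last = -1L
    /** Returns true once the last [window] gaps were all shorter than [minGapMs]. */
    fun record(nowMs: Long): Boolean {
        if (last >= 0) { gaps.addLast(nowMs - last); if (gaps.size > window) gaps.removeFirst() }
        last = nowMs
        return gaps.size == window && gaps.all { it < minGapMs }
    }
}

class PinEntryActivity : Activity() {
    private val detector = KeystrokeTimingDetector()
    private lateinit var pin: EditText

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        pin = EditText(this)
        setContentView(pin)
        // Same effect as android:inputType="textPassword": masked entry, no suggestions or dictionary.
        pin.inputType = InputType.TYPE_CLASS_TEXT or InputType.TYPE_TEXT_VARIATION_PASSWORD
        // Ask the IME not to learn from this field (API 26+).
        pin.imeOptions = pin.imeOptions or EditorInfo.IME_FLAG_NO_PERSONALIZED_LEARNING
        // Suppress the system keyboard so an in-app keypad (not shown here) feeds the field instead.
        pin.showSoftInputOnFocus = false
        // Input-speed monitoring: flag keystroke bursts that look scripted rather than typed.
        pin.addTextChangedListener(object : TextWatcher {
            override fun beforeTextChanged(s: CharSequence?, a: Int, b: Int, c: Int) {}
            override fun onTextChanged(s: CharSequence?, a: Int, b: Int, c: Int) {
                if (detector.record(SystemClock.elapsedRealtime())) blockSensitiveFlow("automated-input")
            }
            override fun afterTextChanged(s: Editable?) {}
        })
        // Runtime root check via RootBeer; what to do on a rooted device is app policy (assumed here).
        if (RootBeer(this).isRooted) blockSensitiveFlow("rooted-device")
    }

    /** Assumed response: disable the field; a real app would also report the reason to the MAS. */
    private fun blockSensitiveFlow(reason: String) { pin.isEnabled = false; pin.hint = "Blocked: $reason" }
}
```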

2. Runtime Application Self-Protection (RASP)

RASP provides a robust defense by embedding directly into the application’s runtime environment, offering real-time threat detection and mitigation:

  • Real-time Protection: RASP detects and blocks unauthorized access attempts by keyloggers in real-time.
  • Context Awareness: Integrated directly within the app, RASP can distinguish between legitimate and malicious actions.
  • Active Intervention: RASP actively intervenes during detected threats, potentially altering the application's operation to prevent data breaches.

3. Mobile Application Server (MAS)-Side Protections and User Education

  • Anomaly Detection and Rate Limiting: Implementing these on the server side can prevent brute force attacks and detect irregular user behavior.
  • User Education: Educate users on the risks associated with third-party apps and emphasize the importance of downloading apps from reputable sources like the Google Play Store.

By understanding that both rooted and non-rooted devices are susceptible to advanced threats, adopting a comprehensive security strategy that includes both proactive and reactive measures is crucial. This multi-layered approach ensures the security of mobile banking applications against the sophisticated tactics employed by cybercriminals, protecting individual users and larger financial systems from significant threats.
