Supply Chain Attack Trends Involving Apps and Extensions

Then, where was the problem?

• The malicious behavior came from the update to the app, which was downloaded on millions of Android phones.
• A group of malicious publishers with an intent to cause harm had bought the code and pushed a malicious update to each user using the application.

The bigger picture

• This supply chain attack—buying the software, along with their source code and pushing the malformed version—is a new technique that will likely grow in popularity among cybercriminals.
• This can enable attackers to skip the scrutiny process while executing the infected software on users’ systems without their knowledge.

A glance at some similar incidents

• In early February, Google removed the Great Suspender extension from Chrome Web Store for containing adware.
• Users of the extension noticed in October 2020 that new owners had installed updated code on users’ systems without notification - a code that behaved similarly to adware.
• In another incident, the China-linked TA413 threat actor group used an add-on named FriarFox to harvest data and log keystrokes from the Tibetan diaspora.

What’s more concerning?

• A researcher’s investigation revealed that a number of malicious apps present on the App Store are hosting a variety of scams. Most of these apps followed a common formula, which includes fake reviews and ratings to boost the status on the App Store and lure in more victims.
• One of the most prevalent suspects is an app called KeyWatch, which is a copy of the original FlickType Apple Watch keyboard typing tool.
• The scammed apps raked in millions for criminals across the world.

Conclusion