AlanB
6 min read · May 31, 2023

Preventing Living Off the Land Attacks on iOS and Android Apps

For brands that rely on Android and iOS apps as a key part of their business (which is most brands today), protecting the information stored in or used by mobile apps is critical to protecting your intellectual property and ensuring a secure mobile experience for your users. For many organizations, mobile apps these days are the lifeblood of the business. Mobile apps contain a wide variety of valuable information that can be harvested or stolen, ranging from the user’s personally identifiable information (PII), financial info such as credit card numbers, payments and transaction data, network or identity information that can be manipulated to impersonate trusted entities, users and more. Mobile apps can also be reverse-engineered easily to learn exactly how to create perfectly crafted and highly credible attacks that can trick even the most vigilant and sophisticated users or cyber teams. And the scary thing is that hackers can conduct these nefarious activities simply by leveraging what is already in the app today. In fact, this is what’s known as a “Living off the Land attack”.

What Are Living Off the Land Attacks?

Living Off the Land (LotL) attacks on mobile apps are attacks that exploit software components, features, or tools already present in the target environment to carry out malicious activities. In the context of mobile apps, LotL attacks typically involve abusing built-in features of the app or mobile operating system (such as mobile permissions, intents, accessibility services, developer options, etc.) as well as free open-source toolsets (such as Frida, Magisk, ADB, decompilers, and many more) to carry out malicious actions. LotL attacks are often classified as “fileless” because they do not leave any artifacts behind, which also makes them very difficult to detect and prevent using traditional mobile app security approaches. The fact that attackers use existing app components to conduct their attacks does not mean that the damage stops there. LotL attacks can be used to enable new attack vectors or to create malicious artifacts like malware, trojans, and fakes/clones using methods like code injection, swizzling, hooking, dynamic binary instrumentation, and more. Attackers often use LotL attacks as launchpads that allow them to acquire even more powerful attack capabilities or open doors to more harmful attack methods. This is why it’s so important to understand LotL attacks and prevent them from happening in the first place. So keep reading to learn how to do just that. But first, let’s start by exploring a few examples of LotL attacks and understanding their approaches and methods.

Reverse Engineering

One of the first things most hackers will do before starting an attack campaign is research how the app works by reverse engineering it, using static analysis and dynamic analysis. With static analysis, attackers analyze the app’s source code and control flows (app logic) to understand what the code does and how the app works, without running the app. Dynamic analysis involves executing the app and interacting with it using tools such as debuggers, emulators, and virtualized environments to observe, analyze or tamper with the app or its workflows using many different techniques.

Hard-Coded Data

Many mobile apps ship with default credentials, such as usernames and passwords, that are easy to guess or already known to attackers. Other times, developers hard-code sensitive information into the app’s code or store it as plain-text resources known as ‘strings’. Attackers can easily find such information using standard pen testing or static analysis tools such as decompilers or disassemblers, especially if the application code and strings are not obfuscated or encrypted.
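Defenders can run the same static analysis on their own build before an attacker does. The scanner below is an added example, not code from the original post or from Appdome: it walks a constructed sample of decompiled output (the hypothetical `SAMPLE_LINES` list, mixing strings.xml values, Smali `const-string` instructions and Java source) and flags default credentials, credential-looking assignments, one well-known key format, and long high-entropy string literals that are likely embedded secrets.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample of decompiled output (strings.xml values, Smali
# const-string instructions, Java source). Not taken from any real app.
SAMPLE_LINES = [
    '<string name="app_name">DemoBank</string>',
    '<string name="api_base">https://api.example.invalid/v1</string>',
    'const-string v0, "admin"',
    'const-string v1, "Passw0rd!"',
    'String apiKey = "AKIAEXAMPLE000000000";',
    'private static final String TOKEN = "c2VjcmV0LXRva2VuLWRvLW5vdC1zaGlw";',
    'const-string v2, "9f86d081884c7d659a2feaa0c55ad015"',
    'Log.d("Net", "request sent");',
]

# Rule 1: known key formats and assignments whose name says "credential".
PATTERN_RULES = [
    ("aws_access_key_id", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("credential_assignment", re.compile(
        r'(?i)(password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*"([^"]{6,})"')),
]
# Rule 2: literals that are themselves common default credentials.
DEFAULT_CREDENTIALS = {"admin", "password", "passw0rd!", "root", "123456", "changeme"}
# Rule 3: long, random-looking literals (keys, tokens, hashes) that are not URLs.
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 3.5  # bits per character; hex/base64 secrets sit above this
LITERAL_RE = re.compile(r'"([^"]+)"|>([^<>]+)<')
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    literal: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Apply the three rules to each line and return all findings."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, rx in PATTERN_RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(no, rule, m.group(0)))
        for m in LITERAL_RE.finditer(line):
            lit = m.group(1) or m.group(2)
            if lit.lower() in DEFAULT_CREDENTIALS:
                findings.append(Finding(no, "default_credential", lit))
            elif (len(lit) >= ENTROPY_MIN_LEN and not URL_RE.match(lit)
                  and shannon_entropy(lit) >= ENTROPY_THRESHOLD):
                findings.append(Finding(no, "high_entropy_literal", lit))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule}: {f.literal}")
```

Run it over the output of a decompiler (apktool, jadx) for a release build; anything it flags is something an attacker with the same tools will also find, so it belongs in a secrets store or behind the server, not in the binary. The entropy threshold is a heuristic and will miss short or low-entropy secrets, which is why the wordlist and assignment rules run alongside it.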

Man-in-the-Middle (MitM) Attacks


Mobile MitM attacks target the connection between a mobile app and the server it connects to. Hackers use many methods to achieve MitM attacks, including attaching proxies to insecure network or WiFi connections, exploiting stale session IDs, using fake or forged SSL certificates, and more. Using these kinds of attacks, attackers can intercept data transmitted between an app and its server, allowing them to access and manipulate the data. They can also use MitM attacks to impersonate or masquerade as a ‘trusted’ party on either or both ends of the connection.
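The standard defence against forged certificates is public key pinning: the app accepts a server chain only if one of its certificates carries a public key the app already knows. The code below is an added example, not from the original post or from Appdome; it computes pins in the format Android’s network security config uses (base64 of the SHA-256 of the DER SubjectPublicKeyInfo), checks a chain against a pin set that includes a backup key, and renders the matching `network_security_config.xml`. The SPKI byte strings and the domain are constructed placeholders, not real keys.

```python
import base64
import hashlib
from typing import Iterable


def spki_pin(spki_der: bytes) -> str:
    # Android network security config (and HPKP) pins are
    # base64(SHA-256(SubjectPublicKeyInfo in DER form)).
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_is_pinned(chain_spki_der: Iterable[bytes], pins: set) -> bool:
    # Accept only if some certificate in the chain the server presented
    # carries a pinned key. An interception proxy re-signs the leaf with
    # its own CA, so the leaf's SPKI changes and its chain never matches,
    # even when the user was tricked into trusting the proxy CA.
    return any(spki_pin(der) in pins for der in chain_spki_der)


def render_network_security_config(domain: str, pins: Iterable[str], expiration: str) -> str:
    # Android requires a backup pin in the set; the expiration date makes a
    # forgotten rotation degrade to normal CA validation instead of bricking the app.
    pin_lines = "\n".join(f'            <pin digest="SHA-256">{p}</pin>' for p in sorted(pins))
    return f"""<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">{domain}</domain>
        <pin-set expiration="{expiration}">
{pin_lines}
        </pin-set>
    </domain-config>
</network-security-config>"""


# Constructed placeholder SPKI blobs (hypothetical; real ones are DER-encoded keys).
LEAF_SPKI = b"constructed-spki-of-current-server-leaf-key"
BACKUP_SPKI = b"constructed-spki-of-backup-key-kept-offline"
INTERMEDIATE_SPKI = b"constructed-spki-of-public-ca-intermediate"
PROXY_LEAF_SPKI = b"constructed-spki-of-leaf-minted-by-proxy"
PROXY_CA_SPKI = b"constructed-spki-of-interception-proxy-ca"

PINS = {spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)}
LEGIT_CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]          # normal handshake
MITM_CHAIN = [PROXY_LEAF_SPKI, PROXY_CA_SPKI]         # proxy-forged chain
ROTATED_CHAIN = [BACKUP_SPKI, INTERMEDIATE_SPKI]      # after key rotation to the backup

if __name__ == "__main__":
    print("legit chain accepted:", chain_is_pinned(LEGIT_CHAIN, PINS))
    print("forged chain accepted:", chain_is_pinned(MITM_CHAIN, PINS))
    print("rotated chain accepted:", chain_is_pinned(ROTATED_CHAIN, PINS))
    print(render_network_security_config("api.example.invalid", PINS, "2025-12-31"))
```

To compute a real pin for your server key, extract the SPKI from the certificate with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`; pin the key, not the certificate, so routine certificate renewals with the same key do not break the app. Keep the backup key offline and rotate before the expiration date.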

Jailbreaking & Rooting

Jailbreaking and rooting are methods by which the attacker escalates privileges to access the underlying OS and file system. Jailbreaking and rooting make it easier for the attacker to compromise any app or to disable/bypass existing security measures.


Mobile App Permission Abuse

Mobile apps require users to grant specific permissions to access features or data on the device. Attackers use malware to exploit permissions by tricking users into allowing permissions to OS features or resources like the camera, microphone, contacts, location, and much more, which the malware can then use for its own malicious purposes or to gain access to privileged resources.


Abusing Accessibility Services

A growing trend among banking trojans and other malware is the abuse of existing OS features like Android AccessibilityService to improve the effectiveness of their attacks. For example, the BrasDex malware variant, which targets mobile banking apps in Brazil, is capable of carrying out devastating attacks, including entering data on users’ behalf without any user involvement. Among other capabilities, the malware uses Android AccessibilityService to make unauthorized transactions by moving through the banking app’s screens and entering the recipient’s data automatically. The transactions don’t raise suspicion because they are performed through a legitimate service, straight from the user’s own account.

The National Institute of Health conducted one of the most extensive studies of the ways Accessibility services are abused and in particular how such attacks use LotL techniques to evade detection and cover their tracks.
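Both the permission-abuse section and this one come down to what an APK declares in its manifest, which is why a manifest audit belongs in the release pipeline: on your own app it shows the permission footprint a LotL attacker could borrow, and on a suspect clone or fake it shows whether the package requests an accessibility binding or overlay rights it has no business asking for. The audit below is an added example, not code from the original post or from Appdome; it parses a constructed `AndroidManifest.xml` for a hypothetical app and reports dangerous-level permissions, special permissions that banking trojans typically lean on, and any service registered as an accessibility service.

```python
import xml.etree.ElementTree as ET

# ElementTree Clark notation for the android: attribute namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android's dangerous-protection-level permissions.
DANGEROUS_PERMISSIONS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG", "android.permission.READ_EXTERNAL_STORAGE",
}
# Special permissions granted through settings screens rather than runtime
# prompts; overlays, accessibility and device-admin are the usual malware toolkit.
SPECIAL_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed manifest for a hypothetical app; not taken from any real package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demobank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="DemoBank">
        <activity android:name=".MainActivity" android:exported="true"/>
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
            android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def audit_manifest(xml_text: str, allowed_dangerous=frozenset()) -> dict:
    """Report risky declarations; allowed_dangerous lists permissions the
    app's threat model justifies (e.g. CAMERA for cheque capture)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    accessibility_services = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if any(a.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION for a in s.iter("action"))
    ]
    return {
        "dangerous": sorted((requested & DANGEROUS_PERMISSIONS) - set(allowed_dangerous)),
        "special": sorted(requested & SPECIAL_PERMISSIONS),
        "accessibility_services": accessibility_services,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, allowed_dangerous={"android.permission.CAMERA"})
    for key, values in report.items():
        print(f"{key}: {', '.join(values) if values else '-'}")
```

Feed it the manifest that `apktool` or `aapt2 dump xmltree` recovers from the built APK rather than the source tree, since merged library manifests add permissions the developers never typed. Treat an unexplained accessibility service or `SYSTEM_ALERT_WINDOW` in a package that imitates your brand as a strong clone/fake indicator.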

How to Prevent LotL Attacks

Mobile app security, together with protection against mobile malware and mobile fraud, is a fundamental requirement that every mobile app dev and cyber team should implement to protect mobile users, mobile data and the application itself from being compromised or attacked. But Living Off the Land attacks on mobile apps can be challenging to detect and prevent because they use legitimate components and features of the app or the device, and because they are extremely dynamic and highly customized to the target environment. On top of that, hackers capitalize on the explosion of innovation in the way apps are developed, often using the same tools and automation techniques that developers use to build, deliver and test apps.

Modern Dev and Cyber teams realize that the only effective way to stay ahead of Living Off the Land attacks is by automating mobile app security. Here at Appdome, we call what we do Cyber Defense Automation, and it all starts with a single platform to automate the process of implementing mobile app security features directly into mobile applications without any coding or dev work. Another important consideration is the need for a “system of record” to track, audit, and version control the security model all within existing toolchains and workflows developers use to build, test, and deliver mobile apps inside the CI/CD development pipeline.


ALAN BAVOSA is VP of Security Products at Appdome, a no-code cyber defense automation platform for mobile apps.