ESET researchers warn that augments mobile applications plus open source platforms like Google’s open could be a recipe for clever malware to come, in a recent security post.
Currently, Google only requires developers to make a onetime payment of $25 and within 24 hours they can have an application in the Google Play Store compared to Apple which requires a yearly license which costs more than $100 and a vetting period of up to two weeks.
Although researchers applauded Android 7.0 Nougat for what they described as remarkable improvements in mobile security researcher still said that Google would benefit from better vetting and there are still things developers need to take into consideration when developing applications for these platforms.
Researchers warned that the low barrier of entry for developers could provide even more attack methods as augmented reality application which offer more features and may request more permissions presenting more opportunities for cybercriminals to exploit existing applications with weak APIs or for cybercriminals to upload their own malicious apps themselves.
This could open the doors to ransomware that is more convincing and other new attack methods, according to ESET Security Researcher Cameron Camp.
“We’ve long posited ransomware hitting automobiles computer systems, the same could be said of AR in mobile,” Camp said. “If there’s a way to stick scary messages on the screen that will prompt a user to pay, it will happen.”
He said that users aren’t thinking about security in an augmented reality context, so with their guard down its easier for attackers to make their move.
“For every new use of a technology, scammers try to find the “killer app” that they can exploit, whether it be breaking Java as an entry point to your computer, dumping ransomware on the mobile, or using IoT devices for a mass DDoS, camp told SC Media. “Expect scammers to start playing with proof-of-concepts to attack AR apps until they find the sweet spot, then the doors will be open once again but on a new target.”
To combat these threats, researchers recommend that developers watch their API as it is often overlooked from a security standpoint in the rush to market, but promoted to other developers as a clever way to interact with your app.
“Scammers love busted API security,” he said adding the programmatic low level access can allow other applications to run amok, and lead to security exploits.
Researchers said developers should design a security model that is inherent in the development process and will be factored into the process whenever developing new applications. Currently only a few applications have mandated security standards and many developers aren’t concerned about running vulnerability assessments and code auditing from independent experts before releasing their products public, researchers said in the post.
Researches also recommend developers check advertising libraries for unsafe API’s that could be exploited to install malware.
Until developers start to take these risks more seriously researchers recommend consumers do their part to ensure their safety by monitoring product reviews and only buying from official app stores.
“Trying to get a paid app “free” from a third party site may also mean you’ll load a lot more than you bargained for, whether advertisements, information theft or backdoors for later use,” Camp said. “Of course, security software is having quite a spike on the platform to combat these situations.”