Threat Intelligence Blog

Posted April 28, 2014

Although most businesses only authorize their mobile applications to be distributed on legitimate stores such as iTunes and GooglePlay, you can find thousands of rogue and unauthorized versions on third-party storefronts. But just how pervasive is this problem?

To find out, Cyveillance Security Labs’ researchers looked at 200 different brand and product names and their variations across more than 100 different storefronts. We found a raw total of 14,415 unique versions of those brands over one month. Even after we adjusted for possible “legitimate” versions, i.e., versions that were officially authorized to be distributed, we found 13,666 different rogue mobile app URLs, defined as the exact URL or link that leads someone to the app on a storefront (i.e.,

Cyveillance also found that the third-party storefronts offering rogue versions of legitimate apps often had advertisements that contained malware, too, also known as malvertising. Like rogue apps, these ads trick users into clicking on offers that appear to be from trusted brands, but then prompt them to download files that actually contain malware.

What is Malvertising?

As Blue Coat Security‘s latest report on mobile malware discusses, malvertising occurs when legitimate ad networks unwittingly direct users to malicious sites or serve ads that have malicious code. One reason that malvertisments are so prevalent on third-party mobile app storefronts is that they often have little or no oversight.

Additionally, many third-party storefronts do not have permission to distribute legitimate mobile apps, so these ad networks are their source of revenue. Incorporating malware in seemingly unaffiliated advertisements on their storefront pages allows criminals to steal user information to sell or exploit it without being directly traced back to the storefront. Many times, as shown in our example below, the ads seem connected to downloading the app and can be very hard to spot.

How Prevalent is Malvertising?

The Blue Coat Security report found that malvertising made up about 20 percent of all infections on devices where they were detected. That percentage is not surprising, as 20 percent of mobile malware in 2013 came from users clicking on compromised ads on mobile storefronts and the web. This rate is about triple the rate it was in November of 2013, when malvertising accounted for about 6 percent of mobile malware.

Statistics from McAfee Labs Threats Report: Fourth Quarter 2013 support the concern that malvertising is a growing threat vector. McAfee identified 3.73 million total pieces of mobile malware in 2013, a 197 percent increase of total samples compared to 2012.

However, in the big picture, malvertising is still a growing trend, not the top threat. Although the percentage of malvertising is climbing, in the big picture it still only accounts for 1 percent of all malware threats, according to Cisco.

Our Findings

We conducted additional research, taking a closer look at a third-party storefront where we had discovered one of the 13,666 unique rogue mobile app URLs, and found malware hidden in an ad that was located above the “download” icon for the app.

Cyveillance randomly chose just one of the URLs from the thousands of rogue apps it found. Although the download button appeared to be directly related to the app being offered, it was really an ad. Once we clicked on the “download” icon we were brought to another third-party site, where we were asked to download and install a “virus detector”. As it turned out, the so-called virus detector actually included a malware component itself, which we discovered when we downloaded it and analyzed it in our labs.

The screenshot below shows another app located on a different third-party storefront. The top part of the display is actually an ad that leads away from the third-party storefront onto another site. This sample illustrates how easily a user can be tricked into downloading files that contain malware, especially if this ad is seen on a 3.5″ screen.


This sample is extremely common, as almost all third-party storefronts make money from ads that use Flash content that can easily hide malware.

In order to avoid having your good brand name being used by criminals to proliferate malware, Cyveillance suggests the following:

  • Monitor where your apps are being distributed to be sure they are not being distributed on third-party storefronts that may spread malware
  • Have your apps removed immediately from third-party storefronts that do not patrol for malware
  • Educate your customers to not download any versions of your app that are found on third-party storefronts, and to go to your primary website or an authorized app store instead to download them

Even if your organization has not yet officially deployed a mobile application, you may be surprised to find the number of apps already available on third-party storefronts using your brand name.

Find out how our Mobile Application Monitoring Solutions can help you manage your mobile apps more effectively and prevent unauthorized or malicious applications.

Additional Posts

Heartbleed: Raised Consciousness for Other Vulnerabilities

Heartbleed has been a hot topic for the past few weeks. Heartbleed refers to a bug in the ...

Social Media and Regulatory Compliance: Is Your Company Protected?

By Camille Stewart Proofpoint hosted an excellent webinar a few weeks ago on "Tweets, Feeds, & ...