As a follow up to our BlackHat EU 2015 presentation about benign applications not securing user data in the cloud (Backend-as-a-Service) we also looked into malicious applications whether we can find similar data leakages. In a collaboration with McAfee Security Lab (Intel Security Lab) we analyzed 294,817 malware-laden mobile apps and found that 16 of them are connected with vulnerable Backend-as-a-Service instances implemented in Facebook Parse. Since the malware authors did not secure the backend (BaaS-backend) securely we had access to the complete database including Command&Control (C&C) communications and tasks for victims. This gave us very interesting insights about current state-of-the-art C&C communication/protocols in the context of mobile malware.
The results were presented at VirusBulletin 2015 and AVAR 2015. More details can be looked up from our whitepaper and the corresponding slides. This project is also part of McAfee’s Q4 Threat report.
Media report:
- Darkread [12/15/2015]