Threats to Physical Safety in APIs and Mobile Apps

As if having a vulnerable application running on a mobile device was not enough, cyber criminals have also developed an affinity for attacking application programming interfaces (APIs). Over the last year, API attackers have grown so sophisticated that they are blending into normal human traffic patterns.

Spyware, also known as stalkerware, is also growing increasingly common. The combined vulnerabilities not only put mobile device security at risk but also pose physical threats to users.

According to cybersecurity and antivirus software provider Kaspersky, commercially available spyware—software that is actually legal—is commonplace, though often unwanted and unknown by the affected user.

An attacker who is able to access personally identifiable information and geo-location poses an obvious cyber risk, but the availability of GPS data also puts victims of domestic abuse or persons of interest at an elevated risk of physical attack.

What APIs Reveal to Potential Attackers

According to OWASP, APIs are a critical part of mobile and web applications in every industry from banks, retail and transportation to IoT, autonomous vehicles and smart cities. APIs are simply sets of definitions, protocols and tools that enable systems to speak to one another. Apps and websites that need to communicate with third-party software to fulfill their purpose to the end user often use APIs to do so.

APIs “can be found in customer facing, partner facing and internal applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers.”

Attackers have discovered that car owners who install hardware GPS tracking devices in their vehicles are relatively easy targets. It’s estimated that tens of thousands of cars have vulnerable GPS trackers installed, which could be highly lucrative for hackers. These devices are accessed and managed using mobile apps, such as the iTrack and ProTrack apps, both of which were hacked earlier this year.

APIs create multiple vulnerabilities, according to Dmitry Sotnikov, vice president of cloud platform at 42Crunch. Whether it’s in web apps or mobile apps, APIs are everywhere, and attackers who know this have started using APIs as their vector of choice.

Users have grown reliant on GPS location information and increasingly want to see that data. Having a GPS locator in your car helps you find it in the event of a theft. Smart devices are able to access that information, and consumers are willingly using it, but too often they rely on default passwords to secure that data.

“The information has to be transmitted to the phone or web app through APIs or the cloud system that the vendor is providing, but the vendors aren’t doing a good job of securing those APIs,” Sotnikov said.

If those APIs are breached, attackers could access GPS location information. “An attacker could get car and owner information including location, owner name, phone number, address, model, make, IMEI number. In some cases, an attacker could even send certain models commands such as ‘kill engine’,” wrote in an April 2 blog post.

Understanding Stalkerware

In the same way that APIs are everywhere, it’s not uncommon for spyware to be marketed as a tool for parents who are keeping a watchful eye on their children via mobile devices. However, Malwarebytes’s David Ruiz said, “these apps are commonly used against survivors of domestic abuse. It serves as no surprise. Stalkerware coils around a victim’s digital life, giving abusive partners what they crave: control.”

Stalkerware programs by nature are aggressive. As such, they are typically not found or listed in the App Store or on Google Play. They can, however, be found with a quick internet search. “In some cases, a program’s download page specifically states the software is intended to be used for secretly spying on the user,” Kaspersky researchers noted.

These programs encourage users to enable the app’s installation, yet because they are hosted outside of Google Play, they often put devices at risk. “Enabling applications that cannot be found on Google Play makes an Android device vulnerable to malware and goes against Google’s security policies,” according to researchers.

In addition, if a user attempts to discover whether spyware is actually running on a mobile device, the search – on the mobile device with the spyware installed – could actually tip off the attacker. According to Malwarebytes, signs that a device could be running stalkerware include a quick loss of battery life, increased data usage and extended response time.

Malwarebytes added that a new study by the University of Toronto’s research and public policy project, CitizenLab, identified stalkerware apps in the U.S., Canada, and Australia. The most popular are FlexiSpy, Highster Mobile, Hoverwatch, Mobistealth, mSpy, TeenSafe, TheTruthSpy, and Cerberus.

Know the Apps on Your Phone

Though a person needs physical access to the device in order to install the stalkerware, Kaspersky said installation can be done rather easily by downloading the software from a distributor’s website.

“In 2018, Kaspersky Lab products detected stalkerware programs on 58,487 unique mobile devices—proving the severity of the threat. While it seems hard to even imagine that such a blatant privacy invasion can be so common and easily accessible, stalkerware programs have been exposed and publicly criticized multiple times. Yet, in most countries their status remains vague.”

In order to mitigate the risks of an unwanted actor accessing personal information, including your physical location, it’s critical that mobile device users know the apps that are on their devices. Users should change all default passwords and use unique complex passphrases for each application.
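One way to act on the advice to know what is installed, given that stalkerware is typically hosted outside Google Play: the added example below (not from the original article) flags third-party Android apps whose recorded installer is not the Play Store. It assumes the inventory was captured with `adb shell pm list packages -i -3` in the `package:<name>  installer=<name>` format; the sample output and package names are constructed.

```python
import re

# Installer package names treated as the official store
# (assumption: only Google Play, com.android.vending, is trusted).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i -3` output
# (third-party apps with their installer); package names are made up.
SAMPLE_OUTPUT = """\
package:com.example.banking  installer=com.android.vending
package:com.example.sync.service  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
package:com.example.maps  installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def find_sideloaded(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer) pairs not installed by a trusted store."""
    flagged = []
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or unrecognised lines rather than guessing
        installer = match.group("installer")
        if installer not in trusted:
            flagged.append((match.group("pkg"), installer))
    return flagged


if __name__ == "__main__":
    for pkg, installer in find_sideloaded(SAMPLE_OUTPUT):
        print(f"review: {pkg} (installer: {installer})")
```

A flagged package is a prompt for review, since legitimately sideloaded apps and some vendor app stores also show a non-Play installer.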

Article Written by Kacy Zurkus