This post is from the Arxan blog and has not been updated since the original publish date.
Using real-time threat analytics to thwart a serial app attacker
How Arxan helped shut down continuous reverse engineering attack
Operating in the Dark
It started after releasing an app update. A few days after deploying an update to the app store, a copycat version of a prominent financial transaction app appeared. The fraudulent app looked like the real thing, duping users into downloading it instead. Each time the copycat app was discovered and removed. And each time the company updated its legitimate app, a fraudulent one would appear.
The company was unable to determine how the attackers were able to reverse engineer their app or identify the source of the attacks. Attempts to mitigate the attacker’s exploits failed. The business suffered: user adoption failed to materialize, the fraudulent app tarnished the business’ reputation and brand, confused users and impacted revenue.
Copycat Attacks: This type of attack is accomplished by reverse engineering the app in question, exposing the source code of the app or revealing functional endpoints and logic, with the goal to monetize the copycat app. Once an app has been reverse engineered, it can be loaded with malware or fraudulent code and redistributed via the app store to unsuspecting end users. Once downloaded end users can have their credentials stolen, be redirected to fraudulent websites or presented with ads — all designed to enrich the attacker.
Seeing the Light
Without visibility into the attacks on the app in the wild, the company had no way to pinpoint the source of the threat or optimize its defenses to stop it.
Enter Arxan Threat Analytics.
After implementing Threat Analytics, the business had real-time data showing how attackers were targeting their application. With detailed visibility into the techniques and processes the attackers used to reverse engineer the app, the business was able to create an effective defense strategy.
Dissecting the Attack
Threat analytics provided detailed visibility into the techniques and processes the attackers used to reverse engineer the app. The developers used this information to create an effective defense strategy.
On the newly protected app, threat data analysis revealed the attacker first ran the app on a rooted device, familiarizing themselves with its operation. They then attempted an initial attack by manipulating or replacing resource files. When these approaches did not work because of the new protection mechanisms, the attacker moved on and tried to inject code into the binary before resorting to hook processes to exfiltrate the data. These methods were all unsuccessful because of the improved protection, but being able to track the anatomy of an attack in this way is crucial for remediating it immediately and to stay ahead of future attacks.
Being able to rapidly identify the methods used by attackers allowed the business to immediately shut down attackers. Learning how and where in the code the attacker targeted the app provided the security development team insight into where they needed to spend their resources to stop future attacks.
The secondary benefit of knowing where the app was being attacked also revealed where it wasn’t. This attack data enabled the security team to fine-tune performance and deliver a better user experience without having to make protection trade-offs.
Beyond knowing what was happening to the app and where to harden its security, the business also used the threat analytics service to identify specific user accounts associated with the attacker. App-specific data from Threat Analytics combined with user records known to the business allowed the attackers to be identified and have their accounts blocked.
Additionally, other accounts were blocked that displayed malicious behavior and showed signs of originating in an untrusted environment. Any transactions originating from these accounts were flagged to require additional verification steps for account activity to be allowed.
The Bottom Line
Since introducing Arxan, the copycat apps have stopped, and the business can now serve its customers as intended. App adoption has improved, along with the business’s brand image, revenue and customer satisfaction. Arxan Application Protection with Threat Analytics helps assure the business is protected through focused app protection improvements.