Experts said expired domains are often purchased with the intent of advertising, but researchers noted these domains and abandoned SDKs present an opportunity for threat actors to target mobile users.
Zhi Xu and Tongbo Luo, researchers for Palo Alto Networks Inc., based in Santa Clara, Calif., described the risks during a talk at the Virus Bulletin International Conference in Denver. According to Xu and Luo, many third-party app software development kits (SDKs) have been abandoned, but the apps that embed them are still available to users. These apps will keep attempting to contact command and control servers at domains that have since expired, and those domains can be re-registered and repurposed for malicious activity.
"Hundreds of these SDK companies were startups existing at one time, but many of these startups died, and no one is maintaining this infrastructure. A large part of this infrastructure is unmaintained," Xu said at the conference. "If unmaintained, the apps including these SDKs will try to talk to the master server for instructions and get no response. As domains expire, attackers can take over these domains and infrastructure, and [then] send malicious instructions and content."
The researchers described these expired domains as zombies. They studied 2.8 million Android apps that contacted 575,000 unique root domains; 65,000 of those domains were considered zombies, and 33,000 of the expired domains were available for purchase. If one of those expired domains were bought with malicious intent, the original communication channel could, in some cases, be reactivated with the same privileges the SDK already holds inside the app.
James Pleger, director of threat and security research at RiskIQ, based in San Francisco, said he sees this type of takeover every day.
"Most times, these domain takeovers aren't malicious, but focused on advertising. However, there have been some confirmed cases of bad actors taking over expired domains to inject malicious code into webpages," Pleger told SearchSecurity. "From the perspective of mobile, this likely isn't the first step an attacker would take, but given a sophisticated-enough attacker, this is a very plausible scenario. Understanding an enterprise's attack surface, in addition to the resources that they own, is critical to preventing these types of attacks."
Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity the risk of such an attack may be relatively low.
"While this does pose some interesting questions on abandonware applications and domains, it's also likely that these applications don't have a huge number of current users," Arsene said. "Hence, the chances of having these domains used by malicious attackers to infect a large pool of users are relatively small."
Pleger said security companies do scan for misused domains, which leverage "trusted brand names to drive monetizable traffic to other sites, phish for sensitive data, distribute malware, sell counterfeit goods and more."
"By searching WHOIS registrations and passive DNS [domain name system] data, you can identify third-party-owned domains, and then intelligently distinguish between company-owned versus infringing domains and subdomains, and thus detect any malicious redirect and other illicit behaviors from multiple geographic locations and browser types -- just as a real human user would," Pleger wrote in an email. "This can provide the additional context needed to determine how threat actors may be using each domain and the risk it poses to the associated organization."
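The triage the researchers describe (reducing an app's hard-coded URLs to root domains, then separating domains that are dead from domains whose registration has lapsed and can be bought by anyone) and the registration lookup Pleger describes can be combined into a small script. The following is an added example, not tooling from Palo Alto Networks or RiskIQ. The sample strings and hostnames are constructed; the live registration check assumes the public RDAP bootstrap at rdap.org is reachable (RDAP is the structured successor to WHOIS), and both lookups are injectable so the classification can be run offline against stubs.

```python
"""Triage the domains an app talks to: live, zombie (registered but dead),
or available (unregistered, so a third party could take it over).

Added example; hostnames below are invented and the rdap.org endpoint is an
assumption about a public service, not something the article names.
"""
import re
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: strings an analyst might pull from an APK's SDK
# constants, network config and hard-coded URLs.
SAMPLE_STRINGS = [
    "https://api.adsdk-example.com/v1/config",
    "http://cdn.adsdk-example.com/banner.js",
    "https://track.old-analytics-example.net:8443/event",
    "https://www.google.com/",
    "not a url at all",
    "https://update.zombie-sdk-example.org/manifest.json",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Tiny stand-in for the Public Suffix List; real tooling should use the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def root_domain(host):
    """Reduce a hostname to its registrable root, e.g. api.x.com -> x.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_hosts(strings):
    """Map each root domain to the set of hostnames seen under it."""
    hosts_by_root = {}
    for s in strings:
        for url in URL_RE.findall(s):
            host = urlsplit(url).hostname  # strips scheme, port and path
            if host:
                hosts_by_root.setdefault(root_domain(host), set()).add(host)
    return hosts_by_root


def dns_resolves(host):
    """True if the hostname still has an address (A/AAAA) record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def rdap_registered(root):
    """Registration check via the rdap.org bootstrap (assumed reachable).
    RDAP answers 404 for a domain nobody holds, which is the takeover case."""
    req = urllib.request.Request(
        f"https://rdap.org/domain/{root}",
        headers={"Accept": "application/rdap+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


@dataclass
class Finding:
    root: str
    resolves: bool
    registered: bool

    @property
    def status(self):
        if not self.registered:
            return "available"  # re-registrable: C2 channel can be revived by anyone
        if not self.resolves:
            return "zombie"  # still held, but no host answers; watch for expiry
        return "live"


def triage(strings, resolve=dns_resolves, registered=rdap_registered):
    """Classify every root domain found in the strings; returns {root: status}."""
    findings = []
    for root, hosts in sorted(extract_hosts(strings).items()):
        # A root may lack its own A record while api.<root> still answers,
        # so the domain counts as resolving if any observed host does.
        findings.append(Finding(root, any(resolve(h) for h in hosts), registered(root)))
    return {f.root: f.status for f in findings}


if __name__ == "__main__":
    for root, status in triage(SAMPLE_STRINGS).items():
        print(f"{status:9s} {root}")
```

"Available" is the finding that matters most: anyone can register that domain and the app will start taking instructions from it again. A "zombie" is a domain somebody still pays for but nobody serves; it is the one to keep on a watchlist, since it becomes "available" the day the registration lapses.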
Arsene noted it might be more difficult to find a risky expired domain, depending on the malicious activity perpetrated via that domain.
"If, for instance, one of these applications starts redirecting the user's browser toward websites that have been known to disseminate malware, the security solution would be able to warn the user about a potential threat," Arsene said. "However, if the [command and control server] is being used to simply collect the information from victims via these apps, that's an entirely different story."
In September, Apple announced a new policy to remove abandoned apps from its iOS App Store in order to ensure apps are "functional and up to date." It is unclear if the risks of expired domains played a part in this decision. Apple had not responded to questions at the time of this post. Google also did not respond to questions about its policy to remove abandoned apps from the Google Play Store.
But Pleger and Arsene agreed this policy was a good first step to mitigating risk.
"Legacy and nonmaintained software is not only a security risk to users, but creates an issue with perception of the brand maintaining the app stores," Pleger said. "Given this, it makes absolute sense to sunset applications after a certain period of time if they aren't updated, or if there are significant vulnerabilities identified inside them."
Arsene noted this was a good start, but wouldn't completely remove malicious activity.
"Removing abandonware apps from marketplaces would be a first step toward preventing this from happening again. However, a similar process like the one vetting applications for malware could be set in place for vetting adware SDKs," Arsene said. "It's not the first [time] we've seen applications riddled with highly aggressive ads or, in this case, potential malware. While adware SDKs do provide revenue for app developers," the purpose of the SDK is to make it a simple matter of cutting and pasting when developers connect their apps to the services, meaning this has often been carried out with "little curiosity about what's being served to users."