Posted on February 23, 2018 at 4:51 PM
Hackers Now Sell Legitimate Code-Signing Certificates that Allow Malware to Bypass Security Detection
More and more code-signed apps are becoming available on app stores, making it increasingly difficult for most antivirus and anti-malware software to detect threats in new apps.
Security researchers have recently discovered that hackers are using a technique that turns on code-signing certificates: signing a malware-laden app with a valid certificate makes it far more likely to evade detection by the majority of antivirus and anti-malware products on the market.
Legitimate certificates for illegitimate use
This new trend was discovered by Insikt Group, a research division of Recorded Future. The researchers found that hackers have managed to obtain legitimate certificates directly from their issuing authorities, which they then use to sign malicious code.
Until now, the certificates used this way were mostly stolen from legitimate companies. Those stolen certificates, in turn, were used to lend a facade of legitimacy to malicious apps.
Code-signing certificates are used to bind an app, whether for a smartphone or a PC, to the identity of its publisher. A signature establishes trust between the user and the maker of the app: when the user opens a code-signed app, the operating system can show who the developer is and can detect whether the binary was altered after it was signed. Some operating systems, such as macOS and iOS, accept only code-signed apps by default to protect their users.
Code-signed apps go a long way toward persuading users to trust an app before installing it. Moreover, a valid signature makes it easier for an app to evade anti-malware software, because much of that software automatically trusts code-signed apps. According to Insikt Group, most security products are not equipped to scan code-signed apps for threats, as their scanning is significantly less effective once an app carries a valid signature.
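The distinction the paragraph above turns on, as an added example that is not from the article or from Recorded Future: a signature that verifies proves only that the file was signed by whoever holds the key for the attached certificate. Whether that signer is one you expect is a separate check, and it is exactly the check a validly issued but resold certificate defeats when a product treats "signed" as "trusted". The script assumes `openssl` is on PATH and uses self-signed certificates as stand-ins for CA-issued code-signing certificates; the signer names, file names and sample "binary" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: a code signature that verifies
# only proves "signed by the holder of this key"; whether that holder
# is one you trust is a separate decision, and it is the step a
# resold-but-valid certificate defeats if you skip it.
# Assumptions: openssl is on PATH; self-signed certs stand in for the
# CA-issued certificates the article describes; names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_signer NAME: key + self-signed cert, playing the role of a
# publisher's code-signing certificate.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        >/dev/null 2>&1
}

# sign_file NAME FILE: detached signature in FILE.sig; the signer's cert
# travels with the file in FILE.crt, as it does inside a signed binary.
sign_file() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
    cp "$WORK/$1.crt" "$2.crt"
}

# signature_valid FILE: exit 0 if FILE.sig verifies under FILE.crt.
signature_valid() {
    openssl x509 -in "$1.crt" -pubkey -noout > "$1.pub"
    openssl dgst -sha256 -verify "$1.pub" -signature "$1.sig" "$1" \
        >/dev/null 2>&1
}

# cert_fingerprint CERT: SHA-256 thumbprint, the value worth pinning
# (a CN is whatever the applicant asked the CA for).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# signer_cn CERT: subject CN, for human-readable verdicts only.
signer_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# assess FILE ALLOWED_FINGERPRINT...: the triage rule the article says
# many products get wrong. A valid signature is necessary, not
# sufficient; a good signature from a signer that is not on the
# allow-list is a finding, not a pass.
assess() {
    f=$1; shift
    if ! signature_valid "$f"; then
        echo "unsigned-or-tampered"
        return 0
    fi
    fp=$(cert_fingerprint "$f.crt")
    cn=$(signer_cn "$f.crt")
    for ok in "$@"; do
        if [ "$fp" = "$ok" ]; then
            echo "trusted:$cn"
            return 0
        fi
    done
    echo "signed-but-unexpected-signer:$cn"
}

# Constructed scenario: the vendor we expect, and a second, perfectly
# valid certificate bought from a reseller by someone else.
make_signer VendorCorp
make_signer ResoldCert
VENDOR_FP=$(cert_fingerprint "$WORK/VendorCorp.crt")

printf 'pretend this is a binary\n' > "$WORK/vendor.bin"
sign_file VendorCorp "$WORK/vendor.bin"

cp "$WORK/vendor.bin" "$WORK/resold.bin"
sign_file ResoldCert "$WORK/resold.bin"

cp "$WORK/vendor.bin" "$WORK/tampered.bin"
sign_file VendorCorp "$WORK/tampered.bin"
printf 'patched after signing\n' >> "$WORK/tampered.bin"

for sample in vendor resold tampered; do
    printf '%s: %s\n' "$sample" "$(assess "$WORK/$sample.bin" "$VENDOR_FP")"
done
```

The `resold` sample is the case in the article: its signature is cryptographically perfect, and a product that stops at `signature_valid` waves it through. Pinning on the certificate thumbprint rather than the subject name matters because a resold or fraudulently obtained certificate can carry any company name the buyer asked for; on macOS the equivalent identifier is the Team ID shown by `codesign -dv`, and on Windows the Authenticode signer thumbprint.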
Code-signed apps exploited
Hackers are now exploiting the trust placed in code-signed apps by offering code-signing certificates for as little as $299. That is not pocket money, but it is much cheaper than the legitimate route: obtaining a code-signing certificate from an issuing authority involves a vetting process to verify the applicant's identity, and the higher-assurance certificates carry price tags starting at $1,599.
According to the researchers, the certificates being sold were issued by leading certificate authorities such as Symantec (whose certificate business DigiCert acquired in 2017) and Comodo.
Apple certificates are also for sale.
Apple apps in the firing line
According to Cybereason security researcher and Mac malware specialist Amit Serper, even though macOS by default refuses to run programs that are not code signed, many hackers have found their way around it. For example, to distribute apps on Apple's App Store a developer has to apply for a developer account, pay a $99 fee, and justify the application to get their apps certified. Getting through this process is easy, however, because Apple is flooded with developers asking for certification.
Serper added that several fraudulent Mac and iOS apps containing malware are available. For example, he recently discovered Pirrit, adware that injects ads into the user's browser. According to Serper, Pirrit was code-signed, which allowed it to evade detection.
Insikt Group's researchers believe that the certificate authorities are unaware that their code-signing certificates are being abused. According to Recorded Future's director of advanced collection, Andrei Barysevich, the hackers obtained these certificates by using stolen company login credentials. Barysevich added that Recorded Future had no reason to believe the hackers received any inside help.
The researchers estimate that this campaign has been active for the last six months, during which the hackers sold more than 60 certificates.