M2: Inadequate Supply Chain Security



This is also a new addition to the list, and a welcome one.

Threat Agents: Application Specific

Attack Vectors: Exploitability AVERAGE

Security Weakness: Prevalence COMMON; Detectability DIFFICULT

Technical Impacts: Impact SEVERE
  - Data breach
  - Malware infection
  - Unauthorised access
  - System compromise

Business Impacts: Impact SEVERE
  - Financial losses
  - Reputational damage
  - Legal and regulatory consequences
  - Supply chain disruption

Causes:
  - Lack of security in third-party components
  - Malicious insider threats
  - Inadequate testing and validation
  - Lack of security awareness

Prevention:
  - Secure coding practices, code reviews and testing throughout the development lifecycle
  - Secure app signing and distribution process
  - Use only trusted and validated third-party libraries
  - Establish security controls for app updates, patches and releases
  - Monitor and detect supply chain incidents through testing and scanning

This weakness covers a number of potential entry points that enable an attacker to insert spyware or other malicious code, including backdoors, into an app. This could enable unauthorised access to sensitive data or even loss of control of the mobile device. A threat actor does not only consider weaknesses in your own app code; they will also look for weaknesses in any third-party libraries and controls that your app uses.

If you’ve ever added the Facebook SDK to an app, you may have noticed that your app was rejected for accessing platform features you had not requested / documented. Several years ago this component would quietly access Bluetooth without giving a reason, meaning that any app using it had to give Apple a reason for this, even though the developers didn’t know what that reason was.

There are also historical cases of the tools used for software development being compromised (Xcode, all the way back in 2015). Although this is an aeon ago in the tech world, it does highlight the need to consider all parts of the supply chain.

Lazarus Group infiltrates supply chain with stealthy malware

As if to highlight the criticality of considering this vulnerability, a recent report from SecurityScorecard’s Strike Team details a stealthy malware campaign orchestrated by The Lazarus Group.

A GitHub profile under the username “SuccessFriend” is suspected to be that of a Lazarus threat actor. Created as recently as July 2024, this appears to contain legitimate code repositories up until November last year, at which point malware repositories began to appear. The mechanism employed involved delivery of an obfuscated JavaScript implant referred to as Marstech1. The implant can be embedded into legitimate websites, software packages and even in NPM packages aimed at the cryptocurrency sector. The SecurityScorecard report notes that “it seems to be used in limited targeted attacks on the supply chain”.

The full report can be found here.
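The prevention items above ask you to use only validated third-party libraries and to scan for supply chain problems, and the campaign just described used NPM packages as one delivery route. The script below is an added example (not from the original post, SecurityScorecard or OWASP) of one such check: it audits an npm package-lock.json (lockfileVersion 2 or 3) and flags any dependency that has no integrity hash, was resolved from somewhere other than the public registry, or has no exact version recorded. The sample lockfile, package names and the trusted-host list are constructed for the demonstration.

```python
"""Audit an npm package-lock.json (lockfileVersion 2/3) for unverifiable dependencies."""
import json
from urllib.parse import urlparse

# Registry hosts we consider trusted (assumption for this example); git URLs,
# ad-hoc tarballs and anything else are flagged for review.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def audit_lockfile(lock: dict) -> list[str]:
    """Return one finding per dependency that npm cannot verify or pin.

    For each entry under "packages" (the v2/v3 layout; v1 "dependencies" is
    not handled here) we check that it:
      - carries an 'integrity' (SRI) hash, so the installed tarball is verified
      - was resolved from a trusted registry host rather than a git/http URL
      - records an exact version, so installs are reproducible
    """
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if "integrity" not in meta:
            findings.append(f"{name}: missing integrity hash")
        if host not in TRUSTED_REGISTRY_HOSTS:
            findings.append(f"{name}: resolved from untrusted source {resolved or '<none>'}")
        if not meta.get("version"):
            findings.append(f"{name}: no exact version recorded")
    return findings


# Constructed sample lockfile: one healthy registry dependency and one pulled
# straight from a git repository with no integrity hash.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-CONSTRUCTED_PLACEHOLDER_HASH"},
    "node_modules/wallet-helper": {
      "version": "0.0.1",
      "resolved": "git+ssh://git@github.com/example/wallet-helper.git#abc123"}
  }
}""")

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(finding)
```

In a real pipeline the same function would be fed the lockfile from the repository and the build failed on any finding, so an unpinned or unverifiable package never reaches a signed release.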

If you’ve not come across The Lazarus Group before, we heartily recommend this BBC podcast series: The Lazarus Heist.
