The banned apps could have been used for surreptitious activities:
When the Indian government on 29 June banned 59 apps of Chinese origin, including the highly popular TikTok, UC Browser, Weibo, and WeChat, the explanation given by the Ministry of Electronics and Information Technology was that it had received “many complaints from various sources, including several reports about misuse of some mobile apps available on Android and iOS platforms for stealing and surreptitiously transmitting users’ data in an unauthorised manner to servers which have locations outside India.”
It added that the blockage is to safeguard the “sovereignty and integrity of India” and that several citizens had reportedly raised concerns in representations to the Indian Computer Emergency Response Team (CERT-In) regarding the security of data and loss of privacy in using these apps. Obviously, the Government did not mention the standoff with China on the borders is the reason for the ban.
How do Indian CISOs react to this crucial decision? Most of them believe this is a very bold move by the government to ensure the safety and sovereignty of Indian cyberspace. In fact, some of them want further steps like Akhil Verma, CISO, Airtel Payments Bank, who said there should be greater scrutiny of companies, device makers, and other apps which is having exposure to China, which may trigger reactive attacks.
RELOOK AT OTHER AREAS
He pointed out that the Government of India had permitted China for many years to invest in critical infrastructure in India and now that country has keys to such infrastructure and through this, the country can exert influence over the financial sector as well.
Pointing out that nowadays, no country can afford to have physical wars, Akhil says war is now in the form of cyber, trade, and potentially supply chain conflicts. “China has a great investment in Indian companies, and these should be under strict scrutiny, especially the tech platforms,” he adds.
He is of the view that the most malicious activity these banned apps would have been doing is a breach of data privacy. “While installing these apps, most of the users do not bother about the permissions sought by the apps and mechanically grant them. Obviously, the user is compromising his privacy,” he adds.
REAL RISKS REALIZED
Milind Mungale, CISO, NSDL eGovernance Infrastructure, offers a more elaborate view. Says he: “As CISOs, we don’t really know the implications. Never ever was any kind of advisory given, except some by the government and the Department of Defence. The Blue Whale game would target people with weaker psychological profiles and ultimately lead to suicides. Such games did not have an app to download but were publicized through apps. The Government now may have realized the risks these apps pose. Apart from these, there are many other apps. Also, the government has not published what is suspicious about each of the banned apps. However, we should trust the advice given by the government and follow it. I can tell you, CamScanner had certain vulnerabilities and was in fact taken off GooglePlay about 2 months ago. It, however, came back after the vulnerabilities were fixed.”
Mungale elaborates that CamScanner could be used for scanning financial documents, architecture documents, etc, and all those would get stored on the cloud, which could then be scanned using AI. TikTok, which is so popular, can be misused to change faces, etc. The real risk is how some third parties could do with these apps, he adds.
Akhil says these apps can install banking trojans in user mobiles, which could modify user experience or intercept communications in order to steal data, which can then be used to commit financial fraud and other form of cyberattacks.
IMPACT ON TRANSACTIONS
He feels there are high chances that these apps could pose a threat to a customer’s financial transactions and assets. “If these apps can get all unwanted permission to access user data or install malware/ trojans then it is very much feasible to impact financial transaction initiated via that device. Many users are having habit to save their passwords in some file/ text on mobile devices. This can easily be accessed by these apps and compromise the users’ financial transactions, he adds
Mungale feels the ads that appear while using these apps could be malicious. For example, an ad for a party could be a disguised message to the members. And these apps could also be a conduit for ransomware.He maintains that if a scanned document goes on the cloud, the features could be tempting – scanning passport numbers, ATM cards, bank statements, etc. These apps do not have any responsibility for any data privacy, and they are leveraging data as the new oil and gold. “So, if banks’ credit and debit card data are on the cloud, then it is a big threat to the bank. Look at how China banned Facebook, Google, etc,” he says.
APT POSSIBLE
Is there any possibility or evidence of these apps coordinating to pose an Advanced Persistent Threat or APT? “There are sponsored attacker groups who pose APT and try to exploit malicious application’s vulnerability,” says Akhil, adding: “Due to the sophistication of these attacks, attackers are able to bypass existing security systems and largely infiltrate the target network/ applications. There is a high probability that these malicious apps could become platforms for such attack vectors to launch advanced attacks.”
Mungale too believes together all these could mean APT. In fact, he says any app could be an enabler of threats. “Misuser has all kinds of opportunities. These 59 apps gave an opportunity for continuous monitoring,” he points out.
TWIN CONTROLS
Akhil advocates the implementation of controls at the customer’s as well as the organization’s sides for a financial services institution to secure its customers from the risks posed by such apps. “From customer point of view, there should be continuous awareness on usage of any malicious/ suspicious app specially on the device on which they are performing financial transactions. Organizations should continuously educate their customer on this. From an organization’s perspective and that too from a technical control perspective, it should be ensured that a banking application is fully secured to handle any of the unexpected communications from these malicious apps. It must be ensured that security is embedded since design and continuous testing of the application should be performed.
He emphasizes that for a CISO, restricting any malicious app is always a welcome move as such apps could lead to installation of banking trojans in user mobiles, which could modify user experience or intercept communications in order to steal data that in turn can be used to commit financial fraud and other forms of cyberattacks.
He, however, cautions that the ban could cause a reactive approach from China, which can launch various forms of cyberattacks. “In this covid scenario, work from home is the new normal and already there are spurts in cyberattacks on end-points and organizations’ networks. It will be a tough time for entire information security professionals to ensure business continuity and safeguard their organizations’ critical assets,” he adds.
Another threat, he says, is that less technically aware customers could download potentially malware rigged clones of these banned apps from unofficial stores, which could lead to compromise of user devices as well as the threat to banking related apps.
