
Beware Malicious Software Updates for Legitimate Apps

Graham Cluley

June 25, 2018


What’s the world’s most common security vulnerability?

If I were a betting man, I’d put money on it being out-of-date software.

On too many occasions, a security breach has occurred because systems had not been properly updated with the latest patches.

Just think of the massive Equifax data breach, for instance, where the personal details of over 140 million consumers (including their names, dates of birth and social security numbers) were exposed.

In that notorious hack, the attacker breached an Equifax web portal by exploiting a vulnerability in Apache Struts… a vulnerability that had been discovered and made public months before.

There are thousands of other examples where hackers have successfully exploited vulnerabilities for which patches are available, but organisations have simply not applied the updates.

So, if you’re a security-savvy IT department, you’re no doubt grateful when software manufacturers make it as easy as possible to update their software. In some cases, you may even welcome automatic updates that ensure the software your users are running is always the very latest version available.

And if you’re getting the updates for your legitimate apps from the genuine software developer, and if they don’t contain an unpleasant bug or incompatibility, what is there to fear?

Well, in some unusual cases, there might still be some valid concerns.

A new advisory by the ACLU (American Civil Liberties Union) warns of the risk that malicious code in legitimate software products could compromise security.

The ACLU’s report, entitled “How malicious software updates endanger everyone”, warns software developers that “government agents may try to force you to create or install malicious software in products to help them with surveillance.”

You see, a poisoned software update for a legitimate app could be an excellent opportunity for an intelligence agency to plant spyware onto a target’s computer. What’s more, law enforcement may try to compel a software developer to install the malicious code on a target’s computer through a court order. And if they’re worried that the software maker will protest, they may even include a gag order, stopping firms from telling anyone what they have been compelled to do.

The ACLU’s report explains that such government demands may only increase as companies embrace encryption and software vulnerabilities are ironed out:

“The likelihood that government actors may attempt to force software makers to push out software updates that include malware designed to obtain data from targeted devices grows as more companies secure their users’ data with encryption.”

“As companies close other technological loopholes, there will be increased pressure on law enforcement to find alternate vulnerabilities to exploit.”

As a result, software developers would be wise to check out the ACLU’s guide on how to “plan ahead” in case a government agency comes a-knocking.

And realise this: the threat is not just government agencies who may tamper with the updates of legitimate applications for the purposes of surveillance. For instance, a year ago, a ransomware attack crippled businesses and critical infrastructure in Ukraine at breathtaking speed.

The malware (variously named as Petya, NotPetya or GoldenEye by security vendors) was initially spread through a poisoned automatic update to a popular accounting software program called MeDoc.

Quite who was behind the NotPetya attack is open to speculation, but there’s no reason to believe that the software developers had their arms twisted into poisoning their own update. Instead, it appears that someone hacked into the company’s infrastructure and planted the malicious code in the update.

There is a real risk that public trust in software updates will be lost, and systems will be updated less frequently because of exploitation by government agencies or criminal hackers.

And that would be bad for the security of all of us.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

