Beware Malicious Software Updates for Legitimate Apps

What’s the world’s most common security vulnerability?

If I were a betting man, I’d put money on it being out-of-date software.

On too many occasions, a security breach has occurred because systems had not been properly updated with the latest patches.

Just think of the massive Equifax data breach, for instance, where the personal details of over 140 million consumers (including their names, dates of birth and social security numbers) were exposed.

In that notorious hack, the attacker breached an Equifax web portal by exploiting a vulnerability in Apache Struts… a vulnerability that had been discovered and made public months before.

There are thousands of other examples where hackers have successfully exploited vulnerabilities for which patches are available, but organisations have simply not applied the updates.

So, if you’re a security-savvy IT department, you’re no doubt grateful when software manufacturers make it as easy as possible to update their software. In some cases you may even welcome automatic updates that ensure the software your users are running is always the very latest version available.

And if you’re getting the updates for your legitimate apps from the genuine software developer and if they don’t contain an unpleasant bug or incompatibility, what is there to fear?

Well, in some unusual cases there might still be some valid concerns.

A new advisory by the ACLU (American Civil Liberties Union) warns of the risk that malicious code in legitimate software products could compromise security.

The ACLU’s report, entitled “How malicious software updates endanger everyone”, warns software developers that “government agents may try to force you to create or install malicious software in products to help them with surveillance.”

You see, a poisoned software update for a legitimate app could be an excellent opportunity for an intelligence agency to plant spyware onto a target’s computer. What’s more, law enforcement may try to compel a software developer, through a court order, to install the malicious code on a target’s computer. And if they’re worried that the software maker will protest, they may even include a gag order, stopping the firm from telling anyone what it has been compelled to do.

The ACLU’s report explains that such government demands may only increase as companies embrace encryption and software vulnerabilities are ironed out:

“The likelihood that government actors may attempt to force software makers to push out software updates that include malware designed to obtain data from targeted devices grows as more companies secure their users’ data with encryption.”

“As companies close other technological loopholes, there will be increased pressure on law enforcement to find alternate vulnerabilities to exploit.”

As a result, software developers would be wise to check out the ACLU’s guide on how to “plan ahead” in case a government agency comes a-knocking.

And realise this: the threat is not just government agencies who may tamper with the updates of legitimate applications for the purposes of surveillance. For instance, a year ago, a ransomware attack crippled businesses and critical infrastructure in Ukraine at breathtaking speed.

The malware (variously named as Petya, NotPetya or GoldenEye by security vendors) was initially spread through a poisoned automatic update to a popular accounting software program called MeDoc.

Quite who was behind the NotPetya attack is open to speculation, but there’s no reason to believe that the software developers had their arms twisted into poisoning the update to their own software. Instead, it appears that someone hacked into the company’s infrastructure and planted the malicious code in the update.
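The two scenarios above differ in one practical respect that a practitioner will want to see spelled out: an attacker who breaks into a vendor’s build or distribution infrastructure but does not hold the vendor’s offline signing key cannot produce an update that passes the client’s signature check, whereas a vendor compelled to sign a malicious update can. The following is an added example (not code from the ACLU report, from the original post, or from any real update client) of the client-side check that makes the first case fail: a manifest carrying the version and the SHA-256 of the payload, signed with the publisher’s Ed25519 key, verified against a key pinned in the client, plus a rollback check so an older, already-signed build cannot be replayed. The manifest layout, function names and sample payload are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the publisher signs: the release version and the SHA-256
// of the update payload. The fixed-width layout is a constructed example
// format, not any real updater's manifest.
type Manifest struct {
	Version    uint64
	PayloadSHA [32]byte
}

// Encode serialises the manifest unambiguously so both sides sign/verify the
// same bytes: 8-byte big-endian version followed by the 32-byte payload hash.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 8+32)
	binary.BigEndian.PutUint64(buf[:8], m.Version)
	copy(buf[8:], m.PayloadSHA[:])
	return buf
}

// SignManifest is the publisher-side step. In practice it runs on a signing
// host whose private key is kept off the build and distribution servers, so
// an intruder on those servers cannot call it.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// Distinct errors so a caller (or a test) can tell which check rejected the update.
var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned publisher key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrPayloadHash  = errors.New("payload hash does not match the signed manifest")
)

// VerifyUpdate is the client-side check. pinnedPub is the publisher key
// shipped with the client; installed is the version currently on disk.
// Order matters: the signature is checked first so that nothing in an
// unauthenticated manifest influences later decisions.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installed uint64, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinnedPub, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrPayloadHash
	}
	return nil
}

func main() {
	// Publisher side: generate the signing key (constructed here; a real key
	// would be generated once and kept offline) and sign a genuine release.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update payload v5")
	genuine := Manifest{Version: 5, PayloadSHA: sha256.Sum256(payload)}
	sig := SignManifest(priv, genuine)

	// Client side, currently on version 4.
	fmt.Println("genuine update:", VerifyUpdate(pub, 4, genuine, sig, payload))

	// Intruder on the distribution server swaps the payload but cannot re-sign.
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0x01
	fmt.Println("tampered payload:", VerifyUpdate(pub, 4, genuine, sig, tampered))

	// Intruder signs a malicious manifest with a key of their own.
	_, rogue, _ := ed25519.GenerateKey(nil)
	forged := Manifest{Version: 6, PayloadSHA: sha256.Sum256(tampered)}
	fmt.Println("rogue-key signature:", VerifyUpdate(pub, 4, forged, SignManifest(rogue, forged), tampered))

	// Replay of a genuinely signed but older build once the client is on v5.
	fmt.Println("rollback:", VerifyUpdate(pub, 5, genuine, sig, payload))
}
```

The check stops the compromised-infrastructure case, not the coerced-vendor case: if the publisher signs a malicious manifest, every line above passes. That residual risk is the one the ACLU advisory is about, and it is why reproducible builds and public transparency logs of what a vendor has signed are discussed as complements to signing.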

There is a real risk that public trust in software updates will be lost, and systems will be updated less frequently because of exploitation by government agencies or criminal hackers.

And that would be bad for the security of all of us.