Heavyweight release! Aliju Security 2016 annual report

Posted by fierce at 2020-03-19

Aliju Security has released its 2016 annual report. The report focuses on the security risks observed during 2016 in the two areas Aliju Security concentrates on: mobile security and data risk control. On mobile security it covers three parts, viruses, counterfeit applications and vulnerabilities, to help users understand which risks deserve attention. It then describes Aliju Security's work and views on the overall prevention and control of business security, to help enterprises decide where to weight their security strategy and protection when building Internet business security.

About one in ten Android devices is infected: a 10% infection rate

In 2016, about one in ten devices on the Android platform was infected with a virus, an infection rate of 10%. The Aliju Security virus scanning engine removed 120 million viruses in total. Removing these virus Trojans helped users resist a large number of potential risks.

Nearly 9,000 new mobile virus samples every day, one every 10 seconds

In 2016, the Aliju Security mobile virus database added 3,284,524 new virus samples, an average of 9,000 new samples per day, equivalent to one new virus sample every 10 seconds. We also saw a clear increase in virus samples after September. Although the security of the stock Android system keeps improving, mobile viruses spread in many ways, such as repackaging well-known applications or posing as lifestyle and pornographic applications. In an environment where so many viruses appear every day, Android users must stay vigilant and download applications only from official channels.

In 2016 we found that the "malicious fee deduction" category accounted for the highest proportion of virus samples, reaching 72%. Viruses of this kind send text messages and fee-deduction instructions without the user's permission, creating a risk of charges on the user's phone bill. On the client side, however, the type detected most often was "rogue behavior", followed by "malicious fee deduction".

Comparing virus types in the sample database with those detected on clients, the number of "malicious fee deduction" samples is very large, yet the number of client infections is inversely proportional. This is because the government has focused special enforcement on mobile Internet malicious programs with a wide reach and high security risk, and that enforcement has had a clear effect on "malicious fee deduction" programs. Meanwhile "rogue behavior", "privacy theft", "SMS hijacking" and "deception fraud" viruses infect most of the clients with only a small number of samples; in particular the "SMS hijacking" and "deception fraud" viruses, which are used for fraud, affect clients at a ratio of basically 1:10. In addition, "rogue behavior" viruses, which interfere with users' normal use of software, degrade the user experience, and add ad bookmarks, ad shortcuts or screen locks at will, occupy a large number of user clients and are generally used for malicious advertising promotion.

89% of popular apps have been counterfeited

15 popular applications were selected from each of 16 industry categories, and the 240 applications were analyzed for counterfeits. 89% of the popular applications had counterfeits, 12,859 counterfeits in total, an average of 54 per application, and a total of 23.74 million infected devices. In March the number of counterfeit applications dropped significantly, consistent with the pattern that the black and gray market is less active around the Spring Festival holiday.

In the financial industry, most counterfeit bank applications exhibit SMS hijacking

Within the financial industry, banks, wallets and financial management were selected as three sub-categories, 10 popular applications were selected for analysis, and 407 counterfeit applications were found. Bank counterfeits account for 53%, wallet counterfeits for 36%, and financial-management counterfeits for 11%.

Distribution of counterfeit applications in the financial industry in 2016

In this analysis, a single bank had a total of 30 counterfeit applications, all with SMS hijacking behavior, and 33,863 infected devices; the infected users were mainly distributed in Guangdong, Beijing, Jiangsu and other provinces.

The Aliju Security mobile security scanner innovates and iterates rapidly to help enterprises improve early awareness of security

In 2016, the Aliju Security mobile security scanner delivered 305,909 scans, an average of 838 per day, and detected 17,698,883 vulnerabilities. Packed (shelled) apps accounted for 16.54% of all scanned apps in 2016; the product went through 21 iterations and gained 16 new rules. Among them, heuristic rule scanning can detect how externally controllable data affects the internal logic of the application: the scanner reasons about data arriving from sockets, the network and intents and judges whether it creates a vulnerability that malicious users could exploit, including phishing, file operations, command execution, reflection, and component launching (activities, services, etc.). In addition, a new denial-of-service scanning rule checks whether dynamically registered components can cause a denial-of-service vulnerability.

98% of the top 10 applications in 18 industries have vulnerabilities, but WebView remote code execution vulnerabilities have declined rapidly

To analyze vulnerabilities across mobile application industries, we downloaded the top 10 applications in each of 18 industries (180 in total) from a third-party application market and scanned them with the Aliju Security vulnerability scanning engine. 98% of the 180 applications have vulnerabilities, 14,798 in total, an average of 82 per application. Travel, games, audio/video and social products have the highest vulnerability counts, but the highest proportions of high-risk vulnerabilities are found, in order, in office, tools, games and finance. As work moves onto mobile devices, enterprises need to pay more attention to the security threats their employees face when using these industry apps.

The main vulnerability types are "denial of service", "WebView plaintext password storage", "hard-coded key risk" and "AES/DES weak encryption risk". The latter two undermine the cryptographic foundation of information security: common cryptographic algorithms are public, so the confidentiality of encrypted content depends entirely on the confidentiality of the key. If the key leaks, then for a symmetric algorithm the plaintext is easily recovered from the algorithm, the key and the ciphertext; for an asymmetric algorithm or a signature algorithm, whoever holds the private key and the data to be signed can easily compute the signature value and forge signatures.

During app development, enterprise users are advised to use Aliju Security vulnerability scanning to check whether the application carries hard-coded key risk, and to use the secure encryption function of the Aliju Security component to protect the developer's key and encryption algorithm implementation, keep the key secure, and perform encryption, decryption and signing safely.
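The two crypto findings above, hard-coded keys and AES/DES weak encryption, are the kind of defect a source scanner catches with simple pattern rules. The following is an added example, not the Aliju Security scanner or any part of the report: a small rule-based checker that runs over a constructed Java snippet embedded in the file. The rule names, severities and the sample snippet are all constructed for illustration; the patterns cover a string literal fed to `SecretKeySpec`, a key-looking constant, DES/3DES, AES in ECB mode (the Android default when only "AES" is given), and a fixed IV.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str       # which rule fired
    line: int       # 1-based line number in the scanned source
    severity: str   # "high" or "medium"
    text: str       # the offending source line, stripped


# Rule table: (rule id, severity, pattern). Each pattern targets one of the
# report's two crypto findings: hard-coded keys/IVs and weak algorithms/modes.
RULES = [
    # String literal passed straight into SecretKeySpec: the key ships in the APK.
    ("HARDCODED_KEY", "high",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]+"\s*\.getBytes')),
    # A field or local named ...key assigned a hex/base64-looking literal.
    ("HARDCODED_KEY", "high",
     re.compile(r'(?i)(?:secret|aes|des|hmac)?key\s*=\s*"[A-Za-z0-9+/=]{8,}"')),
    # DES / 3DES: 56-bit effective key (DES) and a legacy 64-bit block size.
    ("WEAK_ALGO_DES", "high",
     re.compile(r'Cipher\.getInstance\s*\(\s*"(?:DES|DESede)(?:/|")')),
    # "AES" alone defaults to ECB on Android; ECB leaks plaintext patterns.
    ("WEAK_MODE_ECB", "medium",
     re.compile(r'Cipher\.getInstance\s*\(\s*"AES(?:/ECB/[^"]*)?"')),
    # Fixed IV from a string literal defeats CBC/CTR semantic security.
    ("STATIC_IV", "medium",
     re.compile(r'new\s+IvParameterSpec\s*\(\s*"[^"]*"\s*\.getBytes')),
]


def scan_source(source: str) -> list:
    """Run every rule over every line; return findings in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]      # ignore trailing line comments
        for rule, severity, pattern in RULES:
            if pattern.search(code):
                findings.append(Finding(rule, lineno, severity, line.strip()))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, the way a scan report totals them."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed Java snippet (not from any real app) mixing weak and sound usage.
SAMPLE_JAVA = "\n".join([
    'private static final String KEY = "0123456789abcdef";',
    'SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");',
    'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");',
    'Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");',
    'IvParameterSpec iv = new IvParameterSpec("1234567812345678".getBytes());',
    'SecretKeySpec spec2 = new SecretKeySpec("s3cr3tk3y1234567".getBytes(), "AES");',
    'Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");   // sound: AEAD mode',
    'byte[] k = new byte[16]; new SecureRandom().nextBytes(k);  // sound: random key',
])

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA):
        print(f"line {f.line:2d} [{f.severity:6s}] {f.rule}: {f.text}")
    print(summarize(scan_source(SAMPLE_JAVA)))
```

Line 2 of the sample is deliberately not flagged on its own: the literal was caught where it was declared on line 1, and a regex rule cannot follow the `KEY` variable into the `SecretKeySpec` call. That gap is exactly why the report's heuristic scanner tracks data flow rather than matching single lines.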

The most sophisticated iOS APT attack appears

Pegasus, the Trident attack chain, was discovered during an APT attack on a human rights activist in the United Arab Emirates. The full chain consists of three vulnerabilities: JavaScript remote code execution (CVE-2016-4657), kernel information disclosure (CVE-2016-4655), and kernel use-after-free code execution (CVE-2016-4656).

The attack chain achieves a complete remote jailbreak of iOS and can steal sensitive information from applications such as Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, Line, WeChat, SS, Tango and others. Pegasus is arguably one of the most influential iOS vulnerability chains of recent years, and the most complex and stable APT attack against mobile devices, a milestone in mobile device attacks. Because mobile devices carry always-on Wi-Fi, 3G/4G, voice communication, camera, email, instant messaging, GPS, passwords and contacts, APT attacks against them will only increase.

The wool party and the scalper party became the biggest cancer of Internet business development in 2016

In 2016, across all kinds of Internet business activities, the wool party and the scalper party continued to thrive. Any red-envelope or coupon promotion without security prevention and control will be snatched by the wool party through means such as bots and throwaway accounts, and 70% to 80% of the promotional offers end up taken by the wool party, so that the marketing spend of businesses and platforms flows into the wool party's pockets. Scalpers use machines to place orders and hired hands to grab orders, snatch deeply discounted, high-margin products, and resell them at a higher price for the difference. Large-scale machine ordering puts pressure on website traffic, produces DDoS-like effects, and can even take the site down. In addition, attackers have moved from simple, single-dimension password guessing to sophisticated robotic password-guessing techniques that evade simple policy-based defenses, so enterprises need more dimensions and indicators, and more complex rules and models, for defense.

Man-machine confrontation: the sliding verification code as an important weapon against the black market

As an important means of fighting the black market's man-machine attacks, the sliding verification code further screens the "gray and black users" identified upstream. The evolved sliding verification code no longer relies on a simple human-versus-machine puzzle; it combines inherent human biometric characteristics with environmental information to decide whether the actor is a human or a machine, and it does not interrupt the user's operation, giving a better user experience. During the confrontation, the verification code system perceives risk and switches its obfuscation and encryption algorithms in real time, greatly raising the black market's cost of cracking it.

For Aliju Security's human-machine identification system, the number of interface calls is in the billions, while misidentifications (false positives) number only in the single digits. Beyond false positives, our technical difficulty lies in finding the misses (false negatives). In general we monitor the "big picture" of overall user traffic; once registration or login traffic is detected to be abnormal, our security attack-and-defense experts respond on an emergency basis, with response times at the hour level.
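The two paragraphs above describe a slider that judges "human or machine" from how the slider is moved rather than from a puzzle, and a system tuned so that false positives are rare while misses remain the hard part. The following added example, not Aliju Security's system and not from the report, shows the behavioural side of that idea on constructed data: a trajectory of (time in ms, x in px) samples is reduced to a few features (speed uniformity, direction reversals, overshoot, duration), combined into a bot score, and thresholded. Feature names, weights and both sample tracks are constructed for illustration.

```python
from statistics import mean, pstdev

# A trajectory is a list of (t_ms, x_px) samples captured while the slider is
# dragged. All sample tracks below are constructed for this example.


def features(track):
    """Derive behaviour features from a slider trajectory.

    Returns None when fewer than three samples exist, i.e. no real drag
    was recorded, which is itself a typical sign of scripted completion.
    """
    if len(track) < 3:
        return None
    speeds, dxs = [], []
    for (t0, x0), (t1, x1) in zip(track, track[1:]):
        dt = max(t1 - t0, 1)            # guard against duplicate timestamps
        dxs.append(x1 - x0)
        speeds.append((x1 - x0) / dt)
    avg = mean(speeds)
    # Coefficient of variation of speed: ~0 for constant-velocity automation,
    # clearly positive for a hand that accelerates, slows and corrects.
    speed_cv = pstdev(speeds) / abs(avg) if avg else float("inf")
    # Direction reversals and overshoot capture human overshoot-and-correct.
    reversals = sum(1 for a, b in zip(dxs, dxs[1:]) if a * b < 0)
    overshoot = max(x for _, x in track) - track[-1][1]
    duration_ms = track[-1][0] - track[0][0]
    return {"speed_cv": speed_cv, "reversals": reversals,
            "overshoot": overshoot, "duration_ms": duration_ms}


def bot_score(track):
    """Combine features into a 0..1 score; the weights are constructed heuristics."""
    f = features(track)
    if f is None:
        return 1.0
    score = 0.0
    if f["speed_cv"] < 0.15:                          # too uniform
        score += 0.5
    if f["reversals"] == 0 and f["overshoot"] == 0:   # no correction at all
        score += 0.3
    if f["duration_ms"] < 300:                        # faster than a hand
        score += 0.2
    return score


def classify(track, threshold=0.5):
    """The threshold trades false positives (humans blocked) against misses."""
    return "bot" if bot_score(track) >= threshold else "human"


# Constructed human drag: ramps up, slows near the target, overshoots by a
# few pixels and pulls back over about 440 ms.
HUMAN_TRACK = [(0, 0), (40, 6), (80, 18), (120, 38), (160, 70), (200, 110),
               (240, 150), (280, 182), (320, 205), (360, 214), (400, 212),
               (440, 210)]
# Constructed scripted drag: 21 px every 20 ms, dead straight, 200 ms total.
BOT_TRACK = [(i * 20, i * 21) for i in range(11)]

if __name__ == "__main__":
    for name, track in (("human", HUMAN_TRACK), ("bot", BOT_TRACK)):
        print(name, features(track), bot_score(track), classify(track))
```

Raising `threshold` lowers false positives at the cost of more misses, which is the trade-off the paragraph above describes; in practice the behavioural score is only one input beside the environmental signals the report mentions.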

In addition, the black market's credential-stuffing (database brushing and collision) activity follows a clear business time sequence. Take Q4 2016 as an example: before Double 11, the black market focused mainly on cheating in promotional activities on the various platforms; after Double 11, credential-stuffing risk began to rise continuously and stabilized at more than half of all risks.
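The traffic monitoring described above, watching the overall login picture and reacting when registration or login traffic turns abnormal, comes down to aggregating authentication events. The following added example, not Aliju Security's system and not from the report, shows the two simplest signals over constructed login log lines: a per-source view that flags credential stuffing (one source, many distinct accounts, almost all failures) and the overall failure ratio that the "big picture" monitor would trend over time. The log format, field names, thresholds and addresses (documentation ranges) are all constructed.

```python
import re

# Constructed log format: "<timestamp> ip=<addr> user=<name> result=ok|fail".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_source_stats(events):
    """Attempts, failures and distinct accounts tried, keyed by source address."""
    stats = {}
    for e in events:
        s = stats.setdefault(e["ip"], {"attempts": 0, "fails": 0, "users": set()})
        s["attempts"] += 1
        s["fails"] += e["result"] == "fail"
        s["users"].add(e["user"])
    return stats


def flag_stuffing(events, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail.

    A single user mistyping a password fails repeatedly on one account and
    is not flagged; credential stuffing spreads failures across accounts.
    """
    flagged = {}
    for ip, s in per_source_stats(events).items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2)}
    return flagged


def overall_fail_ratio(events):
    """Site-wide failure ratio: the 'big picture' number to trend per window."""
    if not events:
        return 0.0
    return sum(e["result"] == "fail" for e in events) / len(events)


# Constructed sample: one source cycling through leaked credentials (with a
# single hit), a few ordinary users, and one malformed line.
SAMPLE_LOG = [
    f"2016-11-12T01:00:{i:02d} ip=203.0.113.7 user=user{i} result=fail"
    for i in range(8)
] + [
    "2016-11-12T01:00:08 ip=203.0.113.7 user=user3 result=ok",
    "2016-11-12T01:00:09 ip=198.51.100.2 user=alice result=ok",
    "2016-11-12T01:00:10 ip=198.51.100.3 user=bob result=fail",
    "2016-11-12T01:00:11 ip=198.51.100.3 user=bob result=ok",
    "2016-11-12T01:00:12 ip=198.51.100.4 user=carol result=ok",
    "this line is not a login record",
]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("events:", len(ev), "overall fail ratio:", round(overall_fail_ratio(ev), 3))
    print("flagged sources:", flag_stuffing(ev))
```

Real deployments key the per-source view on more than the address (device fingerprint, account age, ASN) and compare the overall ratio against a per-window baseline; the structure stays the same.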

Mobile promotion fraud caused losses exceeding hundreds of millions of US dollars in 2016

At present, mobile applications are promoted and acquire users through resource exchanges, search platforms, advertising networks and agents, direct promotion, and organic installs. Promoters found that their spending produced good-looking promotion figures but few real users: large-scale channel fraud causes mobile application promoters heavy losses. According to one platform's analysis, mobile promotion fraud in 2016 exceeded hundreds of millions of dollars.

Common mobile promotion fraud relies on click farms, emulators and "machine change" tools. For example, one-key machine-change software modifies the phone's hardware parameters (IMEI, MAC address, Bluetooth address) so that the same phone appears to be a new device installing and activating the app many times; or scripts drive various Android emulators in bulk (Tiantian, Haima, Nox and others) to repeat app installation, activation and similar actions. Aliju Security uses stable device fingerprinting technology plus big data analysis to accurately identify these cheating methods and devices. This saves users promotion cost, time cost and development cost, and ensures promoters obtain real user data for their business.
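The paragraph above names the defence (a stable device fingerprint) and the evasion it has to survive (IMEI, MAC and Bluetooth address rewritten by a machine-change tool, or an emulator posing as a handset). The following added example, not Aliju Security's device-fingerprint product and not from the report, shows one way to make a fingerprint stable against that: each attribute carries a weight, a new report is linked to an already-known device when enough weighted attributes agree, and cheaply rewritten identifiers weigh less than signals that are harder to fake consistently. The attribute names, weights, threshold, emulator heuristics (a "generic"/"sdk" build fingerprint, an all-zero IMEI) and all four device records are constructed for illustration.

```python
import hashlib

# Weight (in percent) of each reported attribute. Identifiers that one-key
# "machine change" tools rewrite cheaply (IMEI, MAC, Bluetooth, Android ID)
# carry less weight than signals that are harder to fake consistently.
WEIGHTS = {
    "imei": 15, "mac": 10, "bt_addr": 5, "android_id": 10,
    "build_fingerprint": 15, "screen": 10, "cpu_abi": 5, "total_ram_mb": 10,
    "app_list_hash": 20,
}
MATCH_THRESHOLD = 60   # percent of total weight that must agree to link reports


def similarity(a, b):
    """Weighted agreement between two attribute dicts, 0..100."""
    return sum(w for f, w in WEIGHTS.items()
               if f in a and f in b and a[f] == b[f])


def is_emulator_like(attrs):
    """Constructed heuristics: emulator-style build string or an all-zero IMEI."""
    fp = attrs.get("build_fingerprint", "")
    return "generic" in fp or "sdk" in fp or attrs.get("imei", "") == "0" * 15


class DeviceRegistry:
    """Links activation reports to devices despite rewritten identifiers."""

    def __init__(self):
        self.devices = {}   # device_id -> attrs seen at first registration

    def find(self, attrs):
        best_id, best = None, 0
        for did, known in self.devices.items():
            s = similarity(attrs, known)
            if s > best:
                best_id, best = did, s
        return best_id, best

    def assess(self, attrs):
        """Return the linked device id, whether it is new, and an emulator flag.

        A repeat activation from a known device (is_new False) is what a
        promotion-fraud check counts as a duplicate install.
        """
        did, score = self.find(attrs)
        emulator = is_emulator_like(attrs)
        if did is not None and score >= MATCH_THRESHOLD:
            return {"device_id": did, "is_new": False, "match": score,
                    "emulator": emulator}
        material = "|".join(f"{f}={attrs.get(f, '')}" for f in WEIGHTS)
        did = hashlib.sha256(material.encode()).hexdigest()[:16]
        self.devices[did] = dict(attrs)
        return {"device_id": did, "is_new": True, "match": score,
                "emulator": emulator}


# Constructed records (no real device data).
DEVICE_A = {
    "imei": "490154203237518", "mac": "02:00:00:aa:bb:01",
    "bt_addr": "02:00:00:aa:bb:02", "android_id": "9774d56d682e549c",
    "build_fingerprint": "vendorx/phone1/phone1:6.0/MRA58K/1001:user/release-keys",
    "screen": "1080x1920", "cpu_abi": "arm64-v8a", "total_ram_mb": 2048,
    "app_list_hash": "3f1a9c",
}
# Same handset after a machine-change tool rewrote IMEI, MAC and Bluetooth
# address, the three parameters the report names.
DEVICE_A_CHANGED = {**DEVICE_A, "imei": "356938035643809",
                    "mac": "02:00:00:cc:dd:01", "bt_addr": "02:00:00:cc:dd:02"}
# A genuinely different handset of the same model.
DEVICE_B = {**DEVICE_A, "imei": "357805023984942", "mac": "02:00:00:ee:ff:01",
            "bt_addr": "02:00:00:ee:ff:02", "android_id": "1c3e5a7f9b2d4e60",
            "app_list_hash": "b7e2d4"}
EMULATOR = {
    "imei": "0" * 15, "mac": "02:00:00:00:00:00", "bt_addr": "",
    "android_id": "0123456789abcdef",
    "build_fingerprint": "generic/sdk/generic_x86:6.0/MASTER/1001:eng/test-keys",
    "screen": "768x1280", "cpu_abi": "x86", "total_ram_mb": 1536,
    "app_list_hash": "000000",
}

if __name__ == "__main__":
    reg = DeviceRegistry()
    for name, rec in (("A", DEVICE_A), ("A changed", DEVICE_A_CHANGED),
                      ("B", DEVICE_B), ("emulator", EMULATOR)):
        print(name, reg.assess(rec))
```

The weights encode the design decision: a tool that only rewrites IMEI, MAC and Bluetooth address still agrees on 70% of the weight and is linked back to the original device, while a different phone of the same model agrees on only 40% and is correctly treated as new.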

Build a defense-in-depth, adaptable digital business system

Whether Internet Plus companies or traditional enterprises, all face security threats as they develop Internet business, and putting an adaptable digital business system into practice is a major challenge for traditional companies. With many business departments participating and collaborating, it is necessary to rank business risks by priority, concentrate defense in depth on key nodes, and make trade-offs between the two, so that the business security department becomes more agile and flexible. Aliju Security helps enterprises assess business security assets and risk priorities, uses defense in depth to protect the key nodes of the key value chain, and provides targeted protection for the business in practice.

As a leader in Internet business security solutions, Aliju Security's capabilities span mobile security, content security, data risk control, real-person authentication and other dimensions. Content security includes intelligent pornographic-content detection, text filtering and image recognition; mobile security includes vulnerability scanning, application hardening, security components and phishing monitoring; data risk control includes security verification and risk identification; real-person authentication includes identifying identity fraud and phishing.

At present Aliju Security protects more than 800 million terminals, enabling Internet companies to use the same security technology that protects Taobao, Tmall and Alipay to secure their own businesses.

Prepared by: Xundi, ningqiong @ Aliju Security

To download the complete PDF version of the Aliju Security 2016 annual report, please click here

For more Alibaba security articles, please keep following the Aliju Security column or the official Aliju Security blog