Risk Detections Quick Guide

XTD detects a comprehensive range of threats to your apps, classified as high, suspicious, or low risk. XTD also collects data on informational events that do not pose a risk.

The reported risk level of an app instance depends on both the type and the number of detections. For example, a low-risk detection on an instance that already has other suspicious detections raises the instance's risk level more than the same low-risk detection on an instance that has no other detections.

This section describes the types of risk detections that XTD may report for your app instances, and guidance on how you should respond to them.

Rooting

Description

Rooting (Android) or jailbreaking (iOS) means modifying the device so that the user can run apps with administrative privileges.

A rooted device can serve as a platform for attacking the protected application, and it makes it easier for malware to infect the mobile device and attack the application.

There are also use cases in some regions where rooting is required for daily operations.

Response Guidance

Typically, you must evaluate whether users in your region depend on rooting and whether you want to take the risk of more exposed applications.

You can then either monitor how rooting develops among your users or suspend apps on rooted devices.

Tampering

Description

A modification to the protected app's code has been detected. Tampering indicates an intent to either reverse engineer the app or to change its program flow and functionality. An example is the repackaging of an app after malware was injected.

Response Guidance

Tampering should not happen during normal use. Tampered applications are prevented from starting by default. If these attacks become more frequent, consider deploying the app with a new protection run benefitting from polymorphism.

Debugger

Description

Debuggers are tools for analyzing and modifying applications at runtime. They are used to reverse engineer and manipulate the application while it runs and to extract data; for example, a debugger may be used to alter program code at runtime so that the signature check is skipped.

Response Guidance

Debugging should not happen during normal use. Verimatrix recommends suspending the associated app instances. The default setting shuts down affected applications automatically.

If these attacks become more frequent, consider deploying the app with a new protection run benefitting from polymorphism.

Hooking/Emulator

Description

Hooking involves attaching frameworks like Frida to an application's APIs to intercept data. This enables reverse engineering, data extraction, and manipulation of the application at runtime. The hooking-framework detection also covers the use of virtualization.

Virtualization or emulation refers to running the application in virtualized environments like iOS or Android device emulators. App development frameworks like Android Studio usually contain emulators for debugging and instrumentation. Emulators may be used for attacks as well as development.

Response Guidance

Hooking and virtualization/emulation should not occur during normal use. Verimatrix recommends suspending the associated app instances. If these attacks become more frequent, consider redeploying the app with a new protection run benefitting from polymorphism.

Overlay

Description

Overlays are GUI elements of another application laid over the GUI of the protected app. Helpful overlays exist for purposes such as improving accessibility, or signaling new messages on an email app.

However, if the overlays are replacing elements like the input of username and password, overlays can be used to steal credentials or even to trick users into entering arbitrary data into malware apps, since the users believe they are still in the app they originally started.

Other examples of potential malicious use of overlays are keystroke logging or key injection. In the case of an alert, this detection has identified an overlay plus an additional indication such as an outgoing connection to command and control servers. Most of today’s malware that uses specific apps for key logging, SMS interceptions, or overlaying abuses the Android accessibility service.

Verimatrix malware detection reveals the app names which abuse the accessibility API on Android for malicious purposes and reports them.

Response Guidance

Overlays placed by malware should not be detected during normal use. You should warn the affected app user and add additional authentication or a review of the affected users' transactions on the application server. Ideally, you would shut down the affected app.

Bootloader Unlock

Description

Bootloader unlocking is a feature allowing developers to put their own custom-built firmware images on a device. The environment may provide no security at all on these devices.

While this is a required feature for developers, user devices should not use this feature at all. No security critical application should run on devices with an unlocked bootloader.

Response Guidance

Verimatrix recommends suspending app instances running on devices with an unlocked bootloader.

Sideloading

Description

Detection of sideloading indicates the possibility that the app was not downloaded from a trusted source such as the Google Play store. Apps downloaded from other sources have a vastly higher probability of containing malicious code.

Response Guidance

At the very least, for security-critical applications such as banking, Verimatrix recommends warning the affected user that they are at risk of malware attacks.

Accessibility Malware

Description

A specific instance of the Overlay detection in which the malware takes advantage of the device's accessibility features.

VPN

Description

Usage of a VPN agent has been detected. VPNs are often used to spoof the physical device location and trick providers into delivering services to devices outside the intended geographies.

Usage of VPNs can indicate malicious activity that is intended to trick geofencing restrictions and geolocation risk assessment tools.

Response Guidance

Whether VPN usage is a threat to your application depends very much on the use case.

If it is detected for one device in combination with other threats, it is advisable to suspend the associated user's app.

Proxy

Description

A proxy or proxy agent has been detected in the internet connection between the app and the server. Proxies can be located on the device running the application or in the network between the application and the server it connects to. Proxies usually only reroute traffic, for example to traverse company firewalls legitimately inside a corporate network. However, proxies can also be used to obfuscate the geolocation of an app or to intercept the traffic between app and server, allowing theft or manipulation of data.

Response Guidance

Proxies have both legitimate and malicious uses. The detection is reported only when the mobile device is using mobile data, since legitimate use is mainly focused on Wi-Fi connections. Verimatrix recommends checking any transaction made by the affected application and warning the user.

MITM (Man-in-the-Middle)

Description

Man-in-the-middle attacks analyze and possibly extract and manipulate data that is exchanged between application and server.

This connection is usually end-to-end encrypted and authenticated. However, authentication can be circumvented and a proxy inserted into the connection; the proxy then decrypts the traffic, analyzes or manipulates it, and re-encrypts it before forwarding it to the legitimate peers.

Response Guidance

Man-in-the-middle attacks should not happen during production use. Affected apps should be shut down and all user transactions be reviewed.

DNS Inconsistency/DNS Interference

Description

The DNS server used by the app is compared with the DNS server that Verimatrix identifies as the one that should be used. Specifically, the expected response to DNS requests is compared with the response the app is actually seeing. An unauthorized DNS server indicates that the app is being misled into communicating with an unauthorized (cloud) service as part of an attack.

Response Guidance

DNS exploitation should not happen in production scenarios. Affected users should be monitored and either warned or blocked from continuing to use the secured application.

First Run

First Run is the event reported when the app instance is started for the first time after being installed. By default, first run events are considered informational and do not contribute to risk level.

Activity

Activity refers to any other normal event. By default, activity events are considered informational and do not contribute to risk level.
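As an added example that is not part of XTD or this guide, the following Python sketch shows how a backend could aggregate the detection types above into an instance risk level and derive the responses the guidance recommends. The severity tier per detection type and the summed-weight scoring are assumptions for illustration; the detection names are likewise constructed.

```python
from dataclasses import dataclass

# Constructed example: severity tier per detection type is an assumption for
# illustration; the guide does not publish XTD's actual tiering.
SEVERITY = {
    "tampering": "high", "debugger": "high", "hooking_emulator": "high",
    "mitm": "high", "bootloader_unlock": "high", "accessibility_malware": "high",
    "overlay": "suspicious", "dns_interference": "suspicious", "rooting": "suspicious",
    "sideloading": "low", "vpn": "low", "proxy": "low",
    "first_run": "info", "activity": "info",  # informational, never add risk
}
WEIGHT = {"high": 3, "suspicious": 2, "low": 1, "info": 0}
SUSPEND_ON = {"tampering", "debugger", "hooking_emulator", "mitm", "bootloader_unlock"}

@dataclass
class Detection:
    kind: str
    on_mobile_data: bool = True  # only consulted for proxy detections

def counted(detections):
    """Drop events that do not count: informational ones and a proxy seen on Wi-Fi."""
    return [d for d in detections if WEIGHT[SEVERITY[d.kind]] > 0
            and not (d.kind == "proxy" and not d.on_mobile_data)]

def instance_risk(detections):
    """Summed-weight scoring (assumed scheme): a low detection on top of a
    suspicious one lifts the instance to high; the same detection alone is low."""
    score = sum(WEIGHT[SEVERITY[d.kind]] for d in counted(detections))
    return "high" if score >= 3 else {2: "suspicious", 1: "low"}.get(score, "none")

def response_actions(detections, rooting_policy="monitor"):
    """Map the guide's response guidance for one app instance to backend actions."""
    kinds = {d.kind for d in counted(detections)}
    actions = set()
    if kinds & SUSPEND_ON:
        actions.add("suspend")
    if kinds & {"mitm", "proxy", "overlay", "accessibility_malware"}:
        actions.add("review_transactions")
    if kinds & {"overlay", "accessibility_malware"}:
        actions.add("step_up_auth")
    if kinds & {"overlay", "accessibility_malware", "sideloading", "proxy", "dns_interference"}:
        actions.add("warn_user")
    if "vpn" in kinds and len(kinds) > 1:  # VPN alone is use-case dependent
        actions.add("suspend")
    if "rooting" in kinds:  # regional policy decision: monitor or suspend
        actions.add("suspend" if rooting_policy == "suspend" else "monitor")
    return actions
```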
