Over 100 Risky Applications: The Vulnerabilities You Can Mitigate with AppAware
by Serena Raymond on Feb 17, 2022 12:00:00 AM
Some applications are just riskier than others. They’re more likely to host malware or be the perfect place to launch a social engineering attack.
We analyzed billions of DNS queries available through our DNS security tool and conducted research to identify the 100 riskiest applications for businesses. Here’s an overview of the top 25, along with the main application categories and the historical security risks that led us to place them in our AppAware feature.
Messaging & Business Applications
Messaging applications can be a playground for threat actors, especially public-facing ones. Scammers are known to create fake identities and privately message users with links to domains that host malware, or to lure them into a phishing scam.
When it comes to spreading malware or being used for phishing attacks, Discord is a major offender. In research by Sophos, 4% of all TLS-protected malware downloads originated on Discord.
While it is well known that a lot of malware is hosted on Discord’s CDN (content delivery network), with upwards of 17,000 malicious URLs discovered in 2021, there is also a need to account for all of the externally hosted malware that leverages Discord.
Disqus is no stranger to data breaches, having experienced a breach in 2017 and handled it incredibly well. But the potential risk is still there. Because Disqus hosts the comment sections on so many websites, it’s easy for scammers to propagate phishing domains through it. Spammer accounts don’t get taken down, so as long as they remove their comments quickly on each site they comment on, they can continue to spread malicious activity.
Hijacked Facebook accounts and data breaches have been a problem since Facebook’s inception. But Messenger poses a particular risk because it is easy to spread targeted phishing attacks to individuals privately, tricking them into thinking the threat actor is someone they know. And this messaging tool is not even encrypted: Facebook postponed all plans for end-to-end encryption in Messenger until 2023. In a late January phishing attack, hackers gained control of Facebook accounts in Finland through Facebook Messenger. There seems to be a never-ending trail of hijacked Facebook accounts, each leading to further hijacked accounts, which can cause major problems for anyone with a Facebook account linked to a company profile.
ICQ is an old platform, and it has been the subject of many data breaches going all the way back to the early 2000s. Part of this is because accounts were easily hacked. ICQ provides convenience for end users, but back in 2017 it was reported to be a favorite of cybercriminals for the proliferation of phishing attacks. To this day, it’s still a popular place for threat actors to congregate because criminal chatrooms are easily hidden: ICQ does not have a traditional search function. Links are shared directly, and rooms can be removed and created rapidly, making them hard to track.
There have been privacy concerns over this South Korean app, and related apps like Kakao Map, for a long time. But one major concern is malware known as PhoneSpy that specifically targets this messaging app.
Kik is another popular app that cybercriminals use for communication. On top of that, apps related to Kik have been known to store passwords in plain text.
While this app has end-to-end encryption (unlike other messaging apps on this list) and is generally considered safer than its peers, it has its dangers. One early 2021 report suggested that Signal may allow threat actors to spy on you. Additionally, a story about how the FBI can hack Signal accounts raised the question: “Who else can hack these accounts?”
Even business-oriented messaging applications aren’t always safe. Slack has been used repeatedly to spread malware, including when cyberattackers abused the platform to spread the malware Ryuk.
Arguably the riskiest of the messaging apps, Snapchat is used by threat actors to implement phishing schemes (like a fake 2FA scam from mid-2021) and to sell stolen information. At DNSFilter, it’s the most-blocked social media tool on our network—nearly 10% of all Snapchat DNS queries are blocked.
This application has over 500 million active users. Unfortunately, reports of Telegram’s use by threat actors have increased in 2022, particularly as a place to sell stolen information. Credit cards are frequently posted for sale, costing between $15 and $1,500 per card. The platform is also used to spread malware. One malware variant actually searches for existing Telegram folders on a device and sends conversations back to the threat actor’s servers.
Tencent was founded in 1998 and has a host of products, including this messaging app. The company itself has been found to be linked to multiple malware campaigns, including a DDoS botnet (ABCbot) that targeted Tencent and other cloud service providers once its shell script was triggered.
Browser vulnerabilities can sometimes be used to infiltrate other apps. This happened in spring 2021 to WeChat: a Chrome exploit led to the abuse of WeChat, with users being sent malicious links. Due to security concerns over the application in 2020, WeChat was banned by the Australian military and the US Army as well, though the US ban has since been rescinded.
Remote Desktop Applications
The Remote Desktop Protocol (RDP) is a two-way communication protocol that is heavily used in IT. Windows operating systems include it by default, and Azure virtual machines (VMs) also use it as the default method for communication. This makes it an ideal tool for exploitation by threat actors, an attack vector that grew 768% between the beginning and end of 2020. But it’s often the third-party remote access tools that are the riskiest, with threat actors using relatively simple brute-force password attacks as their main means of compromise:
RDP software is inherently insecure. RemotePC is one of the most popular RDP applications available. For teams that aren’t using RemotePC, it’s important to block this tool.
TeamViewer is a particularly vulnerable application for a number of reasons. Its involvement as the entry point in an attack on a water treatment plant last year led to the FBI sending out an alert. It’s commonly used by organizations as part of their IT stack, but it is easily compromised by hackers, as in this VMware attack where a TeamViewer account lacking MFA was used as the entry point. Additionally, its name is exploited for malvertising campaigns, leading unsuspecting users to download malware when they are seeking to install the genuine TeamViewer application.
According to CrowdStrike’s 2021 Threat Hunting Report, RDP is the tool most often used for lateral movement within an organization. TeamViewer is the top non-native RDP tool used by cybercriminals.
LogMeIn (part of the ecosystem with GoToMeeting and GoToWebinar)
LogMeIn is now GoTo, but the software is still the same. Phishing attacks have been launched using LogMeIn where threat actors impersonated company employees. It has also been used to spread malware through Point of Sale systems.
Allowing filesharing apps to be used at your organization is a potentially big risk. While business-oriented filesharing apps like Dropbox seem secure, they can be leveraged for command-and-control communications, spreading malware, or downloading trojans. And of course, torrent sites like The Pirate Bay have always operated with users understanding that the likelihood of encountering some type of threat is higher on these sites.
This is an example of a filesharing application that is known for spreading adware.
It’s been four years since a poisoned BitTorrent client infected over 400,000 computers with cryptomining software in under a day, but it remains a risky application. Just last year, BitTorrent again led to a cryptomining scheme, as modified, free copies of Microsoft and Adobe programs shared on the platform infected users. It’s difficult to know whether what you’re downloading has been tampered with.
This filesharing app has been busy creating new anti-ransomware capabilities. At the same time, it’s possible to bypass Box MFA, and Box has been used for phishing in the past.
Dropbox is used in typosquatting attacks and malvertising. But aside from scams, Dropbox can be directly leveraged by threat actors. These attacks don’t always make big headlines, but check out Dropbox’s community forums for users asking for help after their Dropbox files were impacted by a ransomware attack.
While not inherently malicious, FileFactory can sometimes be responsible for trojans, malware, and other viruses, and its files wind up being flagged on services like VirusTotal.
Back in 2020, there was a warning that Citrix’s enterprise-level ShareFile could result in a data breach because of a number of vulnerabilities. It is also a popular tool for threat actors to mimic in phishing attacks.
The Pirate Bay
It’s no surprise that The Pirate Bay continues to be risky in 2022. From fake movies injecting code that can steal crypto to adware programs and trojans to pirated games spreading cryptojacking, the threat to your business is huge.
Downloading malicious torrents is a never-ending concern on uTorrent as well.
VPN and Proxy
Some consider VPNs old school, and in this work-from-home age they’re not 100% safe. Just this year, a VPN service was being used by cybercriminals to spread ransomware and malware. The group was taken down in a joint effort by Europol, the FBI, and the National Crime Agency (NCA). Ransomware gangs have taken advantage of zero-day vulnerabilities in multiple VPNs over the last year, but VPNs are also used to bypass filtering meant to protect end users, and that is a massive security issue.
While Hide.me might be good for end users, it can be a problem in a corporate environment. Hide.me advertises its ability to “Bypass Internet Censorship,” which in many cases boils down to bypassing filtering and could result in inadvertently visiting malware sites.
Another instance of threat actors taking advantage of a known property and using its name to deploy malicious software.
This is just a snapshot of the risky applications we’ve identified at DNSFilter. For the full list, you can sign up for a free trial of AppAware.