Loopholes in code banks put app users at risk

On August 8, US security firm Check Point Research released a report showing that hackers are planting malicious packages in PyPI, the leading Python code repository, which is used by over 600,000 developers around the world and forms part of nearly 3.7 million app releases.

Python is a popular programming language used to build widely used smartphone apps such as YouTube, Instagram, Reddit and Spotify. A code repository is an archive (akin to a bank) of code in a programming language, constantly updated by open source developers working on various app projects. GitHub, for instance, is used by developers to post, log and update their work and to distribute it to fellow developers under a licence. The platform, owned by Microsoft, claims to currently have over 83 million developers and 200 million code repositories.

Software developers around the world can access packages and scripts contributed by their counterparts and freely use them to develop new products. According to Check Point, hackers target a script (a series of instructions) in a PyPI package that handles the installation process of an app built on Python, so the malicious code runs as soon as the package is installed.
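An added, illustrative check for the technique described above (example code, not from Check Point, Mint or PyPI): it parses a package's setup.py with Python's standard `ast` module and flags custom setuptools command classes that call functions typical of install-time payloads. The two sample setup.py texts and the list of suspicious call targets are constructed for the example.

```python
# Added, illustrative detector (not Check Point's or PyPI's code). A hit is a
# reason to read the file by hand, not proof that the package is malicious.
import ast

# setuptools base classes whose run() executes during `pip install`.
HOOKED_COMMANDS = {"install", "develop", "egg_info", "build_py"}
# Dotted call targets that have no business inside an install step (constructed list).
SUSPICIOUS_CALLS = {"exec", "eval", "os.system", "os.popen", "subprocess.run",
                    "subprocess.call", "subprocess.Popen", "subprocess.check_output",
                    "urllib.request.urlopen", "base64.b64decode"}

def _dotted(node) -> str:
    """Render `exec`, `os.system` or `urllib.request.urlopen` as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    return ""

def find_install_hooks(source: str) -> list:
    """Return [(class, call), ...] for install-time command classes making suspicious calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        bases = {_dotted(b).split(".")[-1] for b in node.bases}
        if not bases & HOOKED_COMMANDS:
            continue  # a class, but not one setuptools runs at install time
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call) and _dotted(sub.func) in SUSPICIOUS_CALLS:
                findings.append((node.name, _dotted(sub.func)))
    return findings

# Constructed samples: a plain setup.py and one that hooks the install step.
BENIGN = "from setuptools import setup\nsetup(name='demo', version='1.0')\n"
HOOKED = (
    "from setuptools import setup\n"
    "from setuptools.command.install import install\n"
    "import base64, subprocess\n"
    "class PostInstall(install):\n"
    "    def run(self):\n"
    "        install.run(self)\n"
    "        subprocess.run(base64.b64decode('...'), shell=True)\n"
    "setup(name='demo', version='1.0', cmdclass={'install': PostInstall})\n"
)

if __name__ == "__main__":
    print(find_install_hooks(BENIGN))  # []
    print(find_install_hooks(HOOKED))
```

The check only looks at fully qualified call names, so a package that imports the same functions under other names would need a broader rule set.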

PyPI is simply a case in point. Security experts point out that thousands of malicious code snippets that have invaded public programming language repositories are finding their way into public mobile applications, increasing the chances of security glitches and backdoors (hidden entry points in the code that hackers exploit) being built into these apps. The malicious code snippets run in the background, so developers do not always notice them.

The reason: big companies that own apps have large teams working constantly to keep them secure, but independent developers have no such means, which makes them easy prey for hackers.

According to security firms, it is this open nature of repositories that makes them vulnerable to security breaches. Huzefa Motiwala, director of systems engineering for India and SAARC at US-based cyber security firm Palo Alto Networks, asserted that such instances are commonplace. “Most code repositories do not have a robust security screening and validation process, which allows cyber attackers to add malicious code snippets to popular repositories. There is also no way for small developers to edit their app’s code once an app is built using the unintended malicious scripts, and the only way for developers is to redo their project,” Motiwala said.

Himanshu Kohli, an independent developer and computer science student at the University of Illinois at Urbana-Champaign, who publishes his work on public code repository platform GitHub, said that most small-scale developers have blind faith in major repositories such as Python’s PyPI when it comes to filtering their code snippets for vulnerabilities. “Most of us typically do not have the resources to independently vet security vulnerabilities,” he said.

Ori Abramovsky, head of data science at SpectralOps, the research division of Check Point Research, told Mint that the end goal of the attack is to “make innocent software developers integrate their malicious code into apps that will eventually be executed on someone’s device.” He added that the range of exploits enabled by these scripts in repositories includes information-stealer malware, which scrapes users’ devices and relays personally identifiable information to attackers, who can then use it for a wide range of attacks such as spear phishing (targeted phishing).

He added that such scripts allow attackers to install backdoors, which in turn can be used for remote code execution (RCE) attacks. RCE attacks are commonly used for stealing financial information or for cyber espionage, the most notorious example of which is Israeli cyber operations firm NSO Group’s malware, Pegasus.

The issue is not confined to a single programming language such as Python. On August 10, a report by Singapore-headquartered cyber security firm CloudSEK said attackers are exploiting security breaches to steal personal access tokens (PATs) of GitHub developers. A GitHub PAT is the personal credential that developers use to access their code on the platform.

According to CloudSEK, hackers use stolen PATs to infiltrate developer repositories on GitHub, make unauthorized additions to their code, and even delete an entire repository. The CloudSEK research found 159 code repositories that could be cloned by hackers to add malicious scripts. Among the apps whose stolen PATs were found is Blinkit, a popular hyperlocal grocery delivery service in India.
