Threat actors increasingly are targeting monitored applications with active protection as they leverage low-code techniques and AI-powered tools to target applications running outside corporate firewalls.
Those are among the conclusions from a report from Digital.ai that focused on application security threats. The report, based on anonymized and aggregated customer data collected across the month of February 2024, indicated that the ease and accessibility of AI and machine-learning coding tools that developers so enjoy also have a less savory cheering section. These tools empower threat actors to analyze applications more efficiently and develop malware with greater effectiveness.
Overall, there was a significant rise in application attacks so far in 2024, with an 8% year-over-year increase in the likelihood of an app being targeted. Among the factors driving the increase in breached applications are the democratization of reverse-engineering tools among hackers, a rise in jailbreaking activities, and the surging use of AI and MLwhich boosts malware development productivity.
Mobile applications are increasingly targeted. Due to the open source operating system, Android apps are more likely to face environmental attacks (94%) than are iPhone apps (70%).
The report also noted a sharp rise in specialized attacks that compromise app integrity, with iOS apps experiencing a growth to 20% from 6% in modified code attacks and Android apps to 63% from 28%.
Proactive Security Testing Required
Joni Klippert, co-founder and CEO at StackHawk, said the increase in application attacks underscores the critical need for proactive security testing throughout the software development lifecycle.
“The rise in attacks, especially those targeting gaming and financial services apps, highlights that no application is immune to threats,” Klippert said.
By integrating security testing early and continuously, engineering teams can identify and mitigate vulnerabilities before they are exploited in the wild. Doing so reduces the risk of breaches and ensures a stronger security posture for applications, Klippert added.
Application programming interfaces (APIs) are proliferating faster than current security measures can handle, a challenge exacerbated by AI code assistants like Copilot. “The rapid increase in APIs was already a significant issue, and with AI-generated code, manual testing alone is impractical and unsustainable,” Klippert said.
Financial Apps a Top Target
Gaming and financial services applications are at the highest risk, with attack rates of 76% and 67%, according to the Digital.ai report.
Monique Becenti, director at Zimperium, was unsurprised by the increase in application attacks. “This aligns with our own research, which found last year 80% of phishing sites now either target mobile devices specifically or are designed to function on both mobile and desktops,” she said.
Mobile phishing remains one of the most concerning tactics in the playbook of today’s evasive cybercriminals. “At some point, virtually anyone with a laptop or mobile device will be targeted,” Becenti said.
Becenti said Digital.ai’s report is also a “sobering reminder” that financial applications remain the hotspot for financially motivated attackers.
In Zimperium's Mobile Banking Heist Reportresearchers found 1,103 traditional banking apps were targeted, making up 61% of attacks towards financial apps, while 39% were emerging FinTech and trading apps (704 apps).
Malicious Actors Leverage AI Tools
Eric Schwake, director of cybersecurity strategy at Salt Security, also acknowledged the rise in sophisticated attacks.
Rather than relying on generic, automated attacks, bad actors are now leveraging reverse-engineering tools and AI/ML to craft attacks that exploit the unique business logic of individual applications. “This means that they can bypass traditional defenses like WAFs and manipulate legitimate application workflows for fraud, such as account takeover, fake account creation, and transaction manipulation,” Schwake said.
Because APIs are integral to modern-day applications, threat actors are developing new ways to exploit vulnerabilities. Malware developers’ increasing use of AI/ML is set to significantly raise the bar for application security threats. “Organizations can expect to face increased attack volumes, sophisticated evasion techniques that mimic legitimate traffic, and adaptive attacks that evolve in real time to bypass defenses,” Schwake warned.
Several emerging trends and technologies would influence the landscape of app security threats, Schwake predicted. For example, “API-first design, which involves integrating security from the initial design phase of APIs, will become increasingly important as applications rely more heavily on APIs.” He also believes a zero-trust model for API access, which assumes no trust by default, will become the standard, and API threat modeling will be essential for proactively identifying and addressing API-specific threats.
“Additionally, AI-driven security operations will streamline and automate security processes, speeding up incident response and enhancing overall security posture,” Schwake said.
Photo credit: Jakub Żerdzicki on Unsplash
Recent Articles By Author
GIPHY App Key not set. Please check settings