Lately, we've witnessed a surge in legitimate apps and websites performing port scans on users' devices, sparking curiosity and concern. Even more intriguing is the fact that these apps, particularly from banks and financial institutions, have raised red flags. Are they compromised? Are they launching attacks? Let's dive into this fascinating phenomenon to unravel the truth behind the recent detections.
Spoiler: in this case, the trend was not of a malware campaign, but a new fashion for checking device state.
A port scanning attempt is discovered on the network
A “port” is a network address for a particular process or program running on a device. You can imagine it as a virtual door assigned to a specific process or program. Each process gets its own door with a unique number. Importantly, most programs have a door number they prefer to use. A web server usually uses port 80 or 443 to receive HTTP traffic. Xbox Live, for example, uses port 3074. If I know which ports are open on a system, I can be reasonably confident which programs are running. This is the basis of port scanning.
Port scanning is a legitimate tool used by system and network administrators to troubleshoot network problems, to check what’s running, and to confirm that systems are configured correctly. They also run port scans to identify vulnerable processes running on their machines.
But while port scanning has many legitimate applications, it is also embraced by hackers, who use it to find services they can exploit. In fact, this is often the first reconnaissance step an offensive hacker will take when they take on a new target. They deploy tools such as nmap to scan for open ports, or they create malicious programs or apps capable of running port scans autonomously on unsuspecting devices after installation.
At Kaymera, we treat apps that run port scans as highly suspicious, for all the reasons described here. They are often created by hackers to find vulnerable devices. So when legitimate apps for well-known banks and peer-to-peer money transfer suddenly started triggering port scan alerts, it appeared that these seemingly innocent apps could be up to something malicious. After confirming that the apps had been correctly downloaded from Google’s Play Store, and were indeed scanning ports, concerns grew that these apps had been victims of a supply chain attack.
A website attempts to connect to a closed port, using JavaScript
A supply chain attack involves using the trusted channels behind app development and distribution to insert malicious code or malware into legitimate apps, which unsuspecting users then download and install. Once on the device, the attackers may gain unauthorized access, wreak havoc, and exploit vulnerabilities in the Android operating system. It's a sneaky attack that puts a vast number of users at risk and can cause a lot of damage.
And it’s not just Android apps. We’ve seen websites for banks and financial institutions running port scans, for the same reasons. It surprises a lot of people to discover that a website you visit can run a port scan on your computer, but this technique has long been known. When the page opens a WebSocket connection to the local device (localhost), a closed port immediately refuses the connection, whereas an open port usually rejects it more slowly (by a few milliseconds). This small difference in response time allows websites to identify running vulnerable services, or known malware attached to those ports.
After consulting our anti-fraud expert and fraud defense experts, we discovered that this was not the case. In fact, these banking apps are running port scans to increase their confidence that they are not running on a compromised device. They do this for two reasons: first, to ensure that there are no insecure processes on the device. But additionally, some types of malware also open ports, and these port numbers can be used as a way of detecting and identifying the malware. The findings from the port scan are combined with other factors to calculate the risk of fraud.
Why does malware open ports? The primary reason is to allow the attacker to connect remotely and send commands - such as stealing sensitive data or encrypting the victim’s files. But it can also be used as a convenient channel for different modules of the malware to communicate with each other.
Financial malware such as Dridex has another reason for opening ports. It injects malicious JavaScript code into web browsers (in an HTTP response) to steal information such as passwords or credit card numbers. The malware then opens a port in order to receive this sensitive data (using AJAX), and ultimately to forward it to the attacker's command and control infrastructure. Searching for its open port can be an effective way to detect this malware, especially as this type of check can be done with relatively low privileges.
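To make the device-state check described above concrete, here is an added example (not Kaymera's code, nor any bank's) of the defensive use of a local port check: it probes only loopback ports from a small watchlist, records which ones have a listener, and folds the findings into a risk score alongside other signals, as the text says the banking apps do. The watchlist entries, their labels and weights, and the `other_signals` dictionary are constructed assumptions for illustration, not a vetted malware signature list; a real integrity check would source its port list from threat intelligence and calibrate the weights against fraud outcomes.

```python
import socket
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed watchlist (assumption, not real signatures):
# local port -> (what a listener there would suggest, risk weight 0-100).
DEFAULT_WATCHLIST: Dict[int, Tuple[str, int]] = {
    5555: ("debug-bridge-style listener", 30),
    4444: ("common remote-shell default port", 50),
    8080: ("local proxy or injected-content relay", 20),
}


@dataclass(frozen=True)
class PortFinding:
    port: int
    label: str
    weight: int


def probe_local_port(port: int, timeout: float = 0.2) -> bool:
    """Return True if some process is listening on 127.0.0.1:<port>.

    This is the observation the article relies on: a closed port refuses the
    connection immediately (TCP RST), while an open one completes the
    handshake. connect_ex() returns 0 on success and an errno otherwise, so
    the common refused case needs no exception handling. Only loopback is
    probed; this is a self-check of the local device, not a network scan.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex(("127.0.0.1", port)) == 0


def scan_watchlist(
    watchlist: Dict[int, Tuple[str, int]] = DEFAULT_WATCHLIST,
) -> List[PortFinding]:
    """Probe every watchlisted loopback port and report those with a listener."""
    findings: List[PortFinding] = []
    for port, (label, weight) in sorted(watchlist.items()):
        if probe_local_port(port):
            findings.append(PortFinding(port, label, weight))
    return findings


def device_risk(findings: List[PortFinding], other_signals: Dict[str, int]) -> int:
    """Combine port findings with other factors into a 0-100 risk score.

    other_signals is a constructed stand-in for the "other factors" the
    article mentions (e.g. {"rooted": 30, "unknown_accessibility_service": 20}).
    The simple additive model is an illustration, not a recommended scoring
    policy.
    """
    score = sum(f.weight for f in findings) + sum(other_signals.values())
    return max(0, min(100, score))


if __name__ == "__main__":
    # Example run against the constructed watchlist on this machine.
    found = scan_watchlist()
    for f in found:
        print(f"port {f.port} open: {f.label} (weight {f.weight})")
    print("risk score:", device_risk(found, {"rooted": 0}))
```

Because the probe is restricted to loopback and to a fixed, short list, it stays cheap and low-privilege, which is why this kind of check fits inside an ordinary app's permissions; anything that widens the target beyond the local device is exactly the behaviour that should trip an alert.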
We see that in many cases, banks’ apps are running port scans for legitimate reasons. There are perhaps some privacy concerns here, but for the most part, if you detect a port scan from an app you trust, that was downloaded from a reliable source, then it’s likely not a concern. But as always, this depends on your personal threat model.
Stay protected.