Analysis of Café Bazaar apps reveals concerning malware problem


Overview of Café Bazaar

Café Bazaar is an Iranian Android marketplace created by Reza Mohammadi and Jessam Armandehi, and the company has announced that the platform has surpassed 40 million users. For our non-Iranian readers, Café Bazaar offers its services specifically to Persian-speaking users, hosts more than 160 0000 downloadable Iranian and international applications for gaming, social media and other uses, and sees roughly 20 million visits a week within Iran. It is the most popular app store in Iran and controls over 97% of the Iranian market.

Café Bazaar has a history of suffering security incidents

After a long period of denial, it was confirmed that in April 2019 Café Bazaar had been hacked by Russian hackers and that customer information and the platform's source code had been leaked. Analysis of the leaked source code showed signs that the service may not have been implemented properly and that there may be a security vulnerability in its security process. This type of misconfiguration left the platform vulnerable to being used to distribute malware through Café Bazaar.

What is the purpose of the malware in the Android market?

Android malware in Iran perhaps behaves differently from malware elsewhere in the world: the main purpose of the malware found in Iran is to generate revenue for its creator. It is therefore less common to find malware of high complexity. For example, in the case of Telegram, the popular messaging platform, the malware found affecting this application is often seen to take control of victims' accounts, display ads, and sell users' Telegram data, all in pursuit of revenue. After analyzing the types of malware affecting Telegram, researchers discovered that many of them share a very similar structure, and that much of the malware could be traced back to ready-made code bought online that had already been shown to work on platforms like Café Bazaar. The sellers simply change a few lines here and there and re-sell the code as new; this takes minimal effort and allows quick resale, but at the expense of any sophistication in the product.

Analysis of malware in Café Bazaar apps

Perhaps surprisingly to some, an article published in 2017 by a team from a Japanese university analyzed the Café Bazaar Android market and came to the shocking conclusion that Café Bazaar was one of the safest markets in the world. This is especially surprising because the Google Play Store comes eighth in that review. As this seemed a bit odd, another cyber security researcher decided to conduct his own research on the platform.

We reached out to independent Iranian cyber security analyst Mohsen Tahmasebi and his colleagues. They had decided to conduct an independent security screening of Café Bazaar, selecting applications to run through several antivirus platforms such as VirusTotal. The researchers evaluated a total of 153 451 applications through VirusTotal and discovered that almost 50% of the apps reviewed were detected as having some form of malware by at least one of the anti-virus engines.
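The "flagged by at least one engine" criterion described above is the key methodological choice in a VirusTotal-style survey, and a practitioner reading the 50% figure will want to know how sensitive it is to that threshold. The following is an added example, not code from the report or from Café Bazaar: it aggregates constructed scan summaries (the `package`, `positives` and `total` field names are assumptions modelled on a VirusTotal report summary) and shows how the flagged fraction changes as the minimum number of detecting engines is raised.

```python
"""Aggregate VirusTotal-style scan summaries by detection threshold.
Added example; sample records are constructed, field names are assumed."""
from collections import Counter

# Constructed sample: one record per scanned APK, with the number of
# engines that flagged it ("positives") and the number that scanned it.
SAMPLE_SCANS = [
    {"package": "ir.example.game1",   "positives": 0,  "total": 60},
    {"package": "ir.example.game2",   "positives": 1,  "total": 61},
    {"package": "ir.example.social1", "positives": 2,  "total": 59},
    {"package": "ir.example.tool1",   "positives": 0,  "total": 60},
    {"package": "ir.example.tool2",   "positives": 14, "total": 62},
    {"package": "ir.example.wallp1",  "positives": 1,  "total": 58},
    {"package": "ir.example.news1",   "positives": 7,  "total": 60},
    {"package": "ir.example.shop1",   "positives": 0,  "total": 61},
]


def flagged_ratio(scans, min_positives=1):
    """Fraction of apps flagged by at least `min_positives` engines.

    min_positives=1 reproduces the "at least one anti-virus" criterion
    used in the survey; raising it shows how much of the headline figure
    rests on single-engine hits, which are often heuristic or adware calls.
    """
    if not scans:
        return 0.0
    hits = sum(1 for s in scans if s["positives"] >= min_positives)
    return hits / len(scans)


def detection_histogram(scans):
    """Count apps per number of flagging engines (0, 1, 2, ...)."""
    return Counter(s["positives"] for s in scans)


def threshold_table(scans, thresholds=(1, 2, 5, 10)):
    """Flagged fraction for each threshold, for a side-by-side comparison."""
    return {k: flagged_ratio(scans, k) for k in thresholds}


if __name__ == "__main__":
    for k, ratio in threshold_table(SAMPLE_SCANS).items():
        print(f">= {k:2d} engines: {ratio:.0%} of apps flagged")
    print("histogram:", dict(sorted(detection_histogram(SAMPLE_SCANS).items())))
```

On the constructed sample the figure drops from 63% at one engine to 13% at ten, which is the gap a reviewer should ask about before comparing two surveys that use different thresholds.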

So why the large difference in findings between Mr. Tahmasebi and the Japanese university? According to Mr. Tahmasebi, there could be many reasons for the variance, but he thinks it is probably because the authors of the Japanese report only looked at a small sample of Café Bazaar-hosted apps; this being so, the article is probably of lower quality, given that Mr. Tahmasebi analyzed over 150 000 apps.

It cannot be known for sure, but there is always a possibility that the authors could have been paid to come to such a conclusion, or were given a select number of specific applications to analyze. Café Bazaar has used the article many times for self-promotion. Even if this was just a simple misunderstanding and no payments were involved, it still holds true that the mistakes made by the university researchers in the Japanese article were large academic mistakes that should not have occurred.

Mr. Tahmasebi clarifies that his analysis of Café Bazaar security does not concern Café Bazaar itself; rather, it is about the security of the individual apps hosted within the Café Bazaar environment. He has not conducted any work on the internal security of the platform itself. He does not personally think that Café Bazaar's failure to tackle malware within its marketplace has anything to do with "an instruction from on high"; rather, it is the result of Café Bazaar's negligence in checking and applying security measures.

This only applies to the malware and adware that he has studied. There are other ambiguities about other apps that might have been tampered with or represent a security risk, and he is not willing to speculate on why they have been allowed to persist in the marketplace.

Alternatives to Café Bazaar and protecting yourself in the marketplace

Instead of Café Bazaar, Mr. Tahmasebi recommends the Google Play Store to our readers; he recognizes there may be location-related difficulties with that, but they are easy to overcome. Definitely do not use "secondary marketplaces", including Café Bazaar, but do not blindly trust the Google Play Store either, as there is malware on there too.

Ultimately, Mr. Tahmasebi suggests that there are some default, standard security measures people can take to protect themselves from being hacked, and that if people follow those measures they will generally be pretty safe: do not install random files, ensure you get software from legitimate places, be careful who you trust, and keep your anti-virus and your operating system updated.

The full report and analysis can be found on Mr. Tahmasebi’s personal site.
