Skip to main content
Aug 29, 2018

Using real-time threat analytics to thwart a serial app attacker

How Arxan helped shut down continuous reverse engineering attacks

Operating in the Dark

It started after releasing an app update. A few days after deploying an update to the app store, a copycat version of a prominent financial transaction app appeared. The fraudulent app looked like the real thing, duping users into downloading it instead. Each time the copycat app was discovered and removed. And each time the company updated its legitimate app, a fraudulent one would appear.

The company was unable to determine how the attackers were able to reverse engineer their app or identify the source of the attacks. Attempts to mitigate the attacker’s exploits failed. The business suffered: user adoption failed to materialize, the fraudulent app tarnished the business’ reputation and brand, confused users and impacted revenue.

Copycat Attacks: This type of attack is accomplished by reverse engineering the app in question, exposing the source code of the app or revealing functional endpoints and logic, with the goal to monetize the copycat app. Once an app has been reverse engineered, it can be loaded with malware or fraudulent code and redistributed via the app store to unsuspecting end users. Once downloaded end users can have their credentials stolen, be redirected to fraudulent websites or presented with ads — all designed to enrich the attacker.

Seeing the Light

Without visibility into the attacks on the app in the wild, the company had no way to pinpoint the source of the threat or optimize its defenses to stop it.

Enter Arxan Threat Analytics.

After implementing Threat Analytics, the business had real-time data showing how attackers were targeting their application. With detailed visibility into the techniques and processes the attackers used to reverse engineer the app, the business was able to create an effective defense strategy.

Dissecting the Attack

Threat analytics provided detailed visibility into the techniques and processes the attackers used to reverse engineer the app. The developers used this information to create an effective defense strategy.

On the newly protected app, threat data analysis revealed the attacker first ran the app on a rooted device, familiarizing themselves with its operation. They then attempted an initial attack by manipulating or replacing resource files. When these approaches did not work because of the new protection mechanisms, the attacker moved on and tried to inject code into the binary before resorting to hook processes to exfiltrate the data. These methods were all unsuccessful because of the improved protection, but being able to track the anatomy of an attack in this way is crucial for remediating it immediately and to stay ahead of future attacks.


Being able to rapidly identify the methods used by attackers allowed the business to immediately shut down attackers. Learning how and where in the code the attacker targeted the app provided the security development team insight into where they needed to spend their resources to stop future attacks. 

Arxan-Threat-Analytics.jpgThe secondary benefit of knowing where the app was being attacked also revealed where it wasn’t. This attack data enabled the security team to fine-tune performance and deliver a better user experience without having to make protection trade-offs.

Beyond knowing what was happening to the app and where to harden its security, the business also used the threat analytics service to identify specific user accounts associated with the attacker. App-specific data from Threat Analytics combined with user records known to the business allowed the attackers to be identified and have their accounts blocked.

Additionally, other accounts were blocked that displayed malicious behavior and showed signs of originating in an untrusted environment. Any transactions originating from these accounts were flagged to require additional verification steps for account activity to be allowed.

The Bottom Line

Since introducing Arxan, the copycat apps have stopped, and the business can now serve its customers as intended. App adoption has improved, along with the business’s brand image, revenue and customer satisfaction. Arxan Application Protection with Threat Analytics helps assure the business is protected through focused app protection improvements.



Magnus Mjøsund

Magnus Mjøsund is a Group Product Manager at Arxan Technologies, setting the direction and strategy for Arxan Threat Analytics, App Management and Desktop. Working closely with customers to understand and solve their needs, as well as being a part of the engineering team, he helps deliver great features and products. Magnus has a background from IT consulting and project management. Originally from Norway, Magnus has a BSc in Economics from Copenhagen Business School, and an MBA and MSc in Information Systems from Boston University, and is now located in San Francisco, USA.

More from the Blog
Apr 02, 2018

How to Detect App Threats to Protect Your Business

Apr 02, 2018

Protecting Apps Is Not Enough: Why You Need Threat Analytics

Every app downloaded via an app store is running in a
Read more
Jul 25, 2018

Your App Security Risk Models Are Wrong

And That’s Why Feedback Is So Important Information security, especially application security, expresses its tenets and risk ...
Read more