Podcasts
Word Notes
Ep 114
Word Notes 8.30.22
Ep 114 | 8.30.22

Sideloading (noun)

Show Notes
Transcript

Rick Howard: The word is: Sideloading.

Rick Howard: Spelled: Side as in not from normal channels and loading as in installing a program the process of installing applications on a device without the use of official software distribution channel.

Rick Howard: Example sentence: The user enabled sideloading to install a third party app on their Android phone.

Rick Howard: Origin and context: Most software vendors, including Google, Apple, and Microsoft offer official versions of their software via portal sites or app stores. 

Rick Howard: The responsible vendors, typically vet the software for security and stabilization issues. This isn't foolproof. There have been cases where vendors have deployed malicious apps by mistake, but as a rule, it's generally much safer installing apps from the approved app store than it is installing unvetted apps. Side loading from third party websites or from Kevin who lives down the block that said there are legitimate reasons for sideloading and many devices allow users to choose to enable it. Android phones, for example, give users the option to download third party software from outside of the Google Play store.

Rick Howard: Although they warn that there are security risks associated with this, iPhones, on the other hand, don't allow the installation of any apps outside the Apple's app store users would need to jail break their iOS operating system. In order to side load apps for an iPhone. According to PC World, "jailbreaking can be thought of as the process of installing a modified set of kernel patches that allow you to run unsigned code," but hackers use sideloading for malicious purposes too. 

Rick Howard: They can hide malicious code in functional and seemingly legitimate applications (Trojan horses) giving them a foothold on the system through which they can install additional malware. Matthew Gracey McMinn, Head of Threat Research at Netacea told CSO Online, "clever criminals tried to bundle malware with something useful, such as a free PDF to word document converter. The user installs the useful tool blissfully unaware of the malware running in the background. This background malware creates a back door, which gives the attacker access to and control of the device."

Rick Howard: Researchers at Mimecast last year (2021) discovered a sideloading campaign that exploited Microsoft's App Installer feature to trick users into downloading a malicious app. The attacker sent phishing emails, containing a phony link to a PDF file. When the user clicked a link, they'd be taken to a webpage that told them they need to install an app.

Rick Howard: In order to view the file, this would bring up a legitimate windows installation box that asked the user to approve the download, which contained the Trojan.

Rick Howard: Nerd reference: You're listening to one of the songs from the 2004 movie soundtrack, Troy, starring Brad Pitt, Diane Kruger, Eric Bonna, Orlando Bloom, and the host of that guy, actors and actresses that we all know.

Rick Howard: The movie dramatizes Virgil's epic poem, the Aeneid, written between 29 and 19 BCE. The story of how the Greeks, after a fruitless 10 year siege of the city of Troy tried a deception plan. King Odysseus, the legendary Greek king of Ithaca and the hero of Homer's epic poem, the Odyssey, built a giant and magnificent wooden horse as a peace offering, left it outside the gates of Troy and sailed away. The Trojans, thinking their ordeal was over, hauled the giant horse into the city. That night, while the city slept, the Greek fleet sailed back to the Trojan stronghold under the cover of darkness. And King Odysseus, secreted away within the belly of the giant horse with some of his best men, snuck out of the horse, opened the gates to let the Greek army in, and burned the city of Troy to the ground. So when you hear that sideloading is a kind of a Trojan horse, Now, you know what they are talking about. 

Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.

Word Notes
Podcast Info
HOST(S):
Rick Howard
Rick Howard is the CSO of N2K and the Chief Analyst, and Senior Fellow at the N2K Cyber, formerly CyberWire. His past lives include CSO at Palo Alto Networks, CISO at TASC, the GM at Verisign/iDefense, the Counterpane SOC Director, and the Commander of the Army's Computer Emergency Response Team (CERT). Rick served 25 years in the Army, taught computer science at West Point, edited two books and just published his own book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics" and he is regularly joined at the N2K Cyber's Hash Table by a collection of industry experts.
Schedule: Tuesdays
Creator: CyberWire, Inc.
ADVERTISEMENT
Sponsored by KnowBe4
Sponsored by KnowBe4

KnowBe4, the provider of the world’s largest integrated security awareness training and simulated phishing platform. KnowBe4 helps organizations address the human element of security by raising awareness of social engineering tactics through a new-school approach to security awareness training. Learn more at KnowBe4.