How Malicious Apps in Connected Vehicles Could Lead to Heightened Risks

By Omar Yang (Senior Threat Researcher, Automotive)

As vehicles transform into connected devices, they increasingly resemble smartphones on wheels and, as a result, invite new cybersecurity risks.

At the heart of this transformation is the software-defined vehicle (SDV). SDVs rely on software rather than hardware for functionality, allowing for continuous updates and enhancements. This software-centric approach offers customization and flexibility, the integration of apps for navigation, entertainment, advanced driver assistance systems (ADASs), and even autonomous driving.

However, as more apps are integrated into vehicles, the potential for cyberthreats increases. Apps that enhance the driving experience also make cars susceptible to threats such as malware, backdoors, and phishing attacks. Unlike with smartphones, vulnerabilities in cars, which are safety-critical devices, could lead to severe and potentially life-threatening consequences.

The role of app stores in SDVs

App stores are essential to the ecosystem of SDVs, serving as centralized hubs for downloading and updating applications that enhance the vehicles’ functionality. Like smartphone app stores, these platforms offer a curated selection of apps in different categories. In the case of SDV app stores, the categories include navigation, entertainment, vehicle diagnostics, and ADASs.

Google’s recent announcement of Android Automotive OS bringing more apps to cars highlights the excitement among car manufacturers, software developers, and users. This development marks a significant advancement, promising a better driving experience through an enriched app ecosystem.

The current state of apps in mobile phones and vehicles

The proliferation of apps on mobile phones is staggering, with the average smartphone user having around 80 apps installed but consistently using only about 30 of them monthly​. These apps cover a wide range of functionalities, from social media and entertainment to banking and productivity.

In contrast, the integration of apps in vehicles is still in its early stages but is rapidly evolving. Modern vehicles increasingly feature app platforms that offer drivers access to navigation, music streaming, and vehicle diagnostics directly from their dashboards. While the number of apps available for vehicles is fewer than that for smartphones, it is expected to increase significantly as more manufacturers adopt SDV technology. The in-car app market is forecasted to see significant growth from 2024 to 2032, driven by the increasing demand for connectivity and advanced vehicle functionalities​.

Malicious apps on mobile phones

Malicious apps on mobile phones pose significant threats, often going unnoticed until they have caused substantial damage. One high-profile case of such a scenario involves a Chinese e-commerce app that was discovered to contain malware capable of exploiting vulnerabilities in Android systems. This malware could monitor user activities, access data from other apps, and even modify system settings without user consent​.

Reports from Trend Micro highlight other concerning scenarios. For instance, in 2020, the mobile banking trojan Faketoken resurfaced and sent offensive messages from victims’ accounts and exploited financial apps to steal sensitive information​. Another report uncovered malicious apps on Google Play that communicated with trojans, installed additional malware, and performed mobile ad fraud. These malicious apps disguised themselves as legitimate apps, making it difficult for users to identify them as threats​.

How malicious apps could compromise cars

The vehicle app ecosystem could very likely go down a similar path. As the vehicle app ecosystem expands, the risk of malicious apps infiltrating car systems increases. Malicious apps often disguise themselves as tools designed to enhance a car’s in-vehicle infotainment (IVI) system or improve performance. But instead of providing genuine benefits, they can steal personally identifiable information (PII), commit fraud, deploy ransomware, or serve adware. For example, an app that claims to optimize engine performance might secretly access and abuse sensitive data such as location history or financial information stored within the car’s systems. This not only compromises the vehicle’s security but also puts the driver’s privacy and safety at risk.

Another significant risk comes from jailbroken operating systems or third-party app stores that offer free versions of paid or subscription-based apps. These unauthorized platforms can introduce vulnerabilities, as the apps and the stores themselves might be malicious. Users seeking free apps might inadvertently download malware that compromises their vehicles’ security, leading to data breaches or system malfunctions.

Moreover, some apps or browser extensions offer incentives to users in exchange for tracking their behavior. While this might seem harmless, such tracking can lead to privacy invasions and data being sold to third parties without the users’ explicit consent. For vehicles, this could mean detailed logs of drivers’ habits, routes, and schedules being exploited for malicious purposes.

Malicious apps likely to compromise cars are commonly deployed for the following purposes:

• Theft of PII: Compromised apps can lead to identity theft and unauthorized access to sensitive information.
• Fraud: Malicious apps can facilitate fraudulent activities, such as unauthorized financial transactions.
• Ransom: Vehicles could be immobilized until a ransom is paid, posing significant safety risks.
• Advertising: Persistent adware can degrade the performance of a car’s systems and distract the driver, potentially leading to accidents.
• Trojan: Apps acting as trojans can provide backdoor access for further malicious activities, compromising the entire car system.

Table 1. Security risks, their impact, and their examples

The higher stakes of malicious apps in vehicles

Vehicles are inherently safety-critical systems, meaning that their failure or compromise can lead to severe consequences, including injury or loss of life. This elevates the importance of securing the software that controls various aspects of a vehicle’s operation.

Potential scenarios illustrate the heightened stakes involved. A malicious app could introduce a backdoor into a vehicle’s control systems, allowing unauthorized users to manipulate critical functions like brakes or acceleration. Ransomware could lock essential features, such as starting the engine or using navigation, until a ransom is paid. Additionally, a compromised app might leak sensitive data like real-time location or driving patterns, which could be exploited for stalking or theft. Adware could distract drivers with intrusive ads, increasing the risk of accidents. Each of these scenarios not only causes privacy concerns or financial losses but also poses significant safety risks, highlighting the critical need for robust cybersecurity measures in the automotive industry.

Mitigation strategies against malicious apps

To mitigate the risks posed by malicious apps in vehicles, several strategies should be employed. First, security by design is essential, integrating robust cybersecurity measures from the development stage of both vehicle software and apps. Regular software updates are recommended to patch vulnerabilities and protect systems against emerging threats. User education can help drivers recognize and avoid suspicious apps and phishing attempts. Lastly, adherence to regulations and standards like ISO/SAE 21434 helps ensure that automotive cybersecurity measures meet industry benchmarks. These strategies collectively enhance vehicle security, protecting both the vehicle and its occupants from risks due to malicious apps and other threats.

Table 2. Mitigation strategies against malicious apps and the problems that they address

For more insights on automotive cybersecurity, visit our resource center and read our other blog entries.