Google Workspace Marketplace Restrictions Modified to Allow Any App
An adversary may modify Google Workspace Marketplace restrictions to allow installation of any application, potentially enabling the deployment of malicious APKs to end users within the Google Workspace environment, bypassing security restrictions.
This rule detects when Google Marketplace restrictions within a Google Workspace environment are modified to allow the installation of any application. Such a configuration change can severely weaken the security posture of the organization, as it bypasses the intended restrictions that prevent users from installing potentially malicious applications. Adversaries could upload malicious APKs to the Google Marketplace and, by enabling the "allow any app" setting, facilitate their installation on mobile devices managed within the Google Workspace. Google clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google. This change allows any application from the marketplace to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user. This rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.
Attack Chain
- An attacker gains administrative access to the Google Workspace environment, potentially through compromised credentials or exploiting a vulnerability in the administrative interface.
- The attacker navigates to the Google Workspace admin console and accesses the Google Workspace Marketplace Apps settings.
- The attacker modifies the "Apps Access Setting Allowlist access" setting for the Google Workspace Marketplace application.
- The attacker changes the setting from a restricted state (e.g., only allowing whitelisted applications) to "ALLOW_ALL".
- The attacker uploads a malicious APK to the Google Marketplace.
- Users within the Google Workspace environment are now able to install the malicious APK without restriction.
- The malicious APK executes on users' mobile devices, potentially leading to data theft, malware infection, or other malicious activities.
- The attacker leverages the compromised devices to gain further access to the Google Workspace environment or other connected systems.
Impact
If successful, this attack can lead to widespread compromise of mobile devices within the Google Workspace environment. The number of affected users depends on the size of the organization and the number of users who install the malicious application. This can result in data breaches, financial losses, and reputational damage. The sectors targeted are broad, encompassing any organization using Google Workspace.
Recommendation
- Deploy the Sigma rule
Google Workspace Marketplace Allow-All Settingto detect when the "Apps Access Setting Allowlist access" is set toALLOW_ALLin Google Workspace admin logs. - Investigate any instances where the
google_workspace.admin.new_valuefield is set toALLOW_ALLfor theGoogle Workspace Marketplaceapplication, as identified by the Sigma ruleGoogle Workspace Marketplace Allow-All Setting. - Regularly review and audit Google Workspace Marketplace app settings to ensure they align with security best practices, as mentioned in the references.
- Implement multi-factor authentication (MFA) for all administrative accounts in Google Workspace to prevent unauthorized access, which is the initial requirement for this attack.
- Monitor the
event.actionisADD_APPLICATIONto identify applications installed after these changes were made. as described in the Overview
Detection coverage 2
Google Workspace Marketplace Allow-All Setting
mediumDetects when the Google Workspace Marketplace restrictions are changed to allow any application.
Google Workspace Marketplace App Installation
lowDetects when a new application is added to Google Workspace after the Marketplace settings have been modified.
Detection queries are available on the platform. Get full rules →