Mobile Devices Rise as Hackers' Wonderland: Nine Reasons Why

Mobile Devices Rise as Hackers' Wonderland: Nine Reasons Why
Nearly One-Third of Mobile Apps Access Users' Google Accounts
17 Percent of Apps Send IMEI/SIM Card IDs to Internet Servers
12 Percent of Apps Read Users' SMS Communications
9 Percent of Apps Read Users' Phone Call History
9 Percent of Apps Read Users' Contact Database
6 Percent of Apps Read Web Browser History on the Device
2.8 Percent of Apps Modify Device WiFi Settings
1.6 Percent of Apps Attempt to Install Other Apps or Malware on Devices
Malware Versions of Apps Can Come Preloaded on Devices
1 of 10

Mobile Devices Rise as Hackers' Wonderland: Nine Reasons Why

By Chris Preimesberger

2 of 10

Nearly One-Third of Mobile Apps Access Users' Google Accounts

These apps automatically log in to users' Google accounts, both personal and corporate, such as email, docs and Google +. Then they can access documents stored in Google Docs, and potentially send them off the device, exposing companies and users to data loss and theft, or opening the door to further network penetration. This is a huge threat.

3 of 10

17 Percent of Apps Send IMEI/SIM Card IDs to Internet Servers

IMEI and SIM cards are unique numbers used to identify mobile devices so telcos can authenticate you and your device. When apps acquire and send these identifiers to third-party servers, they can be used to physically track you and your device. In addition, with these identifiers, criminals may be able to clone a device so they can receive a user's phone calls and text messages.

4 of 10

12 Percent of Apps Read Users' SMS Communications

If an app can read the SMS texts on a mobile device, it can learn with whom the user communicates. For a corporate employee, this information presents a significant security breach, because criminals may use it to impersonate familiar people, maybe through another channel, to make a more successful phishing attack. SMS-based two-factor authentication, offered by Google, Twitter and many banks, can also be defeated if text messages are visible to malicious apps and third parties.

5 of 10

9 Percent of Apps Read Users' Phone Call History

As with compromised SMS texts, an app that reveals a user's mobile phone call history can help criminals begin building a social engineering graph on a particular user. A criminal now knows who the user calls and texts, and ultimately trusts. They will use this trust to attack specific companies by spoofing known contacts to obtain network log-ins and sensitive information.

6 of 10

9 Percent of Apps Read Users' Contact Database

The prospect of a company's contact database living somewhere on a third-party advertising server connected to the Internet is a severe security breach, because it exposes critical data used for spamming, phishing and social engineering schemes. Malicious code embedded within seemingly innocuous apps, such as games and utilities, can transfer contact databases directly to servers over the Internet.

7 of 10

6 Percent of Apps Read Web Browser History on the Device

Businesses don't want their employees' browsing history exposed because it allows criminals to build profiles and learn what sites the employee visits, where they work, where they bank, corporate URLs visited, including Webmail servers and SharePoint sites. Equipped with an employee's browsing history and log-in credentials, a criminal can easily gain access to a corporate network, because many people use the same password or a slight variation for every site that requires authentication.

8 of 10

2.8 Percent of Apps Modify Device WiFi Settings

Apps that automatically change WiFi settings on a mobile device expose employees to a variety of Web attacks. Employees can be directed to WiFi networks controlled by criminals so that all their traffic can be monitored or subjected to man-in-the middle attacks.

9 of 10

1.6 Percent of Apps Attempt to Install Other Apps or Malware on Devices

On older versions of Android, apps can install other apps or malware without the user's knowledge. In fact, 1.6 percent of Android apps request permission to install apps. There is no reason for any mobile app to install another app on a device. These additional apps can be modified by criminals to seize complete control of the employee's device without their knowledge to track SMS texts, monitor phone calls, read browser histories and modify WiFi settings, exposing the employee and the enterprise to countless forms of attacks.

10 of 10

Malware Versions of Apps Can Come Preloaded on Devices

A specific example of a malicious app that Marble Security Labs identified that comes preloaded on devices is a Netflix imposter. There are about 10 to 12 versions of the app, and one malicious version aimed at stealing credit card details is available for download. The lab has discovered that the malicious version is often coming preloaded on out-of-the box phones and tablets. Whoever is preloading the brand-new devices is responsible. It's not Netflix's fault. Similar approaches could target corporate applications, seeking remote employee log-ins and passwords—the first step in advanced persistent threats (APTs).

Top White Papers and Webcasts