Mobile Devices Rise as Hackers' Wonderland: Nine Reasons Why

 
 
By Chris Preimesberger  |  Posted 2014-03-04 Email Print this article Print
 
 
 
 
 
 
 
 

Never mind the National Security Agency's tapping of smartphone applications to mine personal calling metadata. People and their employers need to understand their phones are also wide open to hackers and exactly what they are giving up in terms of privacy and information whenever a user installs an app. That fact is that they are also exposing their employer to myriad security risks. Marble Mobile Security Lab recently conducted an analysis of 50,000 Android apps, and the results are unnerving. Apps that combine Short Message Service (SMS) reading with address book exposure could create a huge threat to the security of enterprises. Many companies believe that the core security of mobile platforms such as Android and iOS makes them secure endpoints. But this research, supplied by Marble Security founder and CTO David Jevans—the highlights of which are displayed in this eWEEK slide show—shows that employees are downloading apps that endanger not only data and documents on their devices, but also create a threat to usernames and passwords and enable attackers to highly target companies and their employees.

 
 
 
  • Mobile Devices Rise as Hackers' Wonderland: Nine Reasons Why

    By Chris Preimesberger
    Mobile Devices Rise as Hackers' Wonderland: Nine Reasons Why
  • Nearly One-Third of Mobile Apps Access Users' Google Accounts

    These apps automatically log in to users' Google accounts, both personal and corporate, such as email, docs and Google +. Then they can access documents stored in Google Docs, and potentially send them off the device, exposing companies and users to data loss and theft, or opening the door to further network penetration. This is a huge threat.
    Nearly One-Third of Mobile Apps Access Users' Google Accounts
  • 17 Percent of Apps Send IMEI/SIM Card IDs to Internet Servers

    IMEI and SIM cards are unique numbers used to identify mobile devices so telcos can authenticate you and your device. When apps acquire and send these identifiers to third-party servers, they can be used to physically track you and your device. In addition, with these identifiers, criminals may be able to clone a device so they can receive a user's phone calls and text messages.
    17 Percent of Apps Send IMEI/SIM Card IDs to Internet Servers
  • 12 Percent of Apps Read Users' SMS Communications

    If an app can read the SMS texts on a mobile device, it can learn with whom the user communicates. For a corporate employee, this information presents a significant security breach, because criminals may use it to impersonate familiar people, maybe through another channel, to make a more successful phishing attack. SMS-based two-factor authentication, offered by Google, Twitter and many banks, can also be defeated if text messages are visible to malicious apps and third parties.
    12 Percent of Apps Read Users' SMS Communications
  • 9 Percent of Apps Read Users' Phone Call History

    As with compromised SMS texts, an app that reveals a user's mobile phone call history can help criminals begin building a social engineering graph on a particular user. A criminal now knows who the user calls and texts, and ultimately trusts. They will use this trust to attack specific companies by spoofing known contacts to obtain network log-ins and sensitive information.
    9 Percent of Apps Read Users' Phone Call History
  • 9 Percent of Apps Read Users' Contact Database

    The prospect of a company's contact database living somewhere on a third-party advertising server connected to the Internet is a severe security breach, because it exposes critical data used for spamming, phishing and social engineering schemes. Malicious code embedded within seemingly innocuous apps, such as games and utilities, can transfer contact databases directly to servers over the Internet.
    9 Percent of Apps Read Users' Contact Database
  • 6 Percent of Apps Read Web Browser History on the Device

    Businesses don't want their employees' browsing history exposed because it allows criminals to build profiles and learn what sites the employee visits, where they work, where they bank, corporate URLs visited, including Webmail servers and SharePoint sites. Equipped with an employee's browsing history and log-in credentials, a criminal can easily gain access to a corporate network, because many people use the same password or a slight variation for every site that requires authentication.
    6 Percent of Apps Read Web Browser History on the Device
  • 2.8 Percent of Apps Modify Device WiFi Settings

    Apps that automatically change WiFi settings on a mobile device expose employees to a variety of Web attacks. Employees can be directed to WiFi networks controlled by criminals so that all their traffic can be monitored or subjected to man-in-the middle attacks.
    2.8 Percent of Apps Modify Device WiFi Settings
  • 1.6 Percent of Apps Attempt to Install Other Apps or Malware on Devices

    On older versions of Android, apps can install other apps or malware without the user's knowledge. In fact, 1.6 percent of Android apps request permission to install apps. There is no reason for any mobile app to install another app on a device. These additional apps can be modified by criminals to seize complete control of the employee's device without their knowledge to track SMS texts, monitor phone calls, read browser histories and modify WiFi settings, exposing the employee and the enterprise to countless forms of attacks.
    1.6 Percent of Apps Attempt to Install Other Apps or Malware on Devices
  • Malware Versions of Apps Can Come Preloaded on Devices

    A specific example of a malicious app that Marble Security Labs identified that comes preloaded on devices is a Netflix imposter. There are about 10 to 12 versions of the app, and one malicious version aimed at stealing credit card details is available for download. The lab has discovered that the malicious version is often coming preloaded on out-of-the box phones and tablets. Whoever is preloading the brand-new devices is responsible. It's not Netflix's fault. Similar approaches could target corporate applications, seeking remote employee log-ins and passwords—the first step in advanced persistent threats (APTs).
    Malware Versions of Apps Can Come Preloaded on Devices
 
 
 
 
 
Chris Preimesberger Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on Salesforce.com and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and DevX.com and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif.Follow on Twitter: editingwhiz
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
Rocket Fuel