2Nearly One-Third of Mobile Apps Access Users’ Google Accounts
These apps automatically log in to users’ Google accounts, both personal and corporate, such as email, docs and Google +. Then they can access documents stored in Google Docs, and potentially send them off the device, exposing companies and users to data loss and theft, or opening the door to further network penetration. This is a huge threat.
317 Percent of Apps Send IMEI/SIM Card IDs to Internet Servers
IMEI and SIM cards are unique numbers used to identify mobile devices so telcos can authenticate you and your device. When apps acquire and send these identifiers to third-party servers, they can be used to physically track you and your device. In addition, with these identifiers, criminals may be able to clone a device so they can receive a user’s phone calls and text messages.
412 Percent of Apps Read Users’ SMS Communications
If an app can read the SMS texts on a mobile device, it can learn with whom the user communicates. For a corporate employee, this information presents a significant security breach, because criminals may use it to impersonate familiar people, maybe through another channel, to make a more successful phishing attack. SMS-based two-factor authentication, offered by Google, Twitter and many banks, can also be defeated if text messages are visible to malicious apps and third parties.
59 Percent of Apps Read Users’ Phone Call History
As with compromised SMS texts, an app that reveals a user’s mobile phone call history can help criminals begin building a social engineering graph on a particular user. A criminal now knows who the user calls and texts, and ultimately trusts. They will use this trust to attack specific companies by spoofing known contacts to obtain network log-ins and sensitive information.
69 Percent of Apps Read Users’ Contact Database
The prospect of a company’s contact database living somewhere on a third-party advertising server connected to the Internet is a severe security breach, because it exposes critical data used for spamming, phishing and social engineering schemes. Malicious code embedded within seemingly innocuous apps, such as games and utilities, can transfer contact databases directly to servers over the Internet.
76 Percent of Apps Read Web Browser History on the Device
Businesses don’t want their employees’ browsing history exposed because it allows criminals to build profiles and learn what sites the employee visits, where they work, where they bank, corporate URLs visited, including Webmail servers and SharePoint sites. Equipped with an employee’s browsing history and log-in credentials, a criminal can easily gain access to a corporate network, because many people use the same password or a slight variation for every site that requires authentication.
82.8 Percent of Apps Modify Device WiFi Settings
91.6 Percent of Apps Attempt to Install Other Apps or Malware on Devices
On older versions of Android, apps can install other apps or malware without the user’s knowledge. In fact, 1.6 percent of Android apps request permission to install apps. There is no reason for any mobile app to install another app on a device. These additional apps can be modified by criminals to seize complete control of the employee’s device without their knowledge to track SMS texts, monitor phone calls, read browser histories and modify WiFi settings, exposing the employee and the enterprise to countless forms of attacks.
10Malware Versions of Apps Can Come Preloaded on Devices
A specific example of a malicious app that Marble Security Labs identified that comes preloaded on devices is a Netflix imposter. There are about 10 to 12 versions of the app, and one malicious version aimed at stealing credit card details is available for download. The lab has discovered that the malicious version is often coming preloaded on out-of-the box phones and tablets. Whoever is preloading the brand-new devices is responsible. It’s not Netflix’s fault. Similar approaches could target corporate applications, seeking remote employee log-ins and passwords—the first step in advanced persistent threats (APTs).