Beware of mobile apps bearing gifts this Christmas

By Michael Sutton


Users should be aware that it’s not just mobile malware but, more importantly, data privacy breaches that they may be confronted with if they are not careful with their digital habits. With BAD (Bring Any Device) being so widespread, this can also affect enterprise data.


So when downloading free apps, if you want to keep your privacy, Zscaler has the following tips:


1.       Stay away from non-official app stores. You can block access to the URL if you are an enterprise user.


2.       Have a solution in place that permits filtering and monitoring network traffic regardless of device or location to prevent malicious activity and privacy breaches. Solutions that only monitor LAN traffic are blind when employees work beyond the office, which is quickly becoming the norm.


3.       It is Important to have a security technology that can deliver reports to identify the apps that your employees are using, highlight associated risks and allow for policies to be implemented to mitigate that risk.


The top mobile apps, whilst being fun or useful, also ask for privileges that can allow a user to be monitored, and sensitive information potentially viewed and compromised. This might not be of too much concern to some people but, depending on who you are and where this sometimes sensitive information is shared, the loss of your privacy can suddenly become very important.  Consider the case of a senior executive, whose company-owned device has applications installed which have been granted permissions to access to his address book, photos or geo-location data.


Users should assume apps are harvesting tracking data, especially free apps as this is how advertisers make money, by creating device profiles in order to better target advertisements. This is true even for legitimate app stores but the problems get even worse when considering apps from ‘unofficial’ Android app stores, which may have malicious functionality in addition to privacy issues. People need to be aware of this stuff and I don’t think that they are.


A free app wants to deliver meaningful advertisements, so the app will grab whatever it can to track that device. This is done by obtaining unique identifiers for the device, such as the device’s, IMEI/ UDID numbers or MAC addresses. If the same advertising SDK (software development kit) is used on many apps the advertiser can create a profile for the device. This is done to deliver meaningful ads that match your preferences.  Some people don’t care about that, but some people don’t like it at all as it tracks you and your behaviour.


According to a list of the most popular apps by Global Web Index, these are mainly social networks which require personal or geo-location data. People mistakenly assume that the most popular apps are likely to have more strict privacy controls, but in general, the top ten apps will not be doing anything worse or treat your privacy any better than number 10,000 or number 20,000.


Most of the apps that we see which are really malicious are not on official app stores; almost everything truly malicious comes from third party Android app stores. The majority are fake or cloned versions and most generate revenue for attackers by carrying out SMS fraud which sends text messages to premium rate numbers.


According to research released this week by ZScaler, the Android malware MouaBad.P has the ability to read, write, send and receive SMS messages. Forcing Android applications to initiate calls to premium phone numbers controlled by the attackers is a common revenue generation scheme that we see, particularly in Android application distributed in third party Android app stores.


This analysis of apps shows common themes across privacy as apps are often aggressive in terms of the user data that they want access to, and it is often because they are free apps. They track user information because the advertisers want that.


ZScaler research has found that 22% of apps on the Google Play Store contain advertising libraries that at least some antivirus vendors
classify as adware. The libraries are classified as such due to overly aggressive advertising practices including capturing excessive personal information and the inclusion of ads via deceptive delivery models, including altering device settings.


The breakdown by category is interesting. After looking at the top 300 apps in each category, half of entertainment and 41% of personalisation apps are flagged as containing adware.  The breakdown is as follows:


·         Business 5%


·         Education 18%


·         Books 8%


·         Entertainment 50%


·         Music 19%


·         Personalistion 41%


·         Comics 18%


·         Finance 10%


·         Medical 17%


The reason why Zscaler sees adware as dangerous is that it exhibits at least one of the following behaviours:


·         Harvests excessive personally identifiable information


·         Performs unexpected actions in response to ad clicks without appropriate user consent (appropriate user consent entails providing a clear alert in the application that the user can accept or decline before any behaviour takes place)


·         Collects IMEI numbers, UDIDs or MAC addresses


·         Initiating phone calls and SMS messages


·         Changing wallpaper and ringtones


·         Leaks location information


·         Leaks email addresses


·         Leaks personal information such as contacts, birthdays, calendar appointments, etc


About the author


Michael Sutton is Director of Security Research at Zscaler,


 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s