September 5, 2014 By Douglas Bonderud 5 min read

Mobile is the next malware battleground. That’s the prevailing attitude among many information technology (IT) professionals, who often see the spread of mobile malware as akin to malicious software on desktops or PCs.

It makes sense. SC Magazine reports that a new version of the AndroRAT Trojan, SandoRAT, is now infecting Android phones, while BGR notes that over 75,000 jailbroken iPhones have been victimized by the AdThief malware. Yet a report from Appthority found that just 0.4 percent of mobile enterprise apps were infected with malware, while 99 percent of free mobile apps for both iOS and Android had at least “one risky behavior,” such as recording unique device identifiers, device locations or contact lists.

In other words, user permissions — not pernicious software — may pose the greatest mobile threat.

Redefining Malware

California State University at Sacramento defines malware as “an umbrella term for multiple kinds of software, including spyware, viruses and adware. The general rule is that if a program installs itself without user knowledge and/or consent, it is considered malware.”

This makes sense. The recently discovered HijackRAT, for example, masquerades as an app called “Google Service Framework.” As reported by The Independent, once installed on a mobile device, this remote access tool replaces legitimate banking tools with spoofed versions, grabs any personal data it can find and deletes antivirus software.

But here’s the problem: To commit any of these acts, HijackRAT needs user permissions. Because it looks legitimate, users often have no problem tapping “Yes” to any access requests, assuming they are necessary for the free app to function properly.

If users are giving permission for installation and execution, can this really be called malware? Yes. The granular, per-app nature of app stores and in-app purchases has made the older, silent delivery methods largely ineffective on mobile, so malware developers have changed tactics and now rely on user behavior to grant malicious programs the access they need. Their target is data: everything from contact lists to GPS coordinates to more “traditional” information such as login and access credentials. Once a program has been granted broad access to the device, this kind of collection easily goes undetected because virtually every app, legitimate or not, asks for the same kinds of permissions.

The bottom line? Nothing is free.

You’re the Product

Barlow, vice president of strategic initiatives for cloud and smarter infrastructure at IBM, spoke recently about his take on the evolving market of free mobile apps targeting user data. He used the example of a utility app he came across that included not only a “contact backup” feature, but also a free compass, flashlight and mortgage calculator all in one.

At first glance, this seems like an odd mix, but from the perspective of a company looking to harvest personal data, it’s a gold mine. It starts when a user grants the app permission to access contact data and location services. When a “contact backup” is performed, the app developer gains access to every person, email and phone number in the user’s mobile device. The GPS provides coordinates and tells the app exactly where the user lives. The mortgage calculator, meanwhile, provides financial data, helping place the user in a socioeconomic hierarchy. In most cases, this data is collected for downstream advertising use — as Barlow put it, “You are the product that is for sale.”

The Enterprise Equivalency

But what about corporate data? While identifying a user’s home address and income bracket gives advertisers a leg up, obtaining corporate information through free mobile apps can have even farther-reaching consequences. For example, Barlow noted that he has seen employees keep username and password data in their contact lists and also raised the issue of “document clouds.” If an employee quits but has company documents stored in personal cloud services, data-mining apps could find and leverage that information even if corporate permissions have been rescinded.

Barlow makes a case for greater emphasis on “app reputation” — evaluating an app based on what it actually does rather than what it is advertised to do — and the “containerization of the corporate device.” For example, company laptops are one of the last “sterile” corporate environments, according to Barlow. IT security professionals don’t worry about data moving around within the confines of a laptop since every program has been approved, vetted and screened.

But when it comes to mobile, it’s “the exact opposite of what we’ve been doing for 20 years,” Barlow said. It is no longer possible to assume any app is without malice or ill intent; every application must be viewed with suspicion until it can be proven trustworthy. Think of it like kids engaged with social networks and parents wondering whether they’re safe. Just asking questions isn’t enough; actions and reputations prove the point.

Make or Break

Of course, there’s another side to mobile enterprise apps: creation. How do companies ensure the app they’ve created isn’t repurposed as a piece of data-mining malware? Barlow points out that compromising a website has to happen in real time, against a live server, while “mobile apps can be worked on in a lab for three months.” Attackers can download an app, decompile and dissect its code offline at their leisure, strip out password prompts or other authentication checks, and repackage the result. How long does this take?

“Your average teenager can pull this off in a few hours,” Barlow said.

So how do companies make sure users aren’t getting a rogue variant of the real deal? Barlow compared corporate app development to the recording industry, saying both must “harden” their product so it can’t be pirated. Just as digital video releases are encrypted and copy-protected so they can’t simply be duplicated and resold, corporations designing mobile apps must build in anti-tampering safeguards, such as code obfuscation and integrity checks, that make it prohibitively difficult for would-be attackers to alter and redistribute the original product.

The Next Big Thing in Free Mobile Apps

Barlow said he sees mobile apps as the “next big thing to pop.” A year ago, he and his team couldn’t even get retail vendors interested in point-of-sale security. Then, the Target breach happened, and they are now inundated with requests for help. For Barlow, there are two options: a mobile app meltdown or a sharp regulation increase. He described a recent Federal Communications Commission meeting where the top three priorities were: “mobile apps, mobile apps and mobile apps.”

Right now, the market for free mobile apps is akin to the Wild West: Standards are few and far between, and apps run unchecked thanks to broad user permissions. How do companies limit their risk? It starts with training. Employees need to regard permission requests with the same skepticism as “Download now!” phishing emails and react accordingly. Corporations, meanwhile, must exercise due diligence and make sure they’re using the best app available for the task and that it doesn’t collect or share data outside its purview. What’s more, businesses need the support of leading security vendors to help fight 20 years of habit by making device containerization a top priority.

When it’s all said and done, there’s no such thing as a “free” app — and the real cost is measured in data, not dollars.
