Beware Of Mobile Apps Bearing Gifts This Christmas

By   ISBuzz Team
Writer , Information Security Buzz | Dec 23, 2013 01:33 am PST

New mobile devices are dominating the Christmas wish lists of many people this year. But, whilst you may be thrilled to open a new Smartphone or tablet this week, there are many dangers that you may not be immediately aware of. There are an increasing number of legitimate malware attacks, driven by consumers’ ignorance when it comes to their data privacy, and what they give away, whilst using free of charge services or apps. Users should be aware that it’s not just mobile malware but, more importantly, data privacy breaches that they may be confronted with if they are not careful with their digital habits. With BAD (Bring Any Device) being so widespread, this can also affect enterprise data.

So when downloading free apps, if you want to keep your privacy, Zscaler has the following tips:

1. Stay away from non-official app stores. You can block access to the URL if you are an enterprise user.

2. Have a solution in place that permits filtering and monitoring network traffic regardless of device or location to prevent malicious activity and privacy breaches. Solutions that only monitor LAN traffic are blind when employees work beyond the office, which is quickly becoming the norm.

3. It is Important to have a security technology that can deliver reports to identify the apps that your employees are using, highlight associated risks and allow for policies to be implemented to mitigate that risk.

According to Michael Sutton, Director of Security Research at Zscaler, the top mobile apps, whilst being fun or useful, also ask for privileges that can allow a user to be monitored, and sensitive information potentially viewed and compromised. This might not be of too much concern to some people but, depending on who you are and where this sometimes sensitive information is shared, the loss of your privacy can suddenly become very important.  Consider the case of a senior executive, whose company-owned device has applications installed which have been granted permissions to access to his address book, photos or geo-location data.

Sutton said that users should assume apps are harvesting tracking data, especially free apps as this is how advertisers make money, by creating device profiles in order to better target advertisements. This is true even for legitimate app stores but the problems get even worse when considering apps from ‘unofficial’ Android app stores, which may have malicious functionality in addition to privacy issues. “People need to be aware of this stuff and I don’t think that they are,” he said.

“A free app wants to deliver meaningful advertisements, so the app will grab whatever it can to track that device. This is done by obtaining unique identifiers for the device, such as the device’s, IMEI/ UDID numbers or MAC addresses. If the same advertising SDK (software development kit) is used on many apps the advertiser can create a profile for the device. This is done to deliver meaningful ads that match your preferences.  Some people don’t care about that, but some people don’t like it at all as it tracks you and your behaviour,” he continued.

According to a list of the most popular apps by Global Web Index, these are mainly social networks which require personal or geo-location data. “People mistakenly assume that the most popular apps are likely to have more strict privacy controls, but in general, the top ten apps will not be doing anything worse or treat your privacy any better than number 10,000 or number 20,000,” said Sutton.

“Most of the apps that we see which are really malicious are not on official app stores; almost everything truly malicious comes from third party Android app stores. The majority are fake or cloned versions and most generate revenue for attackers by carrying out SMS fraud which sends text messages to premium rate numbers.”

According to research released this week by ZScaler, the Android malware MouaBad.P has the ability to read, write, send and receive SMS messages. “Forcing Android applications to initiate calls to premium phone numbers controlled by the attackers is a common revenue generation scheme that we see, particularly in Android application distributed in third party Android app stores,” the research said.

Sutton claimed that its analysis of apps shows common themes across privacy as apps are often aggressive in terms of the user data that they want access to, and it is often because they are free apps. “They track user information because the advertisers want that.”

ZScaler research has found that 22% of apps on the Google Play Store contain advertising libraries that at least some antivirus vendors classify as adware. The libraries are classified as such due to overly aggressive advertising practices including capturing excessive personal information and the inclusion of ads via deceptive delivery models, including altering device settings.

The breakdown by category is interesting. After looking at the top 300 apps in each category, half of entertainment and 41% of personalisation apps are flagged as containing adware.  The breakdown is as follows:

·         Business 5%

·         Education 18%

·         Books 8%

·         Entertainment 50%

·         Music 19%

·         Personalistion 41%

·         Comics 18%

·         Finance 10%

·         Medical 17%

The reason why Zscaler sees adware as dangerous is that it exhibits at least one of the following behaviours

·         Harvests excessive personally identifiable information

·         Performs unexpected actions in response to ad clicks without appropriate user consent (appropriate user consent entails providing a clear alert in the application that the user can accept or decline before any behaviour takes place)

·         Collects IMEI numbers, UDIDs or MAC addresses

·         Initiating phone calls and SMS messages

·         Changing wallpaper and ringtones

·         Leaks location information

·         Leaks email addresses

·         Leaks personal information such as contacts, birthdays, calendar appointments, etc