Mobile is the next malware battleground. That’s the prevailing attitude among many information technology (IT) professionals, who often see the spread of mobile malware as akin to malicious software on desktops or PCs.
It makes sense. SC Magazine reports that a new version of the AndroRAT Trojan, SandoRAT, is now infecting Android phones, while BGR notes that over 75,000 jailbroken iPhones have been victimized by the AdThief malware. Yet a report from Appthority found that just 0.4 percent of mobile enterprise apps were infected with malware, while 99 percent of free mobile apps for both iOS and Android had at least “one risky behavior,” such as recording unique device identifiers, device locations or contact lists.
In other words, user permissions — not pernicious software — may pose the greatest mobile threat.
California State University at Sacramento defines malware as “an umbrella term for multiple kinds of software, including spyware, viruses and adware. The general rule is that if a program installs itself without user knowledge and/or consent, it is considered malware.”
This makes sense. The recently discovered HijackRAT, for example, masquerades as an app called “Google Service Framework.” As reported by The Independent, once installed on a mobile device, this remote access tool replaces legitimate banking tools with spoofed versions, grabs any personal data it can find and deletes antivirus software.
But here’s the problem: To commit any of these acts, HijackRAT needs user permissions. Because it looks legitimate, users often have no problem tapping “Yes” to any access requests, assuming they are necessary for the free app to function properly.
If users are giving permission for installation and execution, can this really be called malware? Absolutely. The granular nature of app and in-app purchases makes more traditional malware delivery methods effectively obsolete. To compensate, mobile malware developers have changed tactics, relying instead on user behavior to grant malicious programs the access they need. And what’s their target? Data — everything from contact lists to GPS coordinates to more “traditional” information, such as login and access credentials. Once given free rein over an entire mobile ecosystem, it’s easy for this kind of collection to go undetected because virtually every app, legitimate or not, asks for the same kind of permissions.
The bottom line? Nothing is free.
You’re the Product
Caleb Barlow (@calebbarlow), vice president of strategic initiatives for cloud and smarter infrastructure at IBM, spoke recently about his take on the evolving market of free mobile apps targeting user data. He used the example of a utility app he came across that included not only a “contact backup” feature, but also a free compass, flashlight and mortgage calculator all in one.
At first glance, this seems like an odd mix, but from the perspective of a company looking to harvest personal data, it’s a gold mine. It starts when a user grants the app permission to access contact data and location services. When a “contact backup” is performed, the app developer gains access to every person, email and phone number in the user’s mobile device. The GPS provides coordinates and tells the app exactly where the user lives. The mortgage calculator, meanwhile, provides financial data, helping place the user in a socioeconomic hierarchy. In most cases, this data is collected for downstream advertising use — as Barlow put it, “You are the product that is for sale.”
The Enterprise Equivalency
But what about corporate data? While identifying a user’s home address and income bracket gives advertisers a leg up, obtaining corporate information through free mobile apps can have even farther-reaching consequences. For example, Barlow noted that he has seen employees keep username and password data in their contact lists and also raised the issue of “document clouds.” If an employee quits but has company documents stored in personal cloud services, data-mining apps could find and leverage that information even if corporate permissions have been rescinded.
Barlow makes a case for greater emphasis on “app reputation” — evaluating an app based on what it actually does rather than what it is advertised to do — and the “containerization of the corporate device.” For example, company laptops are one of the last “sterile” corporate environments, according to Barlow. IT security professionals don’t worry about data moving around within the confines of a laptop since every program has been approved, vetted and screened.
But when it comes to mobile, it’s “the exact opposite of what we’ve been doing for 20 years,” Barlow said. It is no longer possible to assume any app is without malice or ill intent; every application must be viewed with suspicion until it can be proven trustworthy. Think of it like kids engaged with social networks and parents wondering whether they’re safe. Just asking questions isn’t enough; actions and reputations prove the point.
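The utility-bundle app above and Barlow's "app reputation" idea both come down to one check: what does the app's permission set let it do, and how much of that is explained by what it advertises? The script below is an added example, not IBM's or Barlow's tooling; the manifest is constructed, and the mapping from advertised features to justifiable Android permissions is a hypothetical one chosen for the article's four features.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Real Android permission names mapped to the risky behaviours the article lists.
RISKY = {
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.ACCESS_FINE_LOCATION": "reads precise device location",
    "android.permission.READ_PHONE_STATE": "reads unique device identifiers",
}
# Permissions each advertised feature could plausibly justify (hypothetical mapping).
FEATURE_NEEDS = {
    "contact backup": {"android.permission.READ_CONTACTS", INTERNET},
    "compass": set(),
    "flashlight": {"android.permission.CAMERA"},
    "mortgage calculator": set(),
}
# Constructed manifest for the utility bundle described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.utilitybundle">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Utility Bundle"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def assess(manifest_xml, advertised_features):
    """Rate the app on what its permissions let it do, not on what it advertises."""
    perms = set(requested_permissions(manifest_xml))
    justified = set().union(*(FEATURE_NEEDS.get(f, set()) for f in advertised_features))
    risky = {p: RISKY[p] for p in sorted(perms & RISKY.keys())}
    unexplained = sorted(perms - justified)
    # Harvested data is only worth something to an advertiser if it can leave the device.
    if risky and INTERNET in perms:
        risk = "high"
    elif risky:
        risk = "medium"
    else:
        risk = "low"
    return {"risky": risky, "unexplained": unexplained, "risk": risk}
```

Note that "contact backup" justifies READ_CONTACTS plus INTERNET on paper, which is exactly why the feature works as a harvesting vector: the unexplained permissions (location, device identifiers) are the ones reputation scoring can catch, while the explained ones still need a policy decision.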
Make or Break
Of course, there’s another side to mobile enterprise apps: creation. How do companies ensure the app they’ve created isn’t repurposed as a piece of data-mining malware? Barlow points out that compromising websites is something that has to happen in real time, while “mobile apps can be worked on in a lab for three months.” Hackers can grab these apps, take them offline and then dissect their code and remove requirements for passwords or other forms of authentication. How long does this process take?
“Your average teenager can pull this off in a few hours,” Barlow said.
So how do companies make sure users aren’t getting a rogue variant of the real deal? Barlow compared corporate app development to the recording industry, saying both must “harden” their data so it can’t be pirated. Just as digital movie recordings scramble or obfuscate their code so they can’t be replicated and resold, corporations designing mobile apps must integrate safeguards against tampering that make it prohibitively difficult for would-be hackers to steal the original product.
The Next Big Thing in Free Mobile Apps
Barlow said he sees mobile apps as the “next big thing to pop.” A year ago, he and his team couldn’t even get retail vendors interested in point-of-sale security. Then, the Target breach happened, and they are now inundated with requests for help. For Barlow, there are two options: a mobile app meltdown or a sharp regulation increase. He described a recent Federal Communications Commission meeting where the top three priorities were: “mobile apps, mobile apps and mobile apps.”
Right now, the market for free mobile apps is akin to the Wild West: Standards are few and far between, and apps run unchecked thanks to broad user permissions. How do companies limit their risk? It starts with training. Employees need to regard permission requests with the same skepticism as “Download now!” phishing emails and react accordingly. Corporations, meanwhile, must exercise due diligence and make sure they’re using the best app available for the task and that it doesn’t collect or share data outside its purview. What’s more, businesses need the support of leading security vendors to help fight 20 years of habit by making device containerization a top priority.
When it’s all said and done, there’s no such thing as a “free” app — and the real cost is measured in data, not dollars.