It’s been drummed into employees’ heads not to download apps from unvetted third-party sites, and for good reason: attackers infest fly-by-night websites offering cheap or free app downloads. But even when users do everything by the book, don’t assume the story will end on a happy note.
Both the Google and Apple app stores take extra measures to vet third-party apps submitted for inclusion. Yet there are several instances in which existing safeguards failed to block malware-laden apps from being uploaded.
It doesn’t happen all the time but just enough to make news.
For instance, Symantec recently discovered the presence of 38 malicious applications in the Google Play Store disguised as games and education apps. The app authors were ingenious about disguising their existence on victims’ devices, removing their icons from the home screen. They redirected victims to install another app on the Google Play Store that displayed advertisements, and had minimal additional functionality.
When Android app stores got flooded with 1,000 spyware apps last summer, malware marketed as a messaging application actually performed the advertised messaging function so as not to arouse user suspicion. The working messaging feature was a pretext: once installed, the app quietly transferred user data to a command-and-control server.
For security practitioners struggling to protect their organizations in the era of Bring Your Own Device (BYOD), it’s yet another item to add to an already lengthy To-Do list.
“Google occasionally reports how many malicious apps have been removed from Google Play, so this clearly does happen, and people can easily become victims. This happens less frequently on Apple’s App Store, but it is not unheard of,” said Symantec Mobile Security Specialist Brian Duckering. “Apps can get on people’s devices in a variety of ways, so malware does not only come from the primary app stores.”
Security executives obviously can’t control what goes on all of their employees’ mobile devices. BYOD is now part of the contemporary work culture, and employees regularly use their own personal devices for work. But these “dual-use” devices, serving both personal and professional needs, are a constant source of concern for IT managers who are already scrambling to stem the advance of mobile malware.
Last year, for instance, saw a 54% uptick in the number of new malware variants, according to the 2018 Symantec Internet Security Threat Report. As the ISTR notes, it’s not just the volume of malware that’s increasing: Attackers have developed new methods of infection and tricks to remain on compromised devices as long as possible. And they are targeting app download sites as part of that campaign.
Not only have mobile attackers gotten very creative with their tactics, they’ve been able to fool even smart and security-conscious people into unknowingly taking actions that wind up exposing their organizations’ security, according to Duckering.
“A company that does not understand that users will continue to download and install personal apps onto the same devices they use for business is burying its head in the sand,” Duckering said. “The right approach to security must take that into account so that the company can protect sensitive data in spite of these activities.”
There’s no foolproof defense. As always, it boils down to a balanced combination of data gathering, machine learning, and human expertise, all with a focus on app behavior.
At the same time, user education should focus on minimizing the threats posed to mobile users. Education should stress the importance of only installing apps from the primary app stores, of not clicking on untrusted links, and of not approving device permissions and accesses without good reason.
Other precautions should include:
- Keeping your software up to date
- Never patronizing unfamiliar sites
- Only installing apps from trusted sources
- Paying close attention to the permissions requested by apps
- Installing a suitable mobile security app, such as Norton or SEP Mobile, to protect your device and data
- Making frequent backups of important data
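One way to turn the “trusted sources” and “permissions” precautions into something a BYOD or device-management administrator can actually check is an inventory audit of enrolled Android devices. The script below is an added example, not code from the original article or from Symantec. It parses the text that `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>` print, flags packages whose installer is not the primary store (sideloaded apps show `installer=null`), and lists requested permissions that are rarely justified for a game or education app. The sample inventory and permission dumps are constructed for this example, the `TRUSTED_INSTALLERS` and `RISKY_PERMISSIONS` sets are assumptions to be tuned per organization, and in practice the `SAMPLE_*` constants would be replaced with the real command output.

```python
"""Audit an Android package inventory for sideloaded apps and risky permissions.

Added example: parses the output formats of `adb shell pm list packages -i`
and `adb shell dumpsys package <pkg>`. All sample data below is constructed
for this example, not captured from a real device.
"""
import re
from dataclasses import dataclass, field

# Assumption: only Google Play (com.android.vending) counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumption: permissions a game, education or note-taking app rarely needs.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# `pm list packages -i` prints one line per package: package:<name>  installer=<name or null>
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
# Under "requested permissions:" dumpsys lists one indented permission name per line.
PERM_LINE = re.compile(r"^\s+([A-Za-z0-9_.]+)\s*$")

# Constructed sample of `pm list packages -i` output.
SAMPLE_PACKAGE_LIST = """\
package:com.example.notes  installer=com.android.vending
package:com.example.freegame  installer=null
package:com.example.chat  installer=com.android.vending
"""

# Constructed sample of `dumpsys package <pkg>` output, keyed by package name.
SAMPLE_DUMPSYS = {
    "com.example.notes": """\
  Package [com.example.notes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.freegame": """\
  Package [com.example.freegame] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
""",
    "com.example.chat": """\
  Package [com.example.chat] (7a8b9c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.RECEIVE_SMS
""",
}


@dataclass
class Finding:
    package: str
    installer: str
    sideloaded: bool
    risky_permissions: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either signal alone is enough to put the package on a review list.
        return self.sideloaded or bool(self.risky_permissions)


def parse_package_list(text: str) -> dict:
    """Map package name -> installer package from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_requested_permissions(dumpsys_text: str) -> list:
    """Return the names listed under 'requested permissions:' in dumpsys output."""
    perms, in_section = [], False
    for line in dumpsys_text.splitlines():
        if line.strip() == "requested permissions:":
            in_section = True
            continue
        if in_section:
            m = PERM_LINE.match(line)
            if not m:          # first non-permission line ends the section
                break
            perms.append(m.group(1))
    return perms


def audit(package_list_text: str, dumpsys_by_package: dict,
          trusted=TRUSTED_INSTALLERS, risky=RISKY_PERMISSIONS) -> list:
    """Combine both outputs into one Finding per installed package."""
    findings = []
    for pkg, installer in parse_package_list(package_list_text).items():
        perms = parse_requested_permissions(dumpsys_by_package.get(pkg, ""))
        flagged = sorted(p for p in perms if p in risky)
        findings.append(Finding(pkg, installer, installer not in trusted, flagged))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS):
        if f.suspicious:
            print(f"REVIEW {f.package}: installer={f.installer} "
                  f"sideloaded={f.sideloaded} risky={f.risky_permissions}")
```

Run against the constructed data, the audit clears the notes app, flags the free game both for being sideloaded and for requesting SMS and overlay permissions, and flags the chat app for contact and SMS access even though it came from Google Play, which mirrors the article’s point that a primary-store origin alone is not a clean bill of health. An administrator would feed the real `adb` output for each enrolled device into `audit()` and route the `suspicious` findings to a review queue.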