2,400 unsafe apps on user phones in large firms

The average large global enterprise has about 2,400 unsafe apps on the mobile devices in its environment, according to a new study from mobile security vendor Veracode.

The firm analyzed more than 400,000 of the most popular applications available in Apple and Google app stores and found that 14,000 of the, or about 3 percent, have security problems.

For example, 85 percent of the 14,000 unsafe apps expose sensitive data such as location, contacts, and text messages.

Some go further. About 37 percent perform suspicious activities, such as checking whether a device is rooted or jailbroken, disabling malware, or running other programs.

And 35 percent access such personal information as browser histories and then send it to suspicious overseas locations.

Many users have become complacent because adware and its close cousin, spyware, have become quite common, especially in popular free applications.

"When they're free, the user is the product," said Theodora Titonis, VP of mobile at Boston-based Veracode.

But some applications take this much too far, she said. "When you pull up a flashlight app, for example, and it's sending considerable amount of data to locations around the world."

"We've seen these apps," she said. "We've notified the appropriate parties."

Meanwhile, these apps are in the stores, and are being downloaded, she said. But, more importantly for enterprises, they're ending up on employee devices.

She provided an example of one app in the database, the Lazy Listen audiobook app for Android phones, available through the Google Play store. It's a free Chinese-language app, with between 500,000 and one million installs, from Shenzen's Oneline Technology Co., Ltd.

The app has to ability to know when phone calls are coming in, to send text messages, to record audio, to read the root file system, track the user's location, check if the device has been rooted, and to get identifying information about the user, the device and its carrier.

"The behavioral analysis shows that this information is not used to improve the customer experience," said Titonis.

What the information can be used for, is to be transmitted back to the parent servers and sold as a way of monetising the app -- potentially sold to unknown and untrusted third-party data brokers.

Veracode's cloud-based mobile app security application is available through mobile device management vendors, such as VMware's AirWatch, MobileIron, IBM's Fiberlink and Good Technology.

It allows companies to automatically blacklist apps that fail the security assessment, for example, or even go further.

"They can alert the user that there's an unsafe app, or limit access to corporate email, or even wipe a device if the applications poses that much of a risk to the enterprise," Titonis said.

She also disclosed the names of three of the apps most blacklisted by enterprises -- Angry Birds, Facebook, and Netflix.

But while Angry Birds is ad-supported, she added, it's more on the regular adware side of the security spectrum rather than spyware.

So it's more likely that it's blacklisted as a productivity killer.

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleapplicationsGoogleVeracodesoftwaredata protection

More about AppleFacebookGood TechnologyGoogleMobileIronNetflixTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place