The average large global enterprise has about 2,400 unsafe apps on the mobile devices in its environment, according to a new study from mobile security vendor Veracode.
The firm analyzed more than 400,000 of the most popular applications available in Apple and Google app stores and found that 14,000 of the, or about 3 percent, have security problems.
For example, 85 percent of the 14,000 unsafe apps expose sensitive data such as location, contacts, and text messages.
Some go further. About 37 percent perform suspicious activities, such as checking whether a device is rooted or jailbroken, disabling malware, or running other programs.
And 35 percent access such personal information as browser histories and then send it to suspicious overseas locations.
Many users have become complacent because adware and its close cousin, spyware, have become quite common, especially in popular free applications.
"When they're free, the user is the product," said Theodora Titonis, VP of mobile at Boston-based Veracode.
But some applications take this much too far, she said. "When you pull up a flashlight app, for example, and it's sending considerable amount of data to locations around the world."
"We've seen these apps," she said. "We've notified the appropriate parties."
Meanwhile, these apps are in the stores, and are being downloaded, she said. But, more importantly for enterprises, they're ending up on employee devices.
She provided an example of one app in the database, the Lazy Listen audiobook app for Android phones, available through the Google Play store. It's a free Chinese-language app, with between 500,000 and one million installs, from Shenzen's Oneline Technology Co., Ltd.
The app has to ability to know when phone calls are coming in, to send text messages, to record audio, to read the root file system, track the user's location, check if the device has been rooted, and to get identifying information about the user, the device and its carrier.
"The behavioral analysis shows that this information is not used to improve the customer experience," said Titonis.
What the information can be used for, is to be transmitted back to the parent servers and sold as a way of monetising the app -- potentially sold to unknown and untrusted third-party data brokers.
Veracode's cloud-based mobile app security application is available through mobile device management vendors, such as VMware's AirWatch, MobileIron, IBM's Fiberlink and Good Technology.
It allows companies to automatically blacklist apps that fail the security assessment, for example, or even go further.
"They can alert the user that there's an unsafe app, or limit access to corporate email, or even wipe a device if the applications poses that much of a risk to the enterprise," Titonis said.
She also disclosed the names of three of the apps most blacklisted by enterprises -- Angry Birds, Facebook, and Netflix.
But while Angry Birds is ad-supported, she added, it's more on the regular adware side of the security spectrum rather than spyware.
So it's more likely that it's blacklisted as a productivity killer.