When I conduct security awareness sessions with companies, many people are surprised to discover mobile apps can potentially be malicious. To make matters worse, it’s getting harder to spot risky apps. You might expect obvious red flags, but a recent incident shows how hard mobile device security is for security professionals and regular users alike.
CamScanner used optical character recognition to ‘read’ text from documents to create shareable PDFs. As ZDnet pointed out, it wasn’t some fringe app but a widely used productivity tool with loads of positive reviews. It had been listed on the Google Play store since 2010, racking up more than 100 million downloads.
That was before late August, when Google removed CamScanner from its Play store. Researchers at Kaspersky had noticed a spike in negative reviews and decided to take a closer look. After analysing the app, they saw an advertising library in it that contained a malicious dropper component. This dropper would then download and launch a payload from malicious servers. Once the module owner had infected a device, they could use it any way they wanted – from showing intrusive ads to stealing money from their mobile account by charging paid subscriptions.
Unfortunately, CamScanner is not an isolated case. Positive Technologies recently analysed 17 mobile apps and found high-risk flaws in 43 percent of Android apps and 38percent of iOS apps. As Digital Trends’ writeup noted, the findings didn’t just identify vulnerabilities in specific apps, but revealed broader trends in app design which could lead to mobile device security issues.
The risks with mobile devices
What are the security risks of downloading an app with malicious code? Depending on the levels of permission you have given, it could potentially get access to your contact information or your photos. If an app is voice activated or has access to the device’s microphone, it might also be able to hear conversations. When you download a legitimate app, it should tell you the features it has and the permissions it needs, but some apps aren’t always so transparent about what they do.
The impact of a security flaw will depend on how you use your phone; is it strictly for personal use, or do you also use it for work? For home users, it is an invasion of privacy; from a business point of view, you could potentially be in breach of confidentiality agreements. Suppose a malware takes screenshots of your compromised phone, you could become the victim of a data breach if you use that phone to read company email.
As the CamScanner example shows, it can be hard to determine how safe an app is, but that’s no reason not to try. As individuals or technology professionals, we can take steps to minimise the risk to our personal devices, or to business data. Here are six tips to keep in mind.
Only download apps from official sources such as Google Play Store (for Android devices) or the Apple App Store (for iPhones and iPads). These big companies have teams conducting due diligence on apps. While this won’t provide full protection it will decrease your chances of downloading a malicious app.
Before downloading an app, take a moment to look at reviews, comments and the number of downloads. This isn’t a foolproof method, but it’s a useful indication as to whether an app is legitimate. Watch for misspellings of common names – just as with phishing scams, this is a common way to trick unwary users.
When you tap the ‘install’ button, you may be shown a list of permissions the app requires, such as access to the camera, your text messages, or photo library. It’s the user’s responsibility to review this list and check if you’re comfortable with the level of sharing the app supposedly needs.
Once you have downloaded the app, go into your mobile’s settings menu and toggle individual permissions. For example, Apple gives you the option to enable location services only while using an app, or to deny access to the camera roll. I have an authenticator app that requires access to the camera, but I disable this setting until I need to use it.
You can mitigate the risk even further by adding an extra layer to your mobile device security. Android devices let you install antivirus software (Apple has its own built-in security).
Discourage people from rooting (Android) or jailbreaking (Apple) their phones. Doing this gives apps elevated privileges, and it could enable some of them to access information or to broadcast the phone’s location without the user realising.
Work vs personal use
We also need to consider that smartphones are blurring the lines between work and personal use. If someone is using their own mobile for work, it’s unrealistic to police what apps they should or shouldn’t download. For this reason, we recommend using separate work and personal devices.
However, not all companies may have the budget to do this, so in that case, we recommend installing a mobile device management (MDM) tool. Sometimes called EMM, or enterprise mobile management, examples include AirWatch, or Intune, Mobile Iron, or LANDESK. These kinds of software let the organisation apply some level of control to its own data, such as placing company-confidential data in a sandbox environment so the data can be wiped if the device is stolen or compromised.
Neha Thethi is a senior information security analyst with BH Consulting