How Mobile Apps Can Put Devices (and Organizations) at Risk

With BYOD on the rise, most employees are using their personal mobile devices to access company information and software. Simultaneously, these employees are downloading personal (or work-related) apps onto those same devices — you’ve probably even asked employees to download apps like Slack or Teams onto their devices to ensure work can be done on them. While you may have vetted certain apps to ensure they’re safe to interact with internal systems, employees aren’t likely doing the same when scrolling on their phones at night and downloading the latest gaming or social app.

Most apps are harmless, but some are dangerous, or can become dangerous if they fall into the wrong hands. Even safe apps have access to data stored on a user’s phone, as well as features like cameras and microphones. They can be hacked with relative ease, putting that data, that employee, and that employer at risk. Dangerous applications are an even bigger threat. Plus, they’re easy to miss because they are designed to look safe so they seem benign.

This all poses a huge problem for businesses. Once a personal device is compromised, company data can be accessed and compromised as well. Even worse, companies have limited jurisdiction over employees’ devices and can’t implement as many security controls as they might like. 

Given those issues, how can companies protect their data and intellectual property from bad actors?

Let’s start by looking at the three types of applications and how they can put organizations at risk.

• Sideloaded apps: While the majority of apps are downloaded via Apple’s App Store and Google’s Play Store, some apps are downloaded from other sources. These sideloaded apps can be downloaded from third-party app stores, websites, social media, forums, and more. However, they’re much riskier, and the practice of sideloading apps should be discouraged altogether.
• Malicious apps that bypass app store security: While the Apple Store and Google Play have rigorous safety measures in place to keep malicious applications out of the store, sometimes one sneaks by. So, although sideloaded apps are much riskier, users can’t assume applications downloaded from their device’s app store are guaranteed to be safe.
• Compromised legitimate apps: Finally, even safe, legitimate applications can be compromised by bad actors and pose a threat to devices and organizations. When downloading a known app, many users blindly accept whatever permissions the app asks for. That means many applications — especially free apps that make revenue from selling data to third parties — are accessing massive amounts of user data and are, therefore, enticing targets for bad actors.

Knowing that these types of applications are a threat to personal and professional security, let’s look at how they make their way onto employees’ devices and into your networks. 

How bad apps end up on employee devices

Keeping malicious applications off devices that are connected to company networks seems like it should be a simple task, but that’s not often the case.  This is because these applications make their way onto employee devices in pretty harmless ways.

Third-party or sideloaded applications

There are many reasons users choose to download applications from third-party app stores like Amazon Appstore, Aptoide, and F-Droid. These app stores offer a wider variety of applications than the Apple Store or Google Play, especially when it comes to free applications or apps from smaller companies or individual developers who want to minimize revenue sharing with the app store. They also allow users to purchase or download apps without setting up an account.

Unfortunately, not all third-party have the built-in security checks that are available on Google Play and Apple Store, so malicious apps can get through. Third-party app stores are also at risk of code injection attacks. This leads to compromised legitimate apps that then affect any device that downloads and installs an app or even an update.

Larger companies and developers don’t necessarily monitor third-party app stores at the same pace as the Apple Store or Google Play, so an outdated version of a legitimate app may be living on a third-party app store with a host of security issues that bad actors know how to exploit.

Lastly, the biggest risk factor comes when downloading apps from non-traditional sources such as websites, forums, or social media posts. There’s no security check, and it’s a very common way for hackers to compromise a device simply by promising to install a genuine app or a “free” version of a common app.

Malicious apps sold on legitimate app stores

Any application available on Google Play and Apple Store needs to go through rigorous security checks. Though the security review process is extensive, thousands of apps are being reviewed by each store; and, occasionally, a malicious app gets through.

Depending on where the app is being downloaded, the best hackers have also found ways to bypass security checks by displaying a fake UI that avoids triggering security red flags. Other bad actors utilize a common code base to build an app that looks like a popular app, then they edit the code with subsequent updates that don’t need to go through the security review. Earlier this year, security researchers found a new malware on App Store apps that utilized screenshot reading technology to steal passwords tied to crypto accounts.

The Apple Store also allows users to bypass security checks when uploading beta versions of applications. So, bad actors will submit malicious beta applications, especially those that mimic popular crypto apps, to avoid going through the security screening. Once accepted by Apple, developers change the URL to a malicious server that steals data from the user’s device or takes over the phone.

There have been multiple instances of benign or legitimate apps turning bad after some time. This has occurred with a popular screen recording app that was updated a year after launch with backdoor malware. In another instance, a barcode scanner app with over 10M downloads changed ownership, which resulted in malware almost overnight. The owner signed a contract with a different development agency that installed malware in the form of adware over an update. 

Legitimate applications

Unfortunately, sometimes even legitimate applications downloaded from legitimate app stores can become compromised. Many applications ask for far more permissions than they need to function, including access to location data, address books, text you’ve copied to your clipboard, your camera and microphone, as well as the ability to track device activity. Many users have become so accustomed to accepting the “necessary” permissions that they hit accept without thinking about it.

While it’s not innately harmful for the app developer to have access to your data, it opens users to risk if the application or developer is hacked and user data is compromised. The aforementioned risk of an app changing owners can also lead to a shift in user privacy and security policy. A new owner could choose to eschew data security or outright monetize it, making data available to any buyer. This happened recently with Amazon,  when they reversed course on their handling of voice data on Alexa-powered devices. Previously, Amazon supported users’ requests to not send voice recordings to the company.  Users are no longer allowed that option, and Amazon will now process all voice data to train its AI.

Regardless of how a malicious or compromised app makes its way onto an employee’s device, any compromise means a bad actor now has access to all data stored on that phone, including your company data. This makes it essential to educate employees on mobile security best practices to avoid a costly breach.

How Apps Compromise Devices

Whether employees download a malicious app or a legitimate app, what happens if they are hacked? There are a number of ways in which bad actors can pose a threat. Generally speaking, hackers compromise devices by installing some type of malware. This can include:

• Trojan horses: These malicious applications look legitimate, but, when installed, allow hackers to access a device to further install malware, read data, or exfiltrate the phone’s data, including any apps or communication.
• Ransomware: Much as with laptops and other devices, bad actors may install ransomware on targeted company devices, hoping to collect a ransom or brick the device to cause disruption.
• Spyware: Activity monitoring spyware and data exfiltration perhaps pose the biggest threat to organizations, as this malware allows bad actors to track users’ activity, intercept sensitive communication, extract valuable data, and access passwords for company software via keylogging.
• Adware: Adware allows bad actors to engage in ad fraud by running applications in the background and clicking on ads to generate income. Running adware can drain phone battery and resources, which can cause several issues for employees and also impact productivity.
• Cryptojacking software: Similar to adware, cryptojacking software is a popular type of malware that allows hackers to use a person’s phone to mine cryptocurrency without the device owner’s knowledge or consent. Some cryptojacking or hacking software seeks to harvest crypto-related credentials, which can easily shift to harvesting important organization account-related credentials.

Via these methods, an employee’s personal device can become compromised, which can then lead bad actors to your data. It’s only a matter of time before the unauthorized actor finds something on the employee’s phone that leads to your company, at which point, they will strike.

Malicious Apps are a Major Risk for Organizations

Whether they are employer or employee owned, mobile devices pose a significant threat to organizations. Mobile phones inherently have less security than other devices; and, when the device is owned by employees, they are more likely to download untrustworthy apps, visit sketchy websites, and sideload apps for work or pleasure. These potentially malicious applications can then access, read, and compromise company data and accounts. Without a holistic mobile security plan in place, employee-owned mobile devices pose a huge risk to companies.

Organizations have historically invested in mobile device management (MDM) to protect company data from mobile threats. But due to its limitations, low user adoption, and the fact that most employees are now using their own devices to access work applications and databases, MDM has proven to be insufficient.

Mobile threat detection and response (MDR) is significantly more effective at protecting companies with BYOD policies. MDR shifts the focus from devices to threats and more proactively hunts for and responds to threats on mobile devices, including malware and social engineering attacks.

If your company has a BYOD policy in place, you need to invest in MDR. SolCyber’s mobile protection services extend beyond that of traditional MDM, helping you proactively hunt for threats to ensure they don’t reach your organization. Learn more about our mobile protection services and reach out to the security experts to get started today.