Posted September 2, 2014
By Andrew Sharetts
As more organizations release mobile applications to satisfy customer demand for on-the-go services, instances of rogue or spoofed mobile apps are rising. There are a lot of questions when it comes to this evolving sphere of cyber security, so we recently sat down with Tim Vert, a mobile security expert and Manager in Cyveillance’s Security Operations Center, to get some answers.
Andrew: Tim, what types of apps are most often spoofed?
Tim: Well, Andrew, traditionally financial institutions are always the first and biggest targets of fraud because that’s where the money is. That doesn’t mean other apps and other companies are safe, though. Even an innocuous app like a game can start to request access to all sorts of data that you wouldn’t want shared with strangers once installed on your phone. It’s just as bad as having a Trojan virus on your computer, and in some cases worse, considering how many aspects of our lives are integrated with our mobile devices these days.
Andrew: What type of rogue mobile app do you most frequently come across?
Tim: Unauthorized authentic apps – seemingly legitimate apps that are distributed on unauthorized storefronts – are the most common, and also the easiest for criminals to execute. These apps can contaminate a network with malware or other viruses, and pose as big of a threat as scarier sounding apps that deliver Trojans or malicious aggregators. A good rule of thumb is, if you don’t trust the provider, then you shouldn’t trust the content they are offering for download.
Andrew: Is one mobile platform more susceptible than another?
Tim: When it comes to fraudulent apps, Android is king. The combination of market share and the openness of the operating system make it the most obvious choice for spoofed apps. The next most popular platform is Apple’s iOS, also because of its popularity. But unlike Android, Apple reviews apps before allowing them to be posted in the App Store. This diligent curating of apps doesn’t mean bad apps can’t occur on iOS, but it’s much less likely and they have to be much more carefully executed. Other mobile operating systems are less likely to be used for broad exposure exploits because of their smaller market share.
Andrew: What’s the best way for organizations to detect and deal with rogue apps?
Tim: The best thing a company can do is make sure their customers find the legitimate app first so they don’t have a need to hunt for it and potentially find an illegitimate one instead. Next, companies should stay abreast of unauthorized use of their brand in the app market space. A third party site may be offering an app that looks exactly like yours, but if they’re not a trustworthy source then that app could do anything from using your legitimate app to generate advertising revenue for them, or in a worst case scenario, completely controlling a device. Know, defend and control the use of your brand and you won’t have to worry about someone else using it for their own benefit and potentially you or your customers’ detriment.
Andrew: How do “bring your own device” (BYOD) policies factor into the rogue apps discussion?
Tim: The increasing adoption of BYOD policies by companies means our devices are progressively overlapping between both business and personal use. This increases the number of ways a device can be compromised and also the amount and variety of data that can be affected by a compromise. BYOD needs to be a privilege, not a right, and it requires the cooperation of all employees in order to protect the company. Companies should be sure that their policies and IT teams are aware of and have vetted all the mobile apps that employees might be releasing, too. Often in large companies we find that marketing departments might develop applications for an event, for example, but use a third-party agency that hasn’t tested the apps from a security standpoint.
Andrew: And to further the BYOD conversation, is there a concern of a rogue app affecting a corporate network?
Tim: Absolutely. If attackers can compromise a device and then have the owner walk that device past all the network security and firewalls and plug it directly into the network, then the hard work for them has already been done.
Andrew: What about large organizations that have various apps being released by agencies, employees, internal teams, etc.? How can they keep track of all the different mobile apps that ARE legitimate?
Tim: It’s imperative that organizations understand these threats and have clear, enforceable policies in place for their employees. There are also software solutions that can help, but without company-wide cooperation implementation will be incomplete. It’s also important to let all employees know who to go to for review and approval when they’re releasing an application. In large corporations, it may be someone or a group within the information security team, or mobile security team if the company is large enough to have such a specialized group. In a smaller organization, it may be a single individual who bears responsibility for keeping an ongoing “inventory” of all legitimate and approved applications. In either case, having an ongoing monitoring plan in place can be very cost effective and help identify not only third-party rogue apps, but also apps that employees might have developed using a third-party agency that might not take the same security precautions as your in-house team.
Andrew: Last but not least, how can consumers determine whether they’re using a legitimate app?
Tim: The best option is always to go straight to the source. Most companies will have a link on their website to connect you to the best place from which to download their app. Barring that, official app stores such as Google Play or the Apple App Store will always be safer than a third-party website, although at times there may be a good reason the app you’re looking for isn’t available in an official store. Finally, do your homework. If the app is new and only has a few downloads, it’s going to be a lot riskier than an app with a proven track record, lots of downloads, and positive press. When in doubt, err on the side of caution and do a few quick searches online to see if there are reviews indicating that it’s a rogue or malicious application before you download it.
Want to learn more about rogue mobile apps and how to deal with them? Our Mobile Application Monitoring service can help.