Bit9 combined two pieces of research, an analysis of the permissions that Android apps request and are so often granted, and a survey of companies’ mobile security posture, and came to a worrying conclusion.
Firstly, the app analysis looked at 400,000 of the approximately 600,000 apps in Google Play, and classified more than 100,000 as ‘suspicious’ or ‘questionable.’ This doesn’t in itself mean that those apps are malware, but that they request more permissions than they need to perform their purpose. Bit9 goes on to point out that since “the average mobile device has 41 apps installed on it, potentially 10 apps could have some level of suspicious activity.”
It is when these findings are related to the separate ‘security posture’ survey that the risks become obvious. For example, 72% of the apps access at least one high-risk permission. But 71% of the survey respondents allow BYOD devices to connect to company servers. “While a majority of businesses allow personal devices to access the company network, many organizations have not deployed any app inventory or control measures.” In other words, companies have little insight into or control over the devices that connect – the majority of which have elevated permissions – because of a “mobile policy largely driven by convenience.”
One danger is that hackers will produce their own malicious apps with excessive permissions that will simply be ‘nodded through’ by the users and ignored by the company. This is already happening. Bit9 cites ‘Angry Birds’. “We noticed 115 variant apps containing the words ‘Angry’ and ‘Birds,’ with only four coming from the official Angry Birds publisher Rovio Mobile,” says the company. Many of these variants access fine-grained GPS location services that are not essential to the apps’ functionality.
Separately, Geoff Casely of NQ Mobile told Infosecurity this morning that the company’s security researchers are watching for the release (slated for 8 November) of Angry Birds Star Wars and are waiting for the inevitable release of fake versions immediately afterwards. “This could be hijacked,” he warned, “to propagate one of the biggest mobile malware instances ever yet seen.”
Bit9 offers four primary suggestions to regain and maintain BYOD security. The first is user education: “a major component of effective Android and mobile security is better education of end users to help them avoid common pitfalls.” The second is to restrict users to apps from official app stores. Users “should stay away from public app markets that lack trustworthiness.”
The third is to prevent the use of rooted or jailbroken devices. “Rooting provides unfettered access to all data on a device and allows risky apps to make changes to system resources,” warns Bit9. Finally, it suggests, users should make use of the security available on the device: screen locking, remote locate and wipe, and encryption.
Without action from users and companies now, the ticking mobile malware time-bomb will inevitably explode.