Security researchers have warned that innocuous looking smartphone apps could be hiding malicious code or “risk ware”—even Bible and Quran applications.
Proofpoint analysed 38,000 gambling, flashlight and holy book mobile apps and found that a worryingly high percentage try to steal data, track location and sometimes make unauthorized calls.
The aim of the research is to warn end users and security managers not to make assumptions about how secure an app is just based on the type of content within.
Instead, managers should make a “real, data-driven assessment of its behavior and risk to personal data and to organizations,” the firm advised.
To this end, Proofpoint found that 3.7% of the 5,600 Bible apps it studied contained malware which tried to access data and services illegally—a higher rate of malicious code than any other category.
Some communicate to over 50 servers, and others have a wide variety of social networking and advertising features, which exposes users even more, Proofpoint warned.
Quran apps fared slightly better, with just over 1% classed as “high risk” or containing malware. Some of these applications communicated with as many as 35 different servers, the vendor claimed.
Away from religion, other innocuous-looking Android and iOS apps were found wanting.
For example, 14% of gambling apps were said to exhibit some form of risky behavior. Some 52 of the 23,000 studied were found to contain known malicious code and another 379 were classified as ‘high risk,’ while over 3,200 were deemed a ‘moderate risk.’
According to Proofpoint, “malicious” apps attempt to exploit the OS in order to access things for which they don’t have permission. “High risk” apps have known security vulnerabilities, communicate personal info like contacts or calendar, or leak location and activity information.
Kevin Epstein, vice president of threat operations at Proofpoint, argued that the research proves mobile users and employers need to be far more security conscious.
“The findings are also a valuable reminder of the importance of a mobile app security strategy for organizations,” he added, in a statement.
“To protect employees and users from unscrupulous scammers and cybercriminals—and against riskware and malicious apps in general—organizations should define policies and deploy solutions that enable them to identify and control these apps before they can impact the organization’s security posture.”