Zombie Apps Want to Swarm Your Corporate Brain

What happens to dead mobile apps that never get a proper burial? Unfortunately, they often get re-animated.

Any time an app is removed from an app store, that app will still remain on users’ mobile devices but it will no longer be updated for bugs or security fixes – meaning it can easily be exploited by third parties to offer fake updates via vulnerabilities that were never patched. Unlike other consumer products and retailers, app stores (such as Google Play and Apple’s App Store) are under no regulatory requirement to notify users when or why an app has been removed – making these zombie apps a significantly more widespread risk than mobile malware, as we reported.

But what do these zombies do? One bite from an un-updated BYOD device can turn a whole enterprise network rancid – but imagine instead that it’s a whole plague of them, swarming towards the network brains of the organization.

“This year, we’ll likely see the first corporate breach traced back to a mobile app,” said Domingo Guerra, president and co-founder at Appthority. “The enterprise is experiencing a massive influx of new end-user devices and apps that offer new ways to perform workday tasks.”

The perception of data breaches in the enterprise has always been associated with the concept of one big breach, where sensitive data like email archives or financial statements is exfiltrated from a vulnerable server.

“But, in the context of BYOD, similar results can also be achieved if data is exfiltrated from individual mobile devices that held key information over time,” reads a report on dead apps from Appthority. “Unlike large data breaches behind the firewall, micro breaches are a lot harder to discover, and it is easier for attackers to cover up their tracks.”

An example scenario would be to target a company’s sales force to get to a list of their clients. By profiling the sales team using social networks such as LinkedIn and then using social engineering to uncover dead apps and exploit them, it would be trivial to access their phone contact list/address books.

So the question remains: mobile malware may occupy a lot of headlines, but why – WHY – has no one noticed the zombie scourge?? They’re hungry – so hungry – and enterprises would do well to invest in some worker education to avoid throwing open the doors to an easy feast.

What’s Hot on Infosecurity Magazine?