The average enterprise has over 2000 unsafe or malicious apps installed on staff mobiles, exposing sensitive information and performing suspicious actions, according to new research from security vendor Veracode.
The secure application firm claimed to have analyzed hundreds of thousands of mobile apps already installed in enterprise environments across a variety of industries and found 14,000 of them to be “unsafe”.
Of these, 85% exposed sensitive phone data such as device location, call history, contacts, SMS logs and SIM information, Veracode said.
A further 37% apparently performed “suspicious” actions such as recording phone conversations, installing or uninstalling apps, running additional programs or checking to see if the device is rooted or jailbroken.
Smartphones which have been jailbroken are more at risk from malware because it can do things like disable AV and view sensitive cached information without the user’s consent.
Over a third (35%) of those unsafe apps found by Veracode pilfered sensitive info on the user including browser history and calendar data – potentially enabling hackers to launch phishing or other follow-up attacks.
The findings are in line with Gartner research from last September which claimed that 75% of mobile apps will fail security tests in 2015, Veracode said.
Theodora Titonis, vice president of mobile at Veracode, argued that it’s difficult to precisely identify whether an app is purposefully malicious or unintentionally suspicious.
She told Infosecurity this makes it important for IT managers to develop a baseline around what is an acceptable amount of risk and then “craft strong policy designed to mitigate risk accordingly.”
“The sheer volume of mobile applications that are found in most BYOD environments necessitates automated app blacklisting across all devices, based on this policy,” she added.
“For example, a policy should have the ability to identify risky applications based on code inspection, unsafe network and device behavior, improper permissions, or the presence of malware, tied to groups of users or devices.”
Veracode’s cloud-based app reputation service has now been integrated into major MDM products from the likes of AirWatch by VMware, MobileIron and Fiberlink – providing up-to-the minute intelligence on apps installed on corporate managed devices.