"These apps often perform multiple functions--not just the game or utility they were supposed to do. They'll do location tracking for key executives, share the corporate address book, corporate calendars, or share data with app network providers or third parties," says Domingo Guerra, founder and president of Appthority. The applications may then circumvent the permission model of the smartphone in order to report that data--often to a network of advertisers.
Appthority yesterday released its July App Reputation Report, which takes a top-level view of mobile apps and how they affect security and privacy.
"We took the top 50 iOS free apps and the top 50 Android free apps to see what they're doing," says Guerra. "We weren't expecting to see malware, and we didn't."
The survey gave some insight into other mobile trends, however. According to the report, 96% of iOS apps and 84% of Android apps have some ability to access sensitive information on the mobile device. That access is most often supplied to games, but, frequently business, healthcare and finance apps, as well.
Numerous factors are causing the security gaps, from the wide pool of app developers, to the fact that the developers themselves might not know how the data is being used. What's more, the safeguards put in place to detect malware in the various app marketplaces do little to detect bad behavior on seemingly legitimate apps. Researchers at Trustwave's SpiderLabs yesterday presented a way to get around Google Play's Bouncer malware filter by progressively updating a benign app to execute more and more malicious activity unbeknownst to the app's user. In the process, the researchers submitted 11 versions of the same app through Google and the app was never filtered by Bouncer.
"The end-game version of that is an application that looks like an SMS blocker application," says Nick Percoco, senior VP of SpiderLabs at Trustwave and co-presenter with his colleague Sean Schulte. "It's fully functional, it doesn't look malicious, and basically at that point we're able to turn on malicious functionality in that application to do things like steal photos, steal contacts, steal SMS messages and steal phone records."
Percoco says the malicious features also allowed his team to hijack a user's interface by pushing a Web page to that user--and even more significantly, by creating a botnet using the application.
"We can command and control that application and then have the ability to have it send a DoS attack against any website for any domain that we choose," he says.
Next: What's to Blame for Mobile Apps Gone Bad