By now you've read about malicious apps that leak privacy data, but do you realize how serious it really is? If not, you'd better pay attention to the following statistics gathered by Symantec*. And if you think that Google Play is 100% safe, it isn't. I have some data that yields some shocking results about the number of malicious apps waiting to grab your data. Unfortunately, the playing surface for Internet naughtiness has changed in the past couple of years and you need to know that it's only getting worse.
Gone are the days of malicious code that just wants to annoy or to destroy. More than 75 percent of all malicious code these days has basically one goal: to steal your data.
Look at the top three mobile threats in the list below to see my point.
Mobile Threats by Type
- Collects Device Data - 28 percent.
- Tracks User - 25 percent.
- Sends Content - 24 percent.
- Traditional Threats - 16 percent.
- Changes Settings - 7 percent.
The number one threat collects device and user data that ranges from device configuration data to bank account details. Most of the data collected has to do with the operating system, patch levels, and applications that you've installed. Programmers gather this data to carry out further attacks on the device by exploiting security vulnerabilities associated with your configuration.
Rarer, but of greater concern, is code that gathers account data from your device as you're logging into your bank account, logging into social media accounts, or any site where you transfer funds such as auction sites, donation sites, or other bill paying sites.
The second most popular threat is user tracking code. This type of code can track your location, text messages, phone calls and pictures. Surprised? Don't be. There are some non-malicious apps that do the same thing but with your permission. How many times have you tapped, "OK" to the question, "Do you want to allow this app to access your location data?" And you tapped, "OK" because you thought that it might be necessary to have full use of the app and all of its features.
The third group of threats send content, usually in the form of SMS messages, to a premium service site that then shows up on your mobile bill. Or your device can be used as a relay for email or messages to your address book. This group of threats is focused on making money directly from exploits by placing charges on your monthly bill, tempting people you know to respond to a link or text or bumping search engine rankings for a site.
Threats are not only on the increase, they're also more sophisticated. For example, now malicious programmers create staged exploits. Staged exploits deliver their payloads in stages to confuse malware detection software. The payloads are smaller, appear as harmless updates, and are much more difficult to remove.
Another method of delivering harmful payloads is what's known as "In-app" promotions. You download and use a harmless app but a pop-up appears that entices you to download another app from a non-standard app store that isn't harmless. The app happily lands on your device, with your permission, and does its dirty work.
Malicious code is a lucrative business. Think about the number of mobile phone users and how easy it is to tap (pun intended) into the app market. Symantec and other industry observers expect exponential growth in the malware and threat "market" for 2012 and beyond. Stay tuned for an update when Symantec's newest report goes live.
Last year, researchers from two universities studied 13,500 apps from the Google Play store and found that 8 percent of them contained encryption technology that was vulnerable to "Man in the Middle" (MITM) attacks - where the programmer intercepts data as it travels between the user and its intended target.
The researchers picked 100 apps to manually audit for MITM attacks and found 41 were vulnerable despite their use of encryption technology such as TLS and SSL.
"From these 41 apps, we were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others," the researchers stated in a research report that described their experiments.
In tomorrow's article, "10 security best practice guidelines for businesses," I'll outline ten best practices for business users of mobile technology, although these best practices apply to any computing technology.
*Data gathered by Symantec for its Internet Security Threat Report. Data from the 2011 report, published April 2012, Volume 17.