Don't you just love mobile apps? So do malicious code writers.


Summary: There are some surprising numbers available that tell a dark story about mobile apps and what they can be doing on your device.


By now you've read about malicious apps that leak privacy data, but do you realize how serious it really is? If not, you'd better pay attention to the following statistics gathered by Symantec*. And if you think that Google Play is 100% safe, it isn't. I have some data that yields some shocking results about the number of malicious apps waiting to grab your data. Unfortunately, the playing surface for Internet naughtiness has changed in the past couple of years and you need to know that it's only getting worse.

Gone are the days of malicious code that just wants to annoy or to destroy. More than 75 percent of all malicious code these days has basically one goal: to steal your data.

Look at the top three mobile threats in the list below to see my point.

Mobile Threats by Type

  1. Collects Device Data - 28 percent.
  2. Tracks User - 25 percent.
  3. Sends Content - 24 percent.
  4. Traditional Threats - 16 percent.
  5. Changes Settings - 7 percent.

The number one threat collects device and user data that ranges from device configuration data to bank account details. Most of the data collected has to do with the operating system, patch levels, and applications that you've installed. Programmers gather this data to carry out further attacks on the device by exploiting security vulnerabilities associated with your configuration.

Rarer, but of greater concern, is code that gathers account data from your device as you're logging into your bank account, logging into social media accounts, or any site where you transfer funds such as auction sites, donation sites, or other bill paying sites.

The second most popular threat is user tracking code. This type of code can track your location, text messages, phone calls and pictures. Surprised? Don't be. There are some non-malicious apps that do the same thing but with your permission. How many times have you tapped "OK" to the question, "Do you want to allow this app to access your location data?" And you tapped "OK" because you thought that it might be necessary to have full use of the app and all of its features.

The third group of threats sends content, usually in the form of SMS messages, to a premium service site that then shows up on your mobile bill. Or your device can be used as a relay for email or messages to your address book. This group of threats is focused on making money directly from exploits by placing charges on your monthly bill, tempting people you know to respond to a link or text, or bumping search engine rankings for a site.

Threats are not only on the increase, they're also more sophisticated. For example, now malicious programmers create staged exploits. Staged exploits deliver their payloads in stages to confuse malware detection software. The payloads are smaller, appear as harmless updates, and are much more difficult to remove.

Another method of delivering harmful payloads is what's known as "In-app" promotions. You download and use a harmless app but a pop-up appears that entices you to download another app from a non-standard app store that isn't harmless. The app happily lands on your device, with your permission, and does its dirty work.

Malicious code is a lucrative business. Think about the number of mobile phone users and how easy it is to tap (pun intended) into the app market. Symantec and other industry observers expect exponential growth in the malware and threat "market" for 2012 and beyond. Stay tuned for an update when Symantec's newest report goes live.

Last year, researchers from two universities studied 13,500 apps from the Google Play store and found that 8 percent of them contained encryption technology that was vulnerable to "Man in the Middle" (MITM) attacks, where an attacker intercepts data as it travels between the user and its intended target.

The researchers picked 100 apps to manually audit for MITM attacks and found 41 were vulnerable despite their use of encryption technology such as TLS and SSL. 

"From these 41 apps, we were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others," the researchers stated in a research report that described their experiments.

In tomorrow's article, "10 security best practice guidelines for businesses," I'll outline ten best practices for business users of mobile technology, although these best practices apply to any computing technology.

*Data gathered by Symantec for its Internet Security Threat Report. Data from the 2011 report, published April 2012, Volume 17.



Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

  • Google/Android is pathetic when it comes to privacy

    Their focus on you as the product means that while they will do ANYTHING for your Personal Information they have also opened up an ecosystem for every malware developer and their state-sponsors to have first dibs at your PI too.

    If you're not smart enough to understand that scanning your emails, wifi networks, G+ profiles is all you're good for to them then shame on you.

    If you're not outraged that the Google/Android protection of your PI is not important then you are the perfect sap for the malware industry.

    Good luck with that ....
  • These aren't mobile apps

    They are Android apps. Not iOS, not Windows 8, not Blackberry. Android. Quit soft-pedaling it; you do your readers a disservice.
  • Article does not describe malware apps

    The article mostly describes apps using "encryption technology that is vulnerable". This is not the same thing as malicious apps. The apps simply send data in a way that it can be intercepted/decoded: they do not try to steal data. This is also not just an issue for mobile apps but for computer programs of all types including those running on desktops. Think your PC is safe from MITM attacks? Think again!

    The fact remains that very few active malware programs have been found on smartphones compared to the 100,000s regularly infesting Windows PCs.
    The Star King