Why You Should Care More About Popular Mobile Apps Rather Than Mobile Malware

We hear about cyber criminals targeting mobile devices with malware-ridden apps, but no one tells us about the threats we face with popular apps we download from the Apple App Store or the Google Play Store. As an aside, did you know that mobile malware is virtually non-existent on the Apple App Store and the Google Play Store and in fact only accounts for 0.1% of malware?

The average mobile user has 50 to 250 mobile apps on their device, and free mobile apps are riskier than paid apps. This is because, to generate revenue, app developers often share your app data with advertising and analytics companies, which compromises your privacy and security (Appthority App Reputation Report, 2014).

This poses a security risk by exposing your highly sensitive data to hackers when they gain access to your phone, either by physically possessing the device or by remote exploits. Either way, this could result in significant consequences.

Does your work allow for Bring Your Own Device (BYOD)? If so, your mobile device contains your personal data as well as your company's data, which puts the company data at great risk, namely of intellectual property loss and theft.

So what do we mean by risky? 95% of the top 200 free iOS and Android apps exhibited at least one of the following risky behaviors (Appthority App Reputation Report, 2014):

  1. Track your location: Many apps run in the background and capture your location. Of course this is useful when hailing an Uber or Lyft or when using maps. However, how many apps that you aren’t even using to get from point A to point B are reporting your location in the background?
  2. Store your credit card number unencrypted: When your apps do not secure your data using encryption, that data is much easier to intercept. For example, Starbucks, the most popular mobile payment app, saves your password in clear text and contains links to your credit card information, none of which is encrypted within the app.
  3. Access your private info such as your Contacts: Developers of apps, especially social networking apps, often transfer the contacts or address book from the device without permission. Usually they are trying to increase the viral effects of the app. In the hands of hackers, your contacts can be used to create a targeted phishing attack. Typically, targeted phishing attacks start with an email containing a link to a site where hackers pose as a trusted party in order to collect your usernames, passwords, and credit card numbers.
  4. Use the device’s microphone: Scarily enough, there are apps that can turn on the microphone of your mobile device without your permission. Malicious users can then record private conversations.
  5. Use your social apps login: Many apps leverage your Facebook and/or Twitter login information to sign you into their mobile application. Single sign-on does make for a better user experience, but it is also riskier: if your social login is hacked, all of the apps that you have logged into using the same password might be compromised as well.

Steps you can take to reduce your risk of being hacked:

  • Set a passcode for your device.
  • Encrypt your device and app data. Download NowSecure to your mobile device to find out if apps are storing data encrypted on your device. NowSecure will also tell you if your apps are sending data to foreign countries where cyber crime is high.
  • Only install apps from approved app stores such as the Apple App Store and/or the Google Play Store.
  • For Android devices, ensure Google App Verification is turned on. This way, you will be alerted if you attempt to install a harmful app on your device or if one is already installed.
  • Don’t recycle app passwords; use a unique and difficult password for each mobile app. Use the Dashlane app to create and store these difficult-to-crack passwords.
  • Don’t connect to an open public Wi-Fi hotspot. Hackers could be masquerading as the hotspot ready to steal your personal data.