Mobile devices are critical in today's modern workplace. Allowing employees to be more productive, working from anywhere and on-the-go, smartphones now hold more sensitive corporate information than ever before.

A survey from Comscore highlights that smartphone apps now represent 87% of all time spent on a mobile.

Targeting the applications on a mobile device to gain access to the phone and ultimately corporate data is becoming a popular route for cyber criminals due to the lack of security on the devices. Threats continue to evolve in sophistication and quantity, outpacing the security architecture enterprises have in place.

Review the Mobile App Threat Killchain infographic to learn how a single employee download of a risky app can lead to a major corporate data leak.

Application-based risks generally fit into one or more of the following categories:

• Malware is software that performs malicious actions while installed on your phone. Without your knowledge, malware can add charges to your phone bill, send unsolicited messages to your contact list, or give an attacker control over your device.
• Spyware is designed to collect or use private data without your knowledge or approval. Data commonly targeted by spyware includes phone call history, text messages, user location, browser history, and contact lists. This stolen information could be used for identity theft or financial fraud.
• Privacy risks may be caused by applications that are not necessarily malicious, but which gather or use more sensitive information (e.g. location, contact lists, personally identifiable information) than is necessary to perform their function.
• Vulnerable applications are apps that are known to contain flaws which could be exploited for malicious purposes. Such vulnerabilities may allow an attacker to access sensitive information, perform undesirable actions, or stop a service from functioning correctly.
• App Behaviors & Configurations have the potential to lead to leakage of enterprise data to which the insecure application has access. Data leakage, in addition to having a high impact on the enterprise itself, can also pose a significant regulatory compliance risk.

Real-life examples:

• ToTok. Objective-See discovered a massively popular mobile chat app for iOS and Android that was built by the United Arab Emirates to "track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones." ToTok didn’t break Apple or Google developer guidelines, asking only permissions available to most developers. That said, the app enables broad surveillance of millions of users around the world.
• BeiTaAd is a well-obfuscated advertising plugin hidden within a number of popular applications in Google Play. The plugin forcibly displays ads on the user's lock screen, triggers video and audio advertisements even while the phone is asleep, and displays out-of-app ads that interfere with a user’s interaction with other applications on their device.
• Last year Facebook announced a vulnerability CVE-2019-3568 in WhatsApp, related to a bug in the Voice over IP (VoIP) calling feature of the app on both iOS and Android. This vulnerability allowed a VoIP caller to install surveillanceware on a user’s device whether the user answered the call or not. The spyware installed was reportedly Pegasus – spyware built by NSO Group and originally discovered by Lookout and The Citizen Lab in 2016.

Take a couple of minutes to answer this Mobile Risk Assessment and get a custom report highlighting strengths and weaknesses with your organisation’s mobile threat defence strategy.

About Lookout

Lookout is a cybersecurity company for the post-perimeter, cloud-first, mobile-first world. Powered by the largest dataset of mobile code in existence, the Lookout Security Cloud provides visibility into the entire spectrum of mobile risk. Lookout is trusted by hundreds of millions of individual users, enterprises and government agencies and partners such as AT&T, Verizon, Vodafone, Microsoft, Apple and others.

Request a demo today.