Everywhere in our lives, mobile is big and getting bigger. From $1.2 billion in mobile purchases made on Black Friday to gaming and dating, mobile is increasingly the way we buy, play and connect. Work is mobile too: 97% of enterprises say a portion of their workforce uses mobile devices for work. With so much of our lives connected to mobile devices, you’d think our awareness of mobile privacy and security issues would be high. You’d be wrong.
To prove this point, a team of investigative journalists from the Canadian Broadcasting Corporation’s (CBC) Marketplace program contacted Appthority, as a trusted enterprise mobile security company, to help them conduct a field study. The team wanted to see how easy it was to build an innocent-looking app that could gain access to a wide range of personal data, and then how easy it was to get people to download that app from somewhere other than an approved app store and give it permission to access their data. By later revealing the information the app had collected, the CBC team and Appthority hoped to raise awareness of the risks inherent in mobile apps and of the widespread ignorance around mobile security.
Step 1: Building the app
The CBC team wanted a simple app that people would use daily during the one-week field study, and opted to develop a daily horoscope app. The Appthority Mobile Threat Team (MTT) knew that a popular attack vector for bad actors is inserting malicious code into an otherwise benign app, and decided this would be the best approach. The CBC team was surprised at just how easy it was to create a spying app. Our MTT researchers quickly took an off-the-shelf Android remote access trojan (RAT) called DroidJack and inserted it into the horoscope app, and step 1 of the project was complete. The team now had an app that gave users their daily horoscope but would also read all of their SMS and email messages, listen in on calls, see pictures and videos, record audio or video at any time, and serve as a 24/7 spy tool. [For a more in-depth look at how the team built the app, and how easy it was to keep the native Android antivirus engines from detecting the spyware, please read our technical blog here.]
Step 2: Distributing the app
The team hosted the app on a private third-party server and gave access only to the participants of the study. Both CBC and Appthority wanted the field test run in a secure, controlled environment, while still showcasing the risk of downloading from unofficial sources that have not gone through the vetting Apple and Google apply in their official app stores. While the safeguards were specific to this study, the distribution method was not theoretical or academic. A recent Android malware campaign called Gooligan compromised over 1 million Google accounts. Gooligan was found in 86 infected apps available for download from third-party stores, and it targets Android 4 and 5, versions that ran on roughly 74% of devices at the time.
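The two checks a security team would actually want after steps 1 and 2 are (a) which apps on a device were installed from outside the official store and (b) which apps request a permission set matching the capabilities the trojanized horoscope app had. The Python script below is an added example, not code from the original post, from the CBC study or from Appthority’s product. It triages the output of `adb shell pm list packages -i` (package plus installing package) together with each app’s requested permissions as listed under `requested permissions:` in `adb shell dumpsys package <pkg>`. The package names, permission lists and the threshold of three are constructed for the example, and the spy-class permission set is a triage heuristic chosen here, not DroidJack’s actual manifest.

```python
"""Triage an Android app inventory for sideloaded apps with a spyware-shaped permission set.

Assumed inputs, both collectable over adb from an enrolled or test device:
  * `adb shell pm list packages -i`   -> "package:<name>  installer=<pkg|null>"
  * `adb shell dumpsys package <pkg>` -> lines under "requested permissions:"
The sample data below is constructed for this example, not taken from the study.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: only the Play Store counts as an official, vetted installer.
OFFICIAL_INSTALLERS = {"com.android.vending"}

# Spy-class permissions mapped to the capabilities the page lists for the
# trojanized app. This is a triage heuristic chosen for the example, not the
# manifest of DroidJack or of the CBC horoscope app.
SPY_PERMISSIONS: Dict[str, str] = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.PROCESS_OUTGOING_CALLS": "monitor calls",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "capture pictures/video",
    "android.permission.READ_EXTERNAL_STORAGE": "read stored photos/videos",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
}
SPY_THRESHOLD = 3  # assumption: 3+ spy-class permissions is a spyware-shaped profile


@dataclass
class Finding:
    package: str
    installer: Optional[str]      # None when pm reported installer=null
    capabilities: List[str]       # human-readable spy capabilities requested
    risk: str                     # "high" | "review" | "low" | "none"


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Parse `pm list packages -i` output into {package: installer-or-None}."""
    result: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name_part, _, inst_part = line.partition("installer=")
        name = name_part[len("package:"):].strip()
        installer = inst_part.strip() or "null"   # missing field treated as unknown
        result[name] = None if installer == "null" else installer
    return result


def is_sideloaded(installer: Optional[str]) -> bool:
    """adb installs and unknown-source APKs show installer=null or a non-store package."""
    return installer not in OFFICIAL_INSTALLERS


def spy_capabilities(permissions: List[str]) -> List[str]:
    """Return the spy-class capabilities implied by a requested-permission list."""
    return [SPY_PERMISSIONS[p] for p in permissions if p in SPY_PERMISSIONS]


def assess(installers: Dict[str, Optional[str]],
           requested: Dict[str, List[str]]) -> Dict[str, Finding]:
    """Combine install source and permission profile into a per-app risk label."""
    findings: Dict[str, Finding] = {}
    for pkg, installer in installers.items():
        caps = spy_capabilities(requested.get(pkg, []))
        sideloaded = is_sideloaded(installer)
        if sideloaded and len(caps) >= SPY_THRESHOLD:
            risk = "high"     # unvetted source AND spyware-shaped permissions
        elif len(caps) >= SPY_THRESHOLD:
            risk = "review"   # store app, but broad surveillance capability
        elif sideloaded:
            risk = "low"      # unvetted source, no spy-class permission cluster
        else:
            risk = "none"
        findings[pkg] = Finding(pkg, installer, caps, risk)
    return findings


# Constructed sample: one sideloaded "horoscope" app with a RAT-like profile,
# one store messenger with legitimately broad permissions, one sideloaded flashlight.
SAMPLE_PM_OUTPUT = """\
package:com.example.dailyhoroscope  installer=null
package:com.example.messenger  installer=com.android.vending
package:com.example.flashlight  installer=null
"""
SAMPLE_REQUESTED: Dict[str, List[str]] = {
    "com.example.dailyhoroscope": [
        "android.permission.INTERNET",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.PROCESS_OUTGOING_CALLS",
    ],
    "com.example.messenger": [
        "android.permission.INTERNET",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
    ],
    "com.example.flashlight": ["android.permission.CAMERA"],
}

if __name__ == "__main__":
    for f in assess(parse_installers(SAMPLE_PM_OUTPUT), SAMPLE_REQUESTED).values():
        print(f"{f.risk:6} {f.package:28} installer={f.installer} caps={f.capabilities}")
```

Run against a real device by piping `adb shell pm list packages -i` into `parse_installers` and filling `requested` from `dumpsys package`; the installer check alone catches step 2 of the study (sideloading), and the permission cluster catches step 1 (a horoscope app that wants SMS, microphone and camera) even when the APK came through a store.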
Step 3: Finding the subjects
Step 4: Harvesting data
The CBC team was shocked at how much data the app was able to collect. One journalist described it as “creepy” when she realized just how much personal information could be collected from a mobile app given how intimate we all are with our phones. After all, these devices are always on, with us everywhere, and have cameras, microphones, and are used for the majority of our conversations via SMS, email, chat, and phone. Needless to say, the CBC team had to be careful not to collect anything too personal. They collected just enough to shock each subject when the truth was revealed.
Step 5: The reveal
When the CBC team went back to those who had downloaded the app, the consensus was “It’s disturbing.” According to a CBC post on the topic, “the most shocking app permission for one of the testers, Shahbaz, was the ability to turn on his camera and microphone unprompted. ‘I should have read those terms and conditions,’ he said.”
Each of the users was visibly shocked by what they had shared via the app, but grateful to have learned about the consequences of mobile risks in a secure field study rather than out in the wild. Unfortunately, it often takes an eye-opening experience to change our habits for the better, and both CBC and Appthority hope the story of these ten subjects serves as a warning to millions of others. [For tips on secure smartphone use, see this companion video from the CBC.]
Step 6: The cleanup
All data collected, apps used, and even servers used in the study were completely deleted at the conclusion of the field test.
So, what does this mean for enterprise security?
The key takeaway for enterprises from this field study is that employees are consumers too. And as much as we’d like to think that employees follow enterprise security best practices all of the time, on the devices they use in both their work and personal lives, they do not. Mobile users make choices every day that affect an enterprise’s security posture, and as the field study shows, they don’t always make the best security choices even for themselves. Further, in a world connected by mobile, users share the things they like, including risky apps. An employee who sideloaded our example spyware app could easily have shared it with work colleagues and, in so doing, created a spy network inside your corporation, recording conversations, streaming live video, and so on.
Both personal and corporate data are targeted in mobile attacks, and as more work is done via mobile, the risk to enterprise data grows. But while mobile adoption in the enterprise continues its explosive growth, mobile security projects remain severely underfunded. As PwC puts it, at the very least enterprises should strive not to be the “low-hanging fruit” for attackers, by investing in comprehensive mobile threat protection.
Like the subjects of this study, we hope that in 2017 more enterprises open their eyes to mobile threats and finally eliminate their mobile blind spots. To help you take the next step in reducing mobile risk, we’ve put together a free Guide to Securing Enterprise Data and Employee Privacy from Mobile Threats.
Appthority’s enterprise Mobile Threat Protection solution responds to active threats and proactively lowers mobile security risk with a comprehensive suite of mobile threat analytics and intelligence, continuous monitoring and research, and best-in-class EMM integrations and workflows. We keep security teams informed, employees productive and enterprise data private and secure. To get started securing your employees and your enterprise from mobile threats, contact Appthority.