Free Android apps? BYOD users should beware

The latest survey by Juniper networks suggest that rogue Android apps stores offering free apps are a major source of malicious apps, fanning security fears for BYOD users

  • 11 years ago Posted in

The growing prevalence of Bring Your Own Device (BYOD) approaches to staff working has a great deal going for it, particularly as an integral part of a cloud services environment. But it does bring with it some justifiable fears about security. And the latest annual security report data from Juniper Networks has highlighted one of the main potential culprits of the moment – smartphones and tablets running Google’s Android operating system.

What the survey also highlights is that most of the benefits of BYOD can be maintained while significantly reducing the current risk potential with some simple management and policy changes within the business.  

Juniper’s Mobile Threat Center has analysed some two million mobile applications, year on year. Between Q1 of 2011 and Q1 a year later the number of malicious Android apps available rose by over 600 percent. No figures are available for Q1 this year, as yet, but if the same growth rate is maintained there are now likely to be over a million and half suspect apps floating around by now.

Android is, of course, widely available and is the OS of choice for a large number of smartphone and tablet suppliers. It is therefore likely to be a favourite for staff working in a BYOD environment. And it appears that it is the outlets for the apps which is one of the causes of the problem.

Google itself maintains good control over its own outlet, Play Store, but the number of independent  apps stores that have sprung up can be numbered in the hundreds. The largest number, 173 of them offering malicious apps, are based in China, according to the Juniper survey. Russia is the next largest source, with 132 apps stores, while the US is third with 76 of them.

Many of the apps available on these sites are free, and therefore particularly enticing. Appearing enticing is, of course, the object of the exercise.

The types of malware most commonly buried in the free apps from such stores work classic scams, such as sending SMS messages to premium rate lines, where the scammer  is usually long gone with the cash before anyone realises what has happened. Mobile banking is also a lucrative target, and third-party mobile wallet systems are also gaining attention.

From a BYOD perspective, it is more worrying that the survey also identified a rise in botnet software for smartphones. Towards the end of last year, the Tascudap Trojan began spreading on handsets. This works with command and control servers at a remote host to upload attack code into any enterprise network to which the handset is connected.

IT managers at business running a BYOD policy therefore need to be aware of such possibilities and institute policies that can inhibit the chances of infection. Some of these policies may require inhibiting the freedoms of staff just a bit. One of the easy steps, for example, is for the IT department to resource an app store of its own. This would contain all the apps staff are likely to require, each of which can be tested and validated before being placed in the store.

Should staff need new apps they can easily nominate them to IT and, if approved, IT can test their validity. The biggest issues here may well be licence management so that apps providers can be properly recompensed.

Another simple tactic will be to create centralised backup routines that run on BYOD devices when they are connected to the central services. The backups can then be checked for malicious code as part of that process and known malicious apps removed from the client device.

The biggest issue of course, is that IT staff need to be aware that steps such as this need to be an integral part of any policies for managing a BYOD environment.    

Talent and training partner, mthree, which supports major global tech, banking, and business...
On average, only 48% of digital initiatives meet or exceed business outcome targets, according to...
GPUaaS provides customers on-demand access to powerful accelerated resources for AI, machine...
TMF Group, a leading provider of critical administrative services for global businesses, turned to...
Strengthening its cloud credentials as part of its mission to champion the broader UK tech sector...
Nearly all UK IT managers surveyed (98%) state cloud investment is an organisational priority for...
LetsGetChecked is a global healthcare solutions company that provides the tools to manage health...
Node4 to the rescue.