This blog was written by Bruce Snell.
If you’re like me, you probably have at least a dozen apps on your smartphone that you never use. They just sit around taking up space in some forgotten corner of your device. When you combine these unused apps with the tendency many people have of not keeping all of the apps updated, you’re looking at some potential for trouble.
This week’s McAfee Labs Threats Report: June 2016 gives us some insight into the potential trouble brewing with forgotten and out-of-date apps. The McAfee research team reported on the growing trend of mobile app collusion, which we define as two or more mobile apps working together to:
- Steal personal information off your smartphone
- Read your personal or work emails, notes, and other files
- Send fake text messages on your behalf
- Load viruses onto your phone without your knowledge
- Conduct financial transactions using your online payment accounts
McAfee Labs has observed such behavior across more than 5,000 versions of 21 apps designed to provide useful services such as mobile video streaming, fitness tracking, and travel planning. But because many mobile apps haven’t been updated, criminals can exploit their out-of-date designs and security flaws, commandeer the capabilities of benign apps, and use them to attack the smartphone’s owner.
Let’s be honest: we can’t get enough mobile apps.
We want any app that can possibly be of use to us, we want our apps to be able to work together, and we don’t want any limitations that might separate us from the value they can provide us. We want to be able to use our Facebook account to register on dating services. We want to buy groceries from Amazon using our PayPal or Venmo accounts. We want to be able to find people, places, and things, whenever we desire them. We want them all right away, without any inconveniences.
Accordingly, the mobile operating systems that run your smartphone are designed to help mobile apps communicate with each other, and, together, do more and more things to make our lives easier.
Cybercriminals are aware of our behavior and the operating systems’ features that support it. They know that if they can design a seemingly legitimate app that provides a useful service and doesn’t appear to pose a security threat, their app may be able to slip through some mobile security protections.
Once these malicious apps are on your phone, they take advantage of the connectivity built into legitimate apps to steal information. For example, it’s very common for games to have Facebook connectivity built in to allow you to compare scores with your friends. A malicious app could pose as a legitimate game using Facebook connectivity. On the surface, it claims to do this to find friends to challenge, but in reality it is farming the contact info of your friends and family to use for a phishing attack. This is an example of a very basic form of app collusion, but the possibilities are endless for a determined cybercriminal.
Fortunately, there are some basic safety tips that can help you protect yourself from the threat of colluding mobile apps:
- Be diligent about updating your smartphone’s software. The cybercriminal community is always a step ahead in creating new threats to attack us. But, at the end of the day, there’s also a tremendous amount of work going into developing safer smartphones and other technologies. You will miss out on the benefits of all that work if you fail to regularly update the software for your smartphone’s operating system and your favorite apps. Develop the habit of checking regularly for new software updates, and take a few minutes to implement them.
- Delete the old apps you don’t really use. I understand that you don’t think you can live without that Wine Country Mapping app from that day trip two years ago, that video streaming app from the last Olympics, that obscure dating app that could only match you with people on other continents, or that sleep monitor app that you used just two nights in 2009 and never opened again. You’re wrong. Each app you forget about and never use will likely be an app you don’t regularly update. If you don’t use them, lose them.
- Only download apps from trustworthy sources. Acquiring your mobile apps exclusively through smartphone vendors’ app stores and trustworthy websites is the best way to avoid those malicious apps trying to disguise themselves as safe. Downloading every app you come across with no thought as to the legitimacy of the source is the best way to have your smartphone compromised.
- Always use mobile security protection. Whether you acquire it from your smartphone vendor, your carrier, or third-party security providers, you must use the widely available mobile security solutions, and keep those solutions updated so they can detect the very latest known and unknown threats on the Internet.
While the idea of malicious apps hiding in plain sight is disturbing, each of us is very capable of protecting ourselves. Our irrational hunger for mobile apps won’t likely change. But we can apply rational common sense to the questions of what we should allow on our smartphones, where our software should come from, and how often we should tap our app store icon to seek, find, and implement software updates.