The latest results from the McAfee mobile security report for June has revealed new ways that cyber criminals abuse app permissions to commit fraud and install malware.
McAfee Labs found that cyber attackers are using the camouflage of free apps to get consumers to agree to invasive permissions that allow scammers to deploy malware.
According to the report, the permissions in free apps, funded by adware, leak personal information which ad networks use to serve targeted ads; however, it also found that 26% of apps are likely more than just adware.
SMS scams and rooting exploits were among the most common types of threats seen across a variety of apps.
The report identified games and personalisation apps as the most popular apps that carry malware. It also points out that Android is the most vulnerable operating system, with the Ice Cream Sandwich version cited as the most popular platform for malware.
Russia has been cited as the number one source of malicious apps, followed by the US and China in third place.
Consumer vigilance
Vice-president of mobile product development at McAfee, Luis Blando, says most consumers do not understand or even worry about the app permissions they agree to.
"Because of that, cyber criminals are increasingly abusing app permissions as an efficient way to deliver mobile malware. Through these agreements, mobile consumers are unwittingly putting their personal information into the hands of criminals disguised as ad networks, and opening up endless doors for scammers."
Country manager at Blue Coat Systems, Justin Lee, says most mobile attacks fall into the social engineering category. "Users are tricked into thinking that they want the app, so they'll download it. We find that most people are so keen to get the app installed and to start using it that they don't stop and actually look at what the app is requesting access to."
Lee says certain apps request access to the calendar, contacts and location, to which most users blindly agree. He adds the most common way for hackers to gain access to personal data is simply ripping an existing app and repackaging it with a malware payload, and then offering it on a site other than the main/official app store.
"Another common attack involves a rogue app that goes after other data on the phone. Many apps do not adequately protect sensitive data, so if a rogue app can get to it, it's easy to read it," notes Lee.
Lee adds that Apple and Google tighten restrictions and close holes in their channels on a regular basis. He warns that these protections are a good reason to think twice about "jailbreaking" a phone. "Jailbreaking your phone may give you unrestricted access to free and paid applications, but these free/unrestricted apps are most certainly not guaranteed to be safe."
Lee urges mobile users to only download apps from an official source. "If you're really paranoid, then you want something to help keep an eye on traffic, and spot changes and anomalies of how the apps communicate. Organisations and individuals should not only worry about securing the device, but also securing the content that goes to and from the device's applications."
Share