Millions of mobile app gamers are putting themselves at risk of social engineering by voluntarily allowing apps from official play stores to access, and in some cases control, their devices.
A study conducted by AppRiver, the cloud-based email and Web security specialist, found that the top games listed in Google’s Play Store – which have had millions of global downloads – demand permissions for full network access and read the contents of storage. This type of information if accessed by hackers, or even legitimately collected by criminals, can be used to create tailored scams that are will spoof even the most security savvy individuals.
Looking at the some of the more invasive permissions, and whilst there is the option for ‘approx. Location – network based’, some apps insist on ‘precise location (GPS and network based)’. While this might be expected for games, such as Pokemon Go, this was a requisite for apps that don’t necessarily need to know where the player is – such as Mobile Strike and Game of War.
Even if users check the fine print on installation, all apps include the disclaimer: “Updates to [INSERT NAME OF APP] may automatically add additional capabilities within each group.” This means that, even if you look at the Ts&Cs and agree with them, they can be changed without your knowledge. This potentially presents a big security risk as all apps had at least one condition labelled ‘other’, that includes ‘full network access,’ ‘control near field communication,’ ‘run at startup,’ ‘draw over other apps,’ ‘control flashlight’ and more.
Troy Gill, manager of security research at AppRiver, said: “With advances in technology, the money moved online and criminals simply followed. With the constant evolution of IT security enhancements, many of the virtual ways in are being systematically sealed with criminals looking for new ways to socially engineer their attacks and liberate the funds. What better way than collecting information that is given voluntarily?”
Other anomalies and abuse of permissions identified by the research include:
- YouTube personality Felix “PewDiePie” Kjellberg’s app PewDiePie’s Tuber Simulator has racked up millions of downloads in recent weeks, and lets you seek success by creating your own viral videos. The app demands 15 permissions, including ‘full network access’
- Rolling Sky demands 13 permissions including the ability to ‘read the contents of and modify or delete the contents of USB storage’
- Shuffle cats has the ability to prevent the device from sleeping
- FIFA Mobile Soccer has the ability to ‘use accounts on the device’
Jim Tyer, EMEA channel director, concludes, “We know criminals are collecting information from social network sites, such as Facebook and LinkedIn, to launch targeted attacks and this is potentially another avenue for them to exploit. Businesses need to carefully evaluate their policies and consider the introduction of both formal, or perhaps informal, rules about the use of company-owned equipment. The challenge is ownership of the devices connecting and extending the corporate boundaries, as the lines between what’s perceived as business and individual ownership becomes increasingly blurred. Organisations must introduce effective technical safeguards that prevent apps from accessing company networks and data at the very least. In tandem, user education is critical so that employees are not just aware but fully comprehend the potential hazards of social engineering and how it can be used to launch attacks against the company. It’s unlikely that everyone is going to start carefully reading Ts & Cs, but knowing this information might be used against them could encourage workers to be more vigilant when clicking yes.”
While this research looked specifically at Google Play Store’s ranked apps, those listed in Apple’s iTunes and Amazon’s Appstore all contain the same permissions.