Latest Android security hole shows why IT should consider a mobile app allow list

More mobile app security headaches have popped up, including a new one discovered by mobile security firm Zimperium that not only steals data, but can silently control mic and camera as well as secretly delete security apps.

IT has, for the most part, gotten fairly decent at controlling apps on corporate-owned devices, but safeguards against apps being added after a device is issued to an employee are weaker than they should be. When it comes to BYOD devices, which are owned by employees and contractors, IT and security admins need to get far stricter.

Most mandate a variety of (more or less) secure enterprise apps for functionality, as well as critical security apps for protection. That’s where things get sticky. How far can — and should — the IT and security folks go in protecting corporate data, networks and devices?

On the one hand, the device is owned by the employee/contractor and they seemingly have the right to download whatever app they want. But does that right have a limit when it threatens the security of the enterprise? Is partitioning enterprise systems enough? (You already know the answer: No, of course it’s not enough.) Once a malware app gains control of the device, it typically can access everything or almost everything.

Let’s look at the latest threat. 

“Unlike other spyware campaigns that typically take advantage of on-device vulnerabilities, this campaign, known as PhoneSpy, hides in plain sight on victims’ devices, masquerading as legitimate Android lifestyle apps, from TV streaming to yoga instruction. In reality, however, the spyware is stealthily exfiltrating data from the victim’s device, including login credentials, messages, precise granular location and images. PhoneSpy is also capable of uninstalling any apps, including mobile security apps,” noted an excellent report in TechCrunch.

“Researchers at mobile security firm Zimperium, which discovered PhoneSpy inside 23 apps, say the spyware can also access a victim’s camera to take pictures and record video in real time, and warned that this could be used for personal and corporate blackmail and espionage. It does this without a victim knowing, and Zimperium notes that unless someone is watching their web traffic, it would be difficult to detect.”

There are a lot of good and frightening thoughts in that quote. Let’s start with “unless someone is watching their web traffic.” That is an excellent practice, and yet few IT operations do that even with their corporate-issued phones, let alone BYOD devices.

The worst part of PhoneSpy is its ability to surreptitiously delete security apps, which effectively obliterates most enterprise mobile security programs. 

Of course, the real question is why Google has such weak security screening for its apps. (And, yes, Apple’s system is just as bad.) But not all apps come via Google Play, and PhoneSpy is one that doesn’t. It is pushed through social media and other channels, and the user has to agree to download it.

These kinds of security woes are one reason Apple has so publicly taken a stance against “side-loading” apps outside its own App Store. That doesn’t mean app stores are 100% malware free, but it’s the wild west outside those marts. 

That’s the reality enterprise IT — and certainly enterprise CISOs — must deal with. One solution would be to require that IT at least approve any app not on a widely-disseminated corporate allow list. But that doesn’t mean admins should voice any judgments on personal apps, be it a game, a health program, or something more saucy. The focus needs to remain on what’s dangerous.
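As an added illustration (not from the article, Zimperium or any MDM vendor), here is a small Python check that an MDM-side script could run over a device's package inventory: it flags installed apps outside a corporate allow list and, more importantly, escalates when a required security agent has disappeared, the PhoneSpy-style signal described above. The package names, allow list and inventory are constructed for the example.

```python
# Allow-list / required-app compliance check over an Android package inventory.
# Inventory lines mimic `adb shell pm list packages` output ("package:<name>").
# The allow list and required-agent list are hypothetical; a real deployment
# would pull them from the MDM or policy server.

# Hypothetical corporate policy (constructed for this example).
ALLOW_LIST = {
    "com.example.corp.mail", "com.example.corp.vpn",
    "com.example.mdm.agent", "com.example.mobilesecurity",
}
REQUIRED_SECURITY_APPS = {"com.example.mdm.agent", "com.example.mobilesecurity"}
# Platform packages are not user-installed; exclude them from approval checks.
SYSTEM_PREFIXES = ("android", "com.android.", "com.google.android.")


def parse_pm_list(output: str) -> set[str]:
    """Extract package names from `pm list packages` style output."""
    return {
        line.strip()[len("package:"):].strip()
        for line in output.splitlines()
        if line.strip().startswith("package:")
    }


def evaluate(installed: set[str], allow=ALLOW_LIST, required=REQUIRED_SECURITY_APPS) -> dict:
    """Return unapproved user apps and required security apps that are absent."""
    unapproved = sorted(
        p for p in installed if p not in allow and not p.startswith(SYSTEM_PREFIXES)
    )
    # A required security agent that has vanished is the signal the report
    # warns about (spyware uninstalling security apps): treat it as high severity.
    missing = sorted(required - installed)
    return {"unapproved": unapproved, "missing_security": missing,
            "severity": "high" if missing else ("medium" if unapproved else "ok")}


# Constructed inventory: the security agent is gone and an unknown yoga app is present.
SAMPLE_INVENTORY = """\
package:android
package:com.android.settings
package:com.google.android.gms
package:com.example.corp.mail
package:com.example.mdm.agent
package:com.example.fitness.yoga
"""

if __name__ == "__main__":
    print(evaluate(parse_pm_list(SAMPLE_INVENTORY)))
```

A "high" result is the one worth paging on: an unapproved app is a policy question, a missing security agent means the device can no longer be trusted to report on itself.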

And as PhoneSpy shows, there’s a lot of danger out there.

Copyright © 2021 IDG Communications, Inc.