Any time a user downloads a vulnerable or malicious mobile app, they could put your organization’s data at risk. Ironically, some malicious apps masquerade as ways to improve security, which can ensnare your most well-intentioned users. Research by AV-Comparatives, and independent organization that tests the performance of security software, suggests that most antivirus apps for Android devices are ineffective, malicious or introduce new security risks.
Malicious apps typically attempt to gather or compromise information and access services on the device and can expose organizations to numerous security risks. Vulnerable or malicious antivirus apps pose a graver threat, since they require extensive access and permissions to function. As Brian Barrett noted in Wired, “You’re basically inviting all-seeing, all-knowing software onto your device, trusting that it’ll keep the bad guys out and not abuse its own access in the process.”
This invitation consists of an OAuth token the user grants to the app. The risk is especially pernicious because user approval of the app onto their mobile (corporate or personal) device typically occurs without IT involvement. Worse, app access is often persistent until the OAuth token is manually removed.
Putting Antivirus Apps to the Test
Researchers at AV-Comparatives downloaded 250 antimalware security apps from the Google Play Store, then tested them against 2,000 common Android malware threats and 100 clean .apk files. Of those tested, only 80 (32%) of the apps detected at least 30% of the malware samples. (Since 23 of these apps identified all of the malware samples, 30% doesn’t seem like a very high bar.)
Another 138 apps (55%) detected less than 30% of the malware “or had a relatively high false alarm rate on popular clean files from the Google Play Store.” At best, these apps proved ineffective or unreliable, but some “have in the meantime already been detected either as Trojans, dubious/fake AVs, or at least as ‘potentially unwanted applications’ (PUA) by several reputable mobile security apps.” The remaining 32 apps were removed from the Play Store shortly before the research was published.
Can Your Users Spot Risky Apps?
Vetting mobile apps can be difficult and, in some cases, counterintuitive. For example, even genuine user reviews may not mean much when considering an antivirus app. AV-Comparatives suggests that “the vast majority of users will give their rating based solely on the user experience, without having any idea as to whether the app offers effective protection.” Their speculation seems to bear fruit, at least in this case, as most of the 250 apps they tested had a review score of 4 or better.
Their solution? AV-Comparatives recommends only using antivirus apps from “well-known, verified and reputable vendors.” But the key word here is “verified.” Plenty of malicious apps attempt to trick users by imitating the name and look of a well-known brand, and some details in an app store can be easily faked.
What organizations need is a one-two punch to combat the risk of third-party mobile apps. First, users should undergo security awareness training and learn additional steps towards mobile device security. Second, technical detection plays an important role because people will ultimately be prone to advanced social-engineering schemes. Beyond antivirus mobile apps, there is a high prevalence of third-party mobile apps that users connect into key sanctioned corporate apps, such as Office 365, G Suite, and Salesforce. This unchecked access often occurs without direct involvement of the user’s IT department. With just a couple of clicks, the user creates new risk that can access corporate data with little control or oversight.
Combining Technical Tools and Security Awareness Training
Faced with this challenge, the best solution for many organizations is to combine technical tools with a commitment to cybersecurity education.
In its 2017 Study on Mobile Device Security, the U.S. Department of Homeland Security detailed a number of technical strategies for defending against vulnerable and harmful mobile apps, but it emphasized that “user awareness and training is the first and often the best defense against many threats.” When users are browsing mainstream cloud app stores those who have participated in security awareness training will be more likely to identify and avoid potentially vulnerable and malicious apps.
Technical detection – the other half of the defense – serves as an important failsafe and way for IT and security teams to scale their staff. Organizations gain visibility into the risk score of apps that have been granted an OAuth token by your users, including unlisted and custom OAuth clients. You can see how widely adopted these third-party mobile apps are in your environment and create policies to define and automate actions based on the analysis results for each app.
Given that many users conduct both personal and business activities from a single device, both training and technology are important elements that benefit mobile security practice for organizations as well as individuals.