Mobile app gamers are putting themselves at risk of social engineering by voluntarily allowing apps from official play stores to access, and in some cases control, their devices, it’s claimed.
A study by AppRiver, a cloud-based email and Web security product company, found that the top games listed in Googleโs Play Store demand permissions for full network access and read the contents of storage. This type of information if accessed by hackers, or even legitimately collected by criminals, can be used to create tailored scams that are will spoof even the most security savvy individuals. Looking at the some of the more invasive permissions, and whilst there is the option for โapprox. Location โ network basedโ, some apps insist on โprecise location (GPS and network based)โ. While this might be expected for games, such as Pokemon Go, this was a requisite for apps that donโt necessarily need to know where the player is โ such as Mobile Strike and Game of War.
Even if users check the fine print on installation, all apps include the disclaimer: โUpdates to [INSERT NAME OF APP] may automatically add additional capabilities within each group.โ This means that, even if you look at the Ts&Cs and agree with them, they can be changed without your knowledge. This potentially presents a big security risk as all apps had at least one condition labelled โotherโ, that includes โfull network access,โ โcontrol near field communication,โ โrun at startup,โ โdraw over other apps,โ โcontrol flashlightโ and more.
Troy Gill, manager of security research at AppRiver, said: โWith advances in technology, the money moved online and criminals simply followed. With the constant evolution of IT security enhancements, many of the virtual ways inare being systematically sealed with criminals looking for new ways to socially engineer their attacks and liberate the funds. What better way than collecting information that is given voluntarily?โ
Alsi identified by the research:
YouTube personality Felix โPewDiePieโ Kjellbergโs app PewDiePie’s Tuber Simulatorhas racked up millions of downloads in recent weeks, and lets you seek success by creating your own viral videos. The appdemands 15 permissions, including โfull network accessโ
Rolling Sky demands 13 permissions including the ability to โread the contents of and modify or delete the contents of USB storageโ
Shuffle cats has the ability to prevent the device from sleeping; and
FIFA Mobile Soccer has the ability to โuse accounts on the deviceโ.
Jim Tyer, EMEA channel director, says: โWe know criminals are collecting information from social network sites, such as Facebook and LinkedIn, to launch targeted attacks and this is potentially another avenue for them to exploit. Businesses need to carefully evaluate their policies and consider the introduction of both formal, or perhaps informal, rules about the use of company-owned equipment. The challenge is ownership of the devices connecting and extending the corporate boundaries, as the lines between what’s perceived as business and individual ownership becomes increasingly blurred. Organisations must introduce effective technical safeguards that prevent apps from accessing company networks and data at the very least. In tandem, user education is critical so that employees are not just aware but fully comprehend the potential hazards of social engineering and how it can be used to launch attacks against the company. Itโs unlikely that everyone is going to start carefully reading Ts & Cs, but knowing this information might be used against them could encourage workers to be more vigilant when clicking yes.”
While this research looked specifically at Google Play Storeโs ranked apps, those listed in Appleโs iTunes and Amazonโs Appstore all contain the same permissions, the firm adds.
