Pausing Google Play: More Than 100,000 Android Apps May Pose Security Risks

Dec 10, 2013

Bit9 Report
With Mobile Security Survey
Table of Contents
Executive Summary
Methodology
Key Findings
Conclusion
Recommendations
Appendix
References
Attribution
Authors
Harry Sverdlove
Jon Cilley
Contributors
Anand Sundaram
Dan Brown
Kevin Flanagan
Executive Summary
A rapidly growing number of employees are using personal mobile devices to connect to their employers' networks. While this bring your own device (BYOD) trend is popular with employees and businesses, it has a major downside: the personal devices accessing business-critical data give a huge number of malicious and unauthorized applications a path onto enterprise networks. These applications pose an enormous security risk.
More than half a billion Android devices have been activated since 2008 [1], accounting for more than half of the global smartphone market share. With many of these devices being brought into work, it is essential to understand the Android application ecosystem and how personal devices connect to enterprise intellectual property.
For this report, Bit9 analyzed more than 400,000 apps out of the reported 600,000 in Android's official Google Play marketplace when the research was conducted in early September 2012, a statistically meaningful sample. We focused on Google Play because of Android's prevalence within the smartphone space. We then related this data to a targeted survey of IT security decision makers responsible for the mobile security posture of more than 400,000 employees. What we identified is mobile policy largely driven by convenience.
What we did not see is an increase in monitoring of these employee-owned devices that have access to company data. 71 percent of those surveyed said their business allows employees to access company networks using their personal devices, but only 24 percent of organizations have some level of app monitoring or control in place. This means many of these employers have little or no insight into what apps are running on their employees' devices, with no way to identify potentially malicious apps or activity.
We classified 25 percent of apps (more than 100,000) in Google Play as "suspicious" or "questionable," based on the permissions requested, categorization of the app, user rating, number of downloads, and the reputation of the publisher. Considering that the average mobile device has 41 apps installed on it [2], potentially 10 apps could have some level of suspicious activity. In some cases, such as with Angry Birds, we noticed 115 variant apps containing the words "Angry" and "Birds," with only four coming from the official Angry Birds publisher Rovio Mobile. Many of them, including "Angry Birds Wallpaper," access fine-grained GPS location services that are not essential to the apps' functionality.
Our research shows that 26 percent of apps in Google Play have access to personal information such as contacts and email, and in our survey, 96 percent of employers who permit personal devices to access their networks allow employees to connect to company email and contacts. So as more companies allow their employees to access their organizational data from personal devices, employers must recognize the threats to their intellectual property posed by unmonitored devices.
In this report, we provide key findings from our Google Play app analysis and survey, weighing each app's permission requests in relation to enterprises. Along with our key findings, this report offers recommendations to help manage these threats and limit their impact on businesses and their employees.
Bit9 Report Pausing Google Play
Methodology
Using publicly available interfaces, we crawled the Google Play app store and cataloged detailed information of
more than 400,000 mobile apps, a statistically meaningful sample representing more than two-thirds of the total
apps available at the time we conducted our research. This information includes publisher, popularity, user rating,
category, number of downloads, requested permissions and price. In addition, we downloaded and analyzed the
binary packages for a random sampling of more than 100,000 of these apps.
By applying the same principles used in The Bit9 Global Software Registry (GSR), the world's largest and most
complete authority on software intelligence, to the mobile space, we examined the results from several different
perspectives, including by publisher, category, permissions and popularity. We categorized permissions
based on group, as defined by the official Android SDK from Google [3], and risk level, as defined by the open
source Android Guard project [4].
We assigned publishers a reputation based on correlation with known publishers within Bit9’s GSR according
to the number of mobile applications authored, the median age and popularity of those applications and their
distribution across categories. If a publisher is not a recognized software vendor, e.g., they have just one or two
apps across several different categories, this can adversely impact their reputation. We assigned a reputation to
individual apps based on their age, number of versions/updates, popularity, permissions requested (against the
norm for their category) and the reputation of their publisher. The weightings used in our formula were further
refined based on static and dynamic analysis of a large sampling of actual binaries. Ultimately, we classified every
app as either green (highly trusted), yellow (less trusted, but not likely to be malicious) or red (suspicious and
potentially unsafe).
Note that a low reputation or red rating for a mobile app does not necessarily mean the program is intentionally
malicious. It could mean that the program has access to resources or personal information that is uncommon or
considered high risk for most users.
For example:
• A popular game app developed by Microsoft that does not access any high-risk permissions will likely have a
high reputation (green/trusted).
• A free social media application from a small but known publisher that has been downloaded several thou-
sand times, but has access to permissions outside of its intended uses might have a medium (yellow) reputa-
tion.
• A personalization app, such as a custom wallpaper program, from a relatively unknown publisher that access-
es personal information (such as email) or can send premium SMS messages will have a low reputation (red/
suspicious and potentially unsafe).
Survey
In August and September 2012, Bit9 conducted a targeted online survey of 139 IT security decision makers
responsible for the mobile security posture of more than 400,000 employees. Respondents represented a wide
range of industries including health care, finance, manufacturing, technology, retail and government. The sur-
vey focused on employee use of personal devices in the workplace, and the organizations’ mobile policy or lack
thereof.
Key Findings
Key Finding #1: 72 percent of apps (more than 290,000) access at least one high-risk permission.
Google defines a high-risk or dangerous permission as a "permission that would give a requesting application
access to private user data or control over the device that can negatively impact the user" [4].
Out of the more than 400,000 apps evaluated, Bit9
found that 72 percent of all Android apps (more than
290,000) access at least one high-risk permission; 21
percent (more than 86,000) access five or more; and 2
percent (more than 8,000) access 10 or more permis-
sions flagged as potentially dangerous. We determined
the risk level by relating the degree of privacy intrusion
or the capability of the permission (e.g., ability to wipe
devices or change systems settings).
Risk levels, however, do not attribute malicious activity to the identified apps; they indicate how much
damage an app could do if it were malicious or became compromised. Many apps
also ask for permissions that are not essential to their
advertised functions. Another concern is the significant
level of variant apps in relation to popular “known”
titles. For example, of the 115 apps that contain the
words “Angry” and “Birds” in the title, only four are from
Rovio Mobile (the official publisher of the Angry Birds
app). Among them, “Angry Birds Live Wallpaper” re-
quests twice as many permissions as the original Angry
Birds game app, including fine-grained GPS location
tracking.
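Reading off an app's dangerous permissions and scoring it against its category norm and its publisher's reputation, as the Methodology section and Key Finding #1 describe, can be expressed as a short program. The following Python is an added example written for this page; it is not Bit9's scoring formula or the GSR. The dangerous-permission subset, the weights, the green/yellow/red thresholds, the sample apps and the publisher data are all constructed assumptions.

```python
"""Added example (not Bit9's code): score Android apps by requested
permissions and publisher reputation, roughly following the methodology
described in the report.  Weights, thresholds, sample apps and publisher
data are constructed assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass
from statistics import median

# Subset of permissions the Android SDK declares with protectionLevel
# "dangerous"; the full list is longer.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.GET_ACCOUNTS", "android.permission.READ_CALENDAR",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
}
# Assumed weights: permissions that can cost money or expose identity count more.
WEIGHT = {"android.permission.SEND_SMS": 3, "android.permission.CALL_PHONE": 2,
          "android.permission.READ_CONTACTS": 2, "android.permission.ACCESS_FINE_LOCATION": 2}


@dataclass(frozen=True)
class App:
    name: str
    publisher: str
    category: str
    permissions: frozenset       # names as declared in AndroidManifest.xml


@dataclass(frozen=True)
class Publisher:
    app_count: int               # apps in the whole catalog, not just the sample
    median_age_days: int
    categories: frozenset        # categories the publisher ships in


def dangerous_count(app):
    return len(app.permissions & DANGEROUS)


def category_norms(apps):
    """Median dangerous-permission count per category: the norm an app is judged against."""
    by_cat = {}
    for a in apps:
        by_cat.setdefault(a.category, []).append(dangerous_count(a))
    return {cat: median(v) for cat, v in by_cat.items()}


def publisher_reputation(pub):
    """-1 (thin, scattered portfolio) .. 2 (established vendor)."""
    rep = 0
    if pub.app_count >= 5:
        rep += 1
    if pub.median_age_days >= 365:
        rep += 1
    if pub.app_count <= 2 and len(pub.categories) >= 2:
        rep -= 1   # one or two apps across several categories: not a recognised vendor
    return rep


def risk_score(app, norms):
    weighted = sum(WEIGHT.get(p, 1) for p in app.permissions & DANGEROUS)
    excess = max(dangerous_count(app) - norms.get(app.category, 0), 0)
    return weighted + excess


def classify(app, norms, publishers):
    """Green (trusted), yellow (less trusted) or red (suspicious), as in the report."""
    score = risk_score(app, norms) - 2 * publisher_reputation(publishers[app.publisher])
    if score <= 2:
        return "green"
    if score <= 6:
        return "yellow"
    return "red"


def classify_all(apps, publishers):
    norms = category_norms(apps)
    return {a.name: classify(a, norms, publishers) for a in apps}


def summarize(apps, publishers):
    return Counter(classify_all(apps, publishers).values())


def permission_stats(apps):
    """Share of apps requesting >=1, >=5 and >=10 dangerous permissions (Key Finding #1 style)."""
    counts = [dangerous_count(a) for a in apps]
    return {f"at_least_{k}": sum(c >= k for c in counts) / len(counts) for k in (1, 5, 10)}


P = "android.permission."
PUBLISHERS = {   # constructed publisher data
    "BigGames": Publisher(20, 900, frozenset({"Games"})),
    "SmallSocial": Publisher(3, 400, frozenset({"Social"})),
    "wallpaperz": Publisher(2, 30, frozenset({"Personalization", "Tools"})),
}
SAMPLE_APPS = [  # constructed catalog sample
    App("Example Game", "BigGames", "Games",
        frozenset({P + "INTERNET", P + "ACCESS_NETWORK_STATE"})),
    App("Example Game 2", "BigGames", "Games",
        frozenset({P + "INTERNET", P + "READ_PHONE_STATE"})),
    App("Example Social", "SmallSocial", "Social",
        frozenset({P + "INTERNET", P + "READ_CONTACTS", P + "GET_ACCOUNTS",
                   P + "ACCESS_COARSE_LOCATION", P + "CAMERA"})),
    App("Example Game Live Wallpaper", "wallpaperz", "Personalization",
        frozenset({P + "INTERNET", P + "ACCESS_FINE_LOCATION", P + "READ_PHONE_STATE",
                   P + "READ_CONTACTS", P + "SEND_SMS"})),
    App("Clock Widget", "wallpaperz", "Personalization", frozenset({P + "INTERNET"})),
]

if __name__ == "__main__":
    for name, colour in classify_all(SAMPLE_APPS, PUBLISHERS).items():
        print(f"{colour:6} {name}")
    print(permission_stats(SAMPLE_APPS))
```

On the constructed sample, the wallpaper that bundles fine location, contacts and SMS sending from a new, scattered publisher comes out red, the social app from a small but established publisher yellow, and the games from a mature vendor green, matching the three illustrations in the Methodology section. A real deployment would take the dangerous-permission list from the SDK of the target Android release and calibrate the weights against analysed binaries, as the report says it did.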
Key Finding #2: 71 percent allow employee-owned devices to connect to their networks.
68 percent of respondents ranked “security” as the top
driver for their mobile policy, but 78 percent believe
phone makers do not focus enough on it. In spite
of that, 71 percent allow employee-owned devices
(BYOD) to access their organization’s network, with
only 24 percent actually deploying some level of app
monitoring or control, which would give them visibility
into what applications are on those devices.
Because of this, we observed a disparity between
respondents’ perceptions about mobile security and
whether they use any methods to protect business
data. While a majority of businesses allow personal
devices to access the company network, many or-
ganizations have not deployed any app inventory or
control measures. As apps access more business data
by connecting to company networks, the ability to
control certain apps or to have insight into which apps
employees have on their devices will be critical.
Key Finding #3: IT security decision makers view iOS as significantly more secure than Android.
Of the two major smartphone platforms (Android and iOS), 84 percent of IT security decision makers feel iOS
is more secure. Among respondents that allow personal devices on their network, 93 percent allow iOS while
only 77 percent allow Android devices. Surprisingly, 13 percent of those respondents allow rooted Android or
"jailbroken" iPhone devices to access their network.
Android devices can install apps from "unknown sources," such as third-party marketplaces, with a simple
settings change and without rooting the device. With the iPhone, the device must be jailbroken to do the same.
Allowing jailbroken iPhones therefore exposes organizations to more untrusted apps, while the official Android
platform exposes organizations to that risk across all Android devices, rooted or not. Given that only a quarter
of respondents have some level of app monitoring, many may lack visibility into apps from third-party
marketplaces as well as from the official Google Play marketplace.
[Infographic: percentage of apps that access location data (GPS); access phone calls or phone numbers; have access to personal info; use permissions that can cost money; have access to account info. Values not recoverable from the text.]
Key Finding #4: Nearly all organizations allow email and calendar access, while 26 percent of apps access personal information such as email and contacts.
96 percent of respondents that allow BYOD also allow employees to
access company email using their personal device, while 85 percent al-
low access to company calendar data. When looking at our app data, 26
percent of apps access private information such as email and contacts,
with only 2 percent of these apps (more than 8,200) coming from highly-
trusted publishers.
Half of respondents rank intellectual property (IP) loss as their chief
concern among common mobile threats, but the majority of them allow
email correspondence to be accessed and inventoried by apps that are
largely unmonitored. A harmful app with access to phone or email contacts could record that information
and send it to a command-and-control server. An attacker could then use the harvested contacts for social
engineering against more traditional endpoints, for example by sending malicious payloads to the compromised
employee's correspondents on laptops or desktops. Because of this, it is important to understand how data
compromised on a mobile device can be repurposed and distributed through channels other than the one it
was acquired from.
[Infographic: 96 percent of employers allowed personal devices to access corporate email; 85 percent allowed personal devices for calendar/scheduling.]
Conclusion
Mobile is the fastest growing technology market segment. Increasingly—thanks to liberal BYOD policies—em-
ployees’ personal smart devices are able to access sensitive company content more frequently than even laptops
and desktops. As these personal devices access more organizational data, most employers lack true visibility into
the integrity and vulnerabilities of many of the apps on employees’ devices.
With more than 600,000 Android apps in Google Play, and a significant percentage of them having permissions
that go beyond the apps' intended use, what should be of even greater concern to employers is the third-party
markets available to Android users. Unlike iOS, Android device owners do not have to root or "jailbreak" their
devices to install apps from "unknown sources." This gives Android users broad capability to install pirated or
tampered apps, or apps that have been banned from Google Play, simply by changing a system setting. This is a
further incentive for users to install third-party applications, but it exposes organizations to significant security risks.
It is because of this framework that Android has be-
come the primary target of hackers. On Android, the
barriers to entry are lower and the market share is
higher. This provides a unique opportunity for hackers
to exploit Android devices that remain largely unpro-
tected.
The average smartphone has 41 installed apps [2]. Our research identified that 25 percent of our sample (more
than 100,000 apps) are at least suspicious or questionable. That means about 10 apps on the average employee's
personal device could have some level of suspicious activity. This does not suggest that mobile devices are
currently ground zero for intellectual property theft, but they could be very shortly. It is more likely that hackers
will repurpose the data they collect from mobile devices by using it for social engineering attacks on more
traditional endpoints (laptops and desktops). Notably, 78 percent of respondents feel phone makers do not focus
enough on security.
The permissions most apps request, aside from Internet access, are GPS tracking and access to phone numbers
and personal information such as email and contacts. As a growing number of apps request more user data, the
door opens for hackers to acquire this information as well, whether by exploiting trusted apps through unknown
vulnerabilities or by building their own malicious apps for distribution through official or third-party
marketplaces. Either way, mobile threats remain very real.
Recommendations
1. Employee education: Android's install-time, capability-based permission model squarely places responsibility
on device owners to know what apps they are running and whether those apps can access their employers'
sensitive data and system services. Thus, a major component of effective Android and mobile security is better
education of end users to help them avoid common pitfalls.
2. Preventing use of apps from third-party markets: Another aspect of education is for each user to know
the capabilities of their mobile device and whether it allows apps to be installed from sources other than
Google Play (on Android, the "Unknown sources" setting). In general, users should stay away from public app
markets that lack trustworthiness.
3. Preventing use of rooted/jailbroken devices: Rooting provides unfettered access to all data on a device
and allows risky apps to make changes to system resources. This gives malware a foothold to install other
apps that could steal data and monitor its use across the device's capabilities, such as voice calls, SMS and
camera, while sending the data to a command-and-control server.
4. Establish baseline security controls (screen locking, PINs, encryption, remote wipe, etc.): Securing a mobile
device and its data starts with screen locking. Additional features such as remote locate and wipe allow users
to find lost or stolen devices and remove data. Encryption applies to data in motion (DIM) and data at rest
(DAR). These are key methods of securing personal data and an organization's intellectual property on mobile
devices. Whole-device encryption exists for Android devices starting with version 3.0.
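The checks behind recommendations 2 through 4 can be scripted against what a device reports about itself. The following Python is an added example for this page, not code from Bit9 or the report. It parses the text returned by `adb shell getprop`, `adb shell pm list packages` and `adb shell settings get secure <name>` (the `settings` command exists from Android 4.2 onward), treating the `install_non_market_apps` setting as the "unknown sources" indicator, test-keys or insecure build properties and known root-manager packages as root heuristics, and `ro.crypto.state` as the whole-device encryption indicator. The sample outputs are constructed, and the indicator lists are assumptions a real deployment would tune; it does not attempt to detect screen-lock configuration.

```python
"""Added example (not from the report): a device-posture check for
recommendations 2-4, written against text that `adb shell` returns.
Sample outputs are constructed; the root indicators are common heuristics,
not a complete detector, and the indicator lists are assumptions."""
import re

# Well-known root-manager packages that show up in `pm list packages` on a
# rooted device (assumed indicator list; extend per environment).
ROOT_MANAGER_PACKAGES = {
    "eu.chainfire.supersu",
    "com.noshufou.android.su",
    "com.koushikdutta.superuser",
}
# Build properties from `getprop` whose values suggest a non-release or
# debuggable build, typical of custom ROMs and rooted devices.
SUSPECT_PROPS = {"ro.build.tags": "test-keys", "ro.secure": "0", "ro.debuggable": "1"}


def parse_getprop(text):
    """Turn `getprop` lines like '[ro.secure]: [1]' into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]: \[(.*)\]$", text, re.M)}


def parse_packages(text):
    """Turn `pm list packages` lines like 'package:com.foo' into a set of names."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def assess_device(props, packages, settings, which_su=""):
    """Return the list of policy violations found (empty list = compliant).

    settings: dict of name -> value as printed by `settings get secure <name>`
      (install_non_market_apps lives in the 'global' namespace on Android
      4.2-4.4, so query both namespaces on real devices).
    which_su: output of `which su`; non-empty means an su binary is on PATH.
    """
    findings = []
    # Recommendation 2: sideloading from "unknown sources" enabled
    if settings.get("install_non_market_apps") == "1":
        findings.append("unknown sources enabled")
    # Recommendation 3: rooted / non-release build
    for prop, bad in SUSPECT_PROPS.items():
        if props.get(prop) == bad:
            findings.append(f"{prop}={bad}")
    root_apps = packages & ROOT_MANAGER_PACKAGES
    if root_apps:
        findings.append("root manager installed: " + ", ".join(sorted(root_apps)))
    if which_su.strip():
        findings.append("su binary on PATH")
    # Recommendation 4: data-at-rest encryption (the platform reports
    # 'encrypted' here once whole-device encryption is enabled)
    if props.get("ro.crypto.state") != "encrypted":
        findings.append("storage not encrypted")
    return findings


# Constructed sample output from a non-compliant device.
GETPROP_SAMPLE = """\
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [4.1.2]
[ro.crypto.state]: [unencrypted]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""
PACKAGES_SAMPLE = """\
package:com.android.settings
package:eu.chainfire.supersu
package:com.example.game
"""
SETTINGS_SAMPLE = {"install_non_market_apps": "1"}

if __name__ == "__main__":
    for finding in assess_device(parse_getprop(GETPROP_SAMPLE),
                                 parse_packages(PACKAGES_SAMPLE), SETTINGS_SAMPLE):
        print("FAIL:", finding)
```

Each finding maps to one recommendation, so a mobile-device-management or network-access-control policy can deny access on any non-empty result and tell the user which control to fix. A device that passes all checks can still be running red-rated apps, which is why the report pairs these controls with app inventory.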
Appendix
1. How many employees does your organization have?
(Pick one)

100 or fewer 9 6%
101-500 31 22%
501-1,000 19 14%
1,001-5,000 47 34%
5,001-10,000 18 13%
10,001+ 15 11%
Total 139 100%
2. What industry are you in? (Pick one)
Education 3 2%
Entertainment/Media 7 5%
Finance/Insurance 15 11%
Government 8 6%
Healthcare 27 19%
Hospitality/Restaurant 1 1%
Manufacturing 34 24%
Pharmaceuticals 4 3%
Retail 2 1%
Technology 14 10%
Utilities/Energy/Telco 9 6%
Other, please specify 15 11%
Total 139 100%
3. Does your organization allow employee-owned (personal)
mobile devices to access your network?
Yes 99 71%
No 40 29%
Total 139 100%
About Bit9
Bit9 is the global leader in Ad-
vanced Threat Protection. Our
mission is to protect the world’s
IP by providing innovative and
powerful solutions to detect
and prevent Advanced Persis-
tent Threats. We protect the
world’s leading brands.
Our company’s award-winning
endpoint protection and server
security solutions provide total
visibility and control over all
software on endpoints and serv-
ers, eliminating the risk caused
by malicious, illegal and unau-
thorized software.
Bit9 leverages the Bit9 Global
Software Registry™ – the world’s
largest database of software
intelligence – to identify and
classify software, delivering the
highest levels of endpoint secu-
rity, compliance, and manage-
ability. The company’s global
customers come from a wide
variety of industries, such as
government, financial services,
retail, healthcare, e-commerce
and education. Bit9 is privately
held and based in Waltham,
Mass. For more information,
visit www.bit9.com, follow us
on Twitter @Bit9, Facebook and
Google+, or call +1 617-393-
7400.
2012 Bit9 Mobile Security Survey
Respondents: 139 Countries surveyed: U.S. and Canada
Survey conducted online from August 15 - September 7, 2012
4. What mobile device operating systems can access your organization's network? (Check all that apply)
Apple iOS 112 81%
Apple iOS (jailbroken) 16 12%
Android 93 67%
Android (rooted) 16 12%
BlackBerry 101 73%
Windows Phone 56 40%
We do not allow personal device access 18 13%
Other, please specify 3 2%
5. Which mobile operating system do you feel is the most secure? (Drag each selection to the right, placing the most-secure mobile operating system at the top with the others in descending order) Each cell is the count of respondents ranking the option at that position (percent of total respondents).
Rank 1 2 3 4
Apple iOS 66 (47%) 51 (37%) 18 (13%) 4 (3%)
Android 13 (9%) 33 (24%) 51 (37%) 42 (30%)
BlackBerry 58 (42%) 37 (27%) 25 (18%) 19 (14%)
Windows Phone 2 (1%) 18 (13%) 45 (32%) 74 (53%)
6. Do you think phone makers focus enough on security?
Yes 31 (22%)
No 108 (78%)
Total 139 (100%)
7. What business services can employee-owned (personal) devices connect to via your organization's network? (Check all that apply)
Company email 106 76%
Company calendar 93 67%
Company documents 47 34%
Mobile-specific enterprise apps 40 29%
Company social media accounts 26 19%
Company messaging and chat 25 18%
We do not allow personal device access 29 21%
Other, please specify 6 4%
About Bit9 Parity
Bit9 Parity is designed to help companies implement best practices and improved security policies for protection against advanced threats, without putting undue burden on IT and security professionals.
• Deployment of application control and whitelisting protection strategies for both applications and devices through a rules engine that allows for flexible configuration of policies and role-based access control;
• A security policy based on actual, relative risk metrics allows for more informed, targeted policy creation and enforcement; policy simulation to assess the impact of default-deny policies before they are implemented, without impeding legitimate enterprise activity;
• Automatic and intelligent correlation of endpoint data through building a library of event correlation experiential knowledge that helps companies better adapt to evolving threats and prevent future attacks.
8. What are the primary concerns driving your organization’s position on use of employee-owned
(personal) mobile devices on your network? (Drag each selection to the right, with the primary con-
cern at the top and the others in descending order) Top number is the count of respondents selecting the
option. Bottom % is percent of the total respondents selecting the option.
1 2 3 4 5
Security 94 (68%) 16 (12%) 9 (6%) 9 (6%) 11 (8%)
Convenience 21 (15%) 32 (23%) 32 (23%) 37 (27%) 17 (12%)
Employee happiness 10 (7%) 15 (11%) 27 (19%) 32 (23%) 55 (40%)
Budget 7 (5%) 28 (20%) 36 (26%) 36 (26%) 32 (23%)
IT management 7 (5%) 48 (35%) 35 (25%) 25 (18%) 24 (17%)
9. What company data are you most concerned about cyber criminals accessing through employee-
owned (personal) devices? (Drag each selection to the right, with the greatest concern at the top and
the others in descending order) Top number is the count of respondents selecting the option. Bottom % is
percent of the total respondents selecting the option.
1 2 3 4 5 6 7 8
Contacts 9 (6%) 10 (7%) 26 (19%) 45 (32%) 27 (19%) 10 (7%) 8 (6%) 4 (3%)
GPS location 1(1%) 1(1%) 5 (4%) 4 (3%) 13 (9%) 24 (17%) 35 (25%) 56 (40%)
Company social media accounts 3 (2%) 5 (4%) 4 (3%) 17 (12%) 23 (17%) 24 (17%) 27 (19%) 36 (26%)
Work email 17 (12%) 35 (25%) 51 (37%) 22 (16%) 4 (3%) 7 (5%) 3 (2%) 0 (0%)
Browser activity 0 (0%) 1 (1%) 3 (2%) 15 (11%) 40 (29%) 32 (23%) 35 (25%) 13 (9%)
Logins and passwords 39 (28%) 55 (40%) 25 (18%) 14 (10%) 2 (1%) 4 (3%) 0 (0%) 0 (0%)
SMS (text) messages 0 (0%) 4 (3%) 7 (5%) 14 (10%) 26 (19%) 35 (25%) 29 (21%) 24 (17%)
Intellectual property (sensitive company documents) 70 (50%) 28 (20%) 18 (13%) 8 (6%) 4 (3%) 3 (2%) 2 (1%) 6 (4%)
10. Do you feel your organization is secure against mobile malware?
Yes 90 65%
No 49 35%
Total 139 100%
11. Do you feel that your organization will be the target of a mobile malware attack in the next year?
Yes 52 37%
No 87 63%
Total 139 100%
12. What mobile-security features are most important to your organization? (Drag each feature to the
right, with the most important feature at the top and the others in descending order) Top number is the
count of respondents selecting the option. Bottom % is percent of the total respondents selecting the option.
1 2 3 4 5 6 7
Malware protection 22 (16%) 21 (15%) 19 (14%) 17 (12%) 25 (18%) 24 (17%) 11 (8%)
Data encryption 45 (32%) 32 (23%) 20 (14%) 7 (5%) 19 (14%) 10 (7%) 6 (4%)
Mobile device management 20 (14%) 13 (9%) 28 (20%) 22 (16%) 24 (17%) 21 (15%) 11 (8%)
Remote locate and wipe 14 (10%) 30 (22%) 20 (14%) 28 (20%) 16 (12%) 14 (10%) 17 (12%)
Network access control 21 (15%) 26 (19%) 26 (19%) 22 (16%) 17 (12%) 17 (12%) 10 (7%)
App control/inventory 0 (0%) 1 (1%) 7 (5%) 14 (10%) 22 (16%) 32 (23%) 63 (45%)
Password screen locking 17 (12%) 16 (12%) 19 (14%) 29 (21%) 16 (12%) 21 (15%) 21 (15%)
13. What mobile-security solutions has your organization already deployed? (Check all that apply)
Malware Protection 52 37%
Data encryption 68 49%
Mobile device Management 71 51%
Remote locate and wipe 76 55%
Network access control 70 50%
App control/inventory 33 24%
Password screen locking 84 60%
We do not have a mobile security solution in place 22 16%
Other, please specify 3 2%
References
1. Chloe Albanesius, PC Magazine, "Android Device Activations Top 500 Million," http://www.pcmag.com/article2/0,2817,2409601,00.asp (September 12, 2012)
2. Nielsen Wire, "State of the Appnation – A Year of Change and Growth in U.S. Smartphones," http://blog.nielsen.com/nielsenwire/online_mobile/state-of-the-appnation-%E2%80%93-a-year-of-change-and-growth-in-u-s-smartphones (May 16, 2012)
3. Google (Android Developers site), Manifest.permission_group, developer.android.com/resources/dashboard/platform-versions.html (September 12, 2012)
4. Google (Android Developers site), <permission>, developer.android.com/guide/topics/manifest/permission-element.html (September 12, 2012)
• Frederic Lardinois, TechCrunch, "McAfee: Mobile Malware Explodes, Increases 1,200% In Q1 2012," http://techcrunch.com/2012/05/23/mcafee-mobile-malware-explodes-increases-1200-in-q1-2012/ (May 23, 2012)
• John Paczkowski, All Things Digital, "84 Million iPads, 400 Million iOS Devices and More Big Numbers From Apple," http://allthingsd.com/20120912/84-million-ipads-400-million-ios-devices-and-more-big-numbers-from-apple/ (September 12, 2012)
266 Second Avenue Waltham, MA 02451 USA
P 617.393.7400 F 617.393.7499
www.bit9.com
About Bit9, Inc.
Bit9, the global leader in Advanced Threat Protection, protects the intellectual property (IP) of the world’s lead-
ing brands with innovative, trust-based security solutions that detect and prevent sophisticated malware and
cyberthreats. Bit9 stops advanced persistent threats (APTs) by combining real-time sensors, cloud-based software
reputation services, continuous monitoring and trust-based application control and whitelisting. Bit9 is the only
company to stop both Flame and the malware that caused the RSA breach. For more information, visit
www.bit9.com, follow us on Twitter @Bit9, LinkedIn, Facebook and Google+, or call +1 617-393-7400.
Copyright © 2012 Bit9, Inc. All Rights Reserved. Bit9, Inc. and Parity are trademarks or registered trademarks of Bit9, Inc. All other names and trademarks
are the property of their respective owners. Bit9 reserves the right to change product specifications or other product information without notice.