Study: Google Play Apps Go Beyond Need-to-Know
More than a quarter of the apps on Google Play ask for permission to access information that isn't critical to their performance. For example, why would a wallpaper app need your GPS position? "The model for many of these applications is get as many permissions as you can get and then figure out what you're doing later," said Bit9 CTO Harry Sverdlove.
Nov 5, 2012 5:00 AM PT
An analysis of more than 400,000 apps in the Google Play store has revealed that more than 100,000 of them pose a potential security risk to their users.
The analysis of the Android apps, released last week by cyber security vendor Bit9, examined the security permissions requested by the programs. It found that 72 percent of the 412,000 programs examined requested at least one potentially risky permission -- GPS location data, phone calls or numbers, information on contacts and the like.
"We're not saying the apps are carrying viruses or malware, but they do things or have access to things that are questionable for the app that they are," Bit9 CTO Harry Sverdlove told TechNewsWorld.
For example, one wallpaper app in the analysis asks for permission to access a phone's GPS data. Why does the wallpaper app need access to that information?
"The model for many of these applications is get as many permissions as you can get and then figure out what you're doing later," Sverdlove said.
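The kind of check Bit9's analysis describes, requested permissions weighed against what the app plausibly needs, can be run on any app's manifest. The following is an added example, not Bit9's tooling or code from the article: it parses a constructed AndroidManifest.xml for a hypothetical wallpaper app and flags permissions from an assumed "risky" list (location, telephony, contacts, messaging) that is illustrative rather than Bit9's actual criteria.

```python
"""Flag Android manifest permissions that are questionable for an app's stated purpose."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed grouping of real Android permission names into the categories the
# article mentions (location, telephony, contacts). Illustrative only; this is
# not Bit9's list.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.READ_PHONE_STATE": "telephony",
    "android.permission.READ_CALL_LOG": "telephony",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messaging",
}

# Constructed sample manifest for a hypothetical wallpaper app that asks for
# GPS and contact access it has no evident use for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SET_WALLPAPER" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application android:label="Nice Wallpapers" />
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def risky_permissions(manifest_xml):
    """Map each requested permission found in RISKY_PERMISSIONS to its category."""
    return {p: RISKY_PERMISSIONS[p]
            for p in requested_permissions(manifest_xml) if p in RISKY_PERMISSIONS}


def audit(manifest_xml):
    """Summarise an app's permission requests: package, counts and flagged items."""
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(manifest_xml)
    risky = risky_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "requested": len(requested),
        "risky": sorted(risky),
        "categories": sorted(set(risky.values())),
        "flagged": bool(risky),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("%s: %d permissions requested" % (report["package"], report["requested"]))
    for perm in report["risky"]:
        print("  questionable: %s (%s)" % (perm, RISKY_PERMISSIONS[perm]))
```

Run against a real APK, the manifest would first need to be decoded from its binary form (for example with apktool or aapt); the classification logic is the same. The point of the check is the mismatch between the app's category and the data it can reach, which is what the wallpaper-plus-GPS case in the article illustrates.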
Bit9 also surveyed IT decision-makers, at organizations that together employ more than 400,000 people, about mobile policies within their organizations. It found that 71 percent of the businesses allowed employees to bring their own mobile devices to work, but only 24 percent had deployed any applications to manage and control those devices. That indicates, the report said, that convenience, not security, is driving the growing BYOD trend in corporations.
Cybercrime Barriers Lowered
Cybercrime isn't a hobby anymore. That was evident in a report released last week by Trend Micro on the cyberunderground.
"The most surprising thing about that report is that it details the maturity and the extent of the cyber crime market," said Rik Ferguson, director of security research at Trend Micro.
A niche market has developed around the tools and services of cybercrime. "With this fragmentation, the market has become compartmentalized," he told TechNewsWorld. "Individual vendors can create software, find exploits, offer services, like VPN or bulletproof hosting."
Not only has the sale of tools and services become fragmented, but so have the players. "Smaller groups, smaller cells, are doing it now rather than big criminal organizations," he said.
One of the reasons for that is that the barriers to entry for cybercrime have been lowered over the years. "It takes less knowledge and it takes less money to get up and running and off the ground in the world of cybercrime," Ferguson said.
Phishing -- a form of spam that tries to pry personal information from a target or redirect them to a malicious website -- has evolved greatly over the last 10 years. It is losing its shotgun spam qualities and becoming more refined through spear phishing.
"With spear phishing, you know something about the target," ESET security analyst Stephen Cobb explained. "That acts as a multiplier of the deception factor."
If a target receives a message from a mass phishing campaign aimed at customers of a bank with which they have no account, they will probably just delete the missive. On the other hand, if the target is a defense contractor and receives an email with an attachment with "defense" in its filename, the target's name on the "to:" line and a known associate's name on the "from:" line, the message will have a measure of credibility with the target.
"If your phishing message contains something that your target is interested in, then it's more effective and you have a greater probability of succeeding," Cobb told TechNewsWorld.
Data Breach Diary
- Oct. 26: South Carolina Gov. Nikki Haley confirms cyber intruder infiltrated the state's department of revenue and stole 3.6 million Social Security numbers and 387,000 credit/debit card numbers. The breach affects more than half the population of the state.
- Oct. 26: Federal Trade Commission announces final settlement in an action it took against EPN, a debt collection agency in Utah, for exposing sensitive personal information of thousands of consumers by allowing peer-to-peer file-sharing software to be installed on the company's systems. Under the settlement, EPN is barred from making misrepresentations about the privacy, security, confidentiality and integrity of any personal information collected from consumers. In addition, the company must establish and maintain a comprehensive information security program.
- Oct. 26: Employees of the Hillsborough Area Regional Transit Authority were notified that their Social Security numbers and bank information may have been compromised in an internal data breach. It is not yet known how many of the authority's 750 employees are affected by the incident.
- Nov. 1: Report on DigiNotar certificate breach delivered to Dutch Ministry of the Interior and Kingdom Relations by security firm Fox-IT. During the breach last year of the now defunct DigiNotar, some 300,000 Iranians were victimized and 531 fraudulent certificates were issued, including certificates for Google, Microsoft, MI6, the CIA, Mossad, Skype, Twitter, Facebook, VeriSign and Comodo.
- Nov. 2: Tampa Bay Business Journal reports that an employee of Florida Hospital accessed without authorization more than 763,000 patient records from 2009 to 2011. Some 12,000 records of patients involved in automobile accidents may have been sold to personal injury attorneys.
- Nov. 2: Cornell University reports that personal information for as many as 2,000 people was exposed to the public for five days from computers in the school's athletics department. The institution does not yet know whether anyone has misused the data.
Upcoming Security Events
- Nov. 4-6: Information Security Forum Annual World Congress. Chicago.
- Nov. 14: How to choose the right authenticator to meet the CJIS requirement for advanced authentication. 1-2 p.m. ET. Free webinar. Sponsored by Entrust.
- Nov. 15: Getting the Cyber Future We Want, Not the One We Deserve. 1 p.m. ET. Free webcast sponsored by RSA.
- Nov. 28-29: Smart Strategies for Secure Identity. Washington Convention Center, Washington, DC. Registration by Nov. 6: $1,080. By Nov. 27: $1,200.
- Nov. 28-29: Strategic Security Response Summit: Detecting and Preventing Emerging Threats. Washington Convention Center, Washington, DC. Regular registration: $470. Government registration: $230.
- Dec. 3-7: Annual Computer Security Applications Conference. Orlando, Fla. Registration is now open.
- Dec. 3-6: Black Hat Abu Dhabi 2012. Emirates Palace, United Arab Emirates. Registration by Dec. 2: $1,895. On-site registration: $2,595.
- Jan. 7-9: Redmond Identity, Access & Directory Knowledge Summit 2013. Microsoft Conference Center, Redmond, Wash. Sponsored by Oxford Computer Group. Early registration: $450. Registration after Nov. 21: $650.