Research has revealed that third-party applications are putting the businesses in greater danger than ever before, introducing a myriad risks into the IT environment, said Simon Campbell-Young, CEO of Phoenix Distribution.
As the mobile threat landscape grows, knowing what the risks are involved remains the best defence, he said. "Many dangers lurk in the shadowy corners of third-party app sites - from tricking users into downloading malware-laden apps, or clicking on malicious links, to mobile devices being used in cybercriminal botnets. These are real dangers that mobile users are facing today. Cyber criminals look for the low-hanging fruit. They are focusing on the application layer, as this has traditionally been ignored in terms of security."
Third-party apps are serving up malware and facilitating drive-by downloads. Many of the vulnerabilities are being exploited as the attackers do not even need the user's permission to execute malware downloads.
Attacks on the application layer are growing because they work, said Campbell-Young. "Unfortunately, outside applications are not subject to the same rigorous updates as the applications by major vendors are and, as such, are leading to a huge increase in malicious infections."
Cyber crooks are cognisant of the fact that although organisations have most of the other bases covered, including end-points and operating system protection, and even make sure they apply patches from commercial vendors on a regular basis, they still are woefully inadequately prepared when it comes to protecting against flawed apps. Research estimates that there are several million unpatched apps running on machines around the world as we speak.
He added that huge volumes of targeted attacks that use spear phishing are exploiting vulnerabilities in third-party apps to achieve their malicious ends. "This is currently the most popular attack vector, used by cyber criminals to access a target's network."
The same vulnerabilities are being used by criminals to exploit users who visit infected websites - victims are tricked into downloading documents from sites they know to be reputable, but those documents can exploit those third-party flaws.
"For some of these exploits to succeed, the user does not even need to open the document, merely visiting the infected site is enough. Downloading from third-party app sites is understandably tempting - free versions of desirable apps are there for the taking, as well as other apps that you cannot get from first-party providers. "However, question whether it is worth putting your devices, and, with them, your most sensitive information at risk," concluded Campbell-Young.
