Following the emergence of the Cambridge Analytica and Facebook data sharing scandal earlier this year, the issue of understanding where and how our data is being accessed has become even more prominent for both individuals and organizations alike. This concern has especially increased for many companies operating Bring Your Own Device (BYOD) policies, allowing employees to carry out work on their own, non-business owned devices. In 2015, 74% of organizations were using or planning to introduce a BYOD policy in the workplace due to its cost and convenience benefits. There are, however, significant risks to this practice to consider. Fundamentally, enabling employees to use their own devices reduces the control of the company over its IT infrastructure. Unlike with company-owned desktop devices, organizations are often unaware of where mobile devices originated from and how they came to be used by their employees and in particular, it can be difficult for the company to protect these devices from malware and other cyber threats. What’s more, it is almost impossible to monitor what data is being collected and distributed.
Spyware and Adware
The presence of spyware and adware on mobile devices has been a significant concern to organizations for many years as they are not only a nuisance for users but also pose serious security risks to both personal and company data. Spyware is usually installed onto a device without the user’s consent or knowledge and generally runs in the background collecting information such as login details or monitoring the activities of the device such as web browsing patterns. Adware is slightly different in that its primary purpose is to display advertising content on the device through pop-up windows and links to other websites. While these ads are often legitimate and do not necessarily direct to malicious websites, they can seriously affect the functionality of devices and productivity of users. Adware can also be used to monitor browsing history and device usage to deliver targeted marketing content, a significant invasion of privacy if not done with explicit consent. As well as coming pre-installed on mobile devices, often spyware or adware can get bundled up with software downloaded from the internet, taking advantage of the long, complicated licensing agreements that usually get ignored by device users. Malicious software can also use pop-up windows in internet browsers containing ‘urgent’ messages or ‘yes’ or ‘no’ options to entice the user to trigger a download and infect the device.
Pre-installed tracking apps
A particularly insidious form of spyware is that which comes pre-installed on mobile devices. The Wall Street Journal recently reported that millions of people in developing countries are being sold inexpensive smartphones with pre-installed apps designed to collect personal data such as user location, usage behavior and unique device identifying numbers. This data is then being sent to advertising companies in China and Taiwan in order to better understand users and improve targeted advertising. Device users in Brazil, Egypt, Myanmar, and Cambodia have reportedly been monitored by these ‘firmware’ apps while unaware that their data is being collected and used for this purpose. One advertising company that supplies the preloaded firmware, GMobi, maintains that these apps are not malware. They state that their company is not responsible for any malicious activity emanating from the apps and that they are simply ‘following the law of the land’. However, in this case, the law of the land consists of weak privacy protection laws and a growing population of novice smartphone and internet users to exploit.
Malware like this is one reason for organizations to be cautious when allowing employees to use their own devices for business purposes. Many apps collect user data for advertising and intelligence purposes with user consent, however, in cases where users have no control over the apps installed on their device and the information they collect, organizations could face serious security threats. According to 78% of organizations, the number one hesitation for implementing a BYOD policy in the workplace is potential security risks, as many spyware and adware threats like this exist and can often go undetected for long periods of time.
Activity recording software
Another potential spyware attack that has commonly been feared by mobile device users is the possibility that devices are listening to their users’ conversations and using this information to target them with advertising content. This concept has been speculated about for years, with many people claiming to have received ads online for very specific items that they had only recently talked aloud about. However, a recent comprehensive study by researchers at Northeastern University in Massachusetts found no clear evidence of smartphones or apps unexpectedly activating the microphone or sending audio to a third party when not actually prompted by the user to do so. One strange practice that they did notice, however, was apps sending screenshots and screen recordings of user activity to unrecognized destinations. Screens with sensitive information such as zip codes and login credentials visible were included in the data collected and for most of the apps involved, it seemed that the user had no idea that their behavior was being recorded. The researchers determined that most of these recordings did not seem to be done for malicious reasons and were simply used to learn about user behavior and preferences to optimize the performance of the app. Nonetheless, these findings highlight the ease with which a malicious body could potentially collect information from a mobile device. A seemingly innocent app could capture and distribute personal information, passwords or private messages without the knowledge of the user which could have serious security implications for the company as a whole.
What to do?
So what can organizations do to avoid a spyware attack? Educating end users to be vigilant of possible attacks is one of the most effective methods of prevention. Device users should always be cautious of what apps they download and what links they click on, checking that the source is trusted and reliable.
However, if the user fails to follow these precautions or if their device becomes infected without their knowledge due to pre-installed software, external protection may be needed. Corrata’s Mobile Internet Security Solution offers organizations comprehensive protection for all of their employees’ devices from all types of malware attacks. Not only does Corrata prevent the device from downloading malicious software or visiting suspicious sites, the solution also constantly monitors where information from the device is being sent and alerts IT administrators if any suspicious activity occurs. This can give organizations piece of mind when implementing a BYOD policy that even if an employee uses a device that becomes infected or compromised by spyware or adware, it can be detected and taken care of before causing any serious damage to the company.