Millions of mobile app gamers are putting themselves at risk of social engineering by voluntarily allowing mobile games from official play stores to access, and in some cases control, their devices.
A study conducted by AppRiver, a cloud-based email and Web security company, finds that the top mobile games listed in Google’s Play Store – which have had millions of global downloads – demand permissions for full network access and read the contents of storage.
This type of information, if accessed by hackers, or even legitimately collected by criminals, can be used to create tailored scams that are will spoof even the most security savvy individuals.
Looking at the some of the more invasive permissions, and whilst there is the option for ‘approx. Location – network based’, some apps insist on ‘precise location (GPS and network based)’. While this might be expected for mobile games, such as Pokemon Go, this was a requisite for apps that don’t necessarily need to know where the player is – such as Mobile Strike and Game of War.
Even if users check the fine print on installation, all apps include the disclaimer, ‘Updates to [INSERT NAME OF APP] may automatically add additional capabilities within each group.’ So even if you look at the terms and conditions and agree with them, they can be changed without your knowledge.
This potentially presents a big security risk as all apps had at least one condition labelled ‘other’, that includes ‘full network access,’ ‘control near field communication,’ ‘run at startup,’ ‘draw over other apps,’ ‘control flashlight’ and more.
Troy Gill, manager of security research at AppRiver, thinks that, with advances in technology, the money moved online and criminals simply followed.
Gill adds, ‘With the constant evolution of IT security enhancements, many of the virtual ways are being systematically sealed with criminals looking for new ways to socially engineer their attacks and liberate the funds. What better way than collecting information that is given voluntarily?’
Jim Tyer, EMEA channel director, knows that criminals are collecting information from social network sites, such as Facebook and LinkedIn, to launch targeted attacks and this is potentially another avenue for them to exploit.
Tyer continues, ‘Businesses need to carefully evaluate their policies and consider the introduction of both formal, or perhaps informal, rules about the use of company-owned equipment.’
He says that organisations must introduce effective technical safeguards that prevent apps from accessing company networks and data at the very least.
Tyer concludes, ‘It’s unlikely that everyone is going to start carefully reading terms and conditions, but knowing this information might be used against them could encourage workers to be more vigilant when clicking yes.’