If you work for a global corporation, you will most likely find that some of your colleagues have installed mobile apps that have nothing to do with work, and a new study reports that some of them are installing gambling apps on their work mobile devices, putting the company’s data at risk.
The security firm Veracode conducted an analysis that led to this disconcerting conclusion about the mixed personal and business use of mobile devices.
Veracode scanned hundreds of thousands of mobile apps installed in its customers’ corporate mobile environments; some of these companies had 35 mobile gambling apps in their environment.
The problem with these gambling apps is that they enlarge the company’s attack surface by leaving employees’ mobile devices open to cyber attacks. The researchers discovered critical vulnerabilities that could allow attackers to gain access to the device running the gambling app and then read corporate emails, call history and any kind of data stored in corporate repositories.
“Like it or not, corporate users are installing risky apps on their mobile devices, thereby increasing the attack surface and putting corporate data at risk as well as compromising the security of high-profile employees such as executives,” said Theodora Titonis, VP of mobile security at Veracode.
A casino app available on the market contains code that checks whether the device is rooted/jailbroken, has the ability to record video and audio from the device, and is vulnerable to man-in-the-middle attacks. This is all an attacker needs to sniff user information and access employee communications.
In another case, a slot machine app doesn’t encrypt communication with its back-end servers, leaving the app vulnerable: attackers can intercept the app’s traffic and extract user information such as gender, birthday and other sensitive data.
Nearly ten gambling apps had access to the local file system with full permissions and were able to open network connections to any server.
Veracode didn’t specify the names of the “flawed” apps, but we know that the study analyzed the following set of gambling apps:
Big Fish Casino, Gold Fish Casino Slots, GSN Casino, Heart of Vegas, Hit it Rich Casino Slots, Jackpot Party Casino, Slot Machines House of Fun, Slots Pharaohs Way, Texas Poker, Wonderful Wizard of Oz and Zynga Poker.
I think corporations and their employees can do better: they need to adopt an effective BYOD policy that regulates the use of mobile devices in the workplace and reduces risk. In this specific case, it could be useful to implement application blacklisting together with a strong MDM solution.
Companies also need to educate their employees with awareness campaigns on cyber threats, teaching them the best practices to mitigate risks.
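The kind of check an application-blacklisting process on top of an MDM inventory would run, as an added example that is not part of the article and not Veracode’s tooling: each installed app reported by a managed device is scored against a denylisted category (gambling), an unencrypted-traffic flag, and the permission combinations the study describes (audio/video capture plus network access, local file system plus network access). The package names, device names and the sample inventory are constructed for illustration; the permission strings are standard Android ones.

```python
"""Score a fleet's installed-app inventory for MDM-style application blacklisting.

Assumes the MDM exports, per device, each app's package name, store category,
declared permissions and whether the manifest allows cleartext traffic.
The inventory below is constructed sample data; package names are hypothetical.
"""
from dataclasses import dataclass

NET = "android.permission.INTERNET"
CAPTURE_PERMISSIONS = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"}
STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
DENYLISTED_CATEGORIES = {"gambling"}


@dataclass(frozen=True)
class InstalledApp:
    package: str
    category: str
    permissions: frozenset
    cleartext_traffic: bool  # True when the app talks to its back end without TLS


@dataclass(frozen=True)
class Finding:
    device: str
    package: str
    score: int
    reasons: tuple


def assess(app: InstalledApp):
    """Return (score, reasons) for one app; higher score means riskier."""
    score, reasons = 0, []
    if app.category in DENYLISTED_CATEGORIES:
        score += 5
        reasons.append(f"category '{app.category}' is denylisted by policy")
    if app.cleartext_traffic:
        score += 3
        reasons.append("allows cleartext (unencrypted) network traffic")
    # Capture plus network: the app can record the user and send it somewhere.
    if app.permissions & CAPTURE_PERMISSIONS and NET in app.permissions:
        score += 2
        reasons.append("can record audio/video and reach the network")
    # Storage plus network: local files (including downloaded corporate data) can leave the device.
    if app.permissions & STORAGE_PERMISSIONS and NET in app.permissions:
        score += 2
        reasons.append("has local file system access plus network access")
    return score, tuple(reasons)


def audit(inventory: dict, threshold: int = 3):
    """Flag every app at or above the threshold, riskiest first."""
    findings = []
    for device, apps in inventory.items():
        for app in apps:
            score, reasons = assess(app)
            if score >= threshold:
                findings.append(Finding(device, app.package, score, reasons))
    findings.sort(key=lambda f: (-f.score, f.device, f.package))
    return findings


def devices_needing_action(findings):
    """Devices with at least one flagged app, for the MDM remediation queue."""
    return sorted({f.device for f in findings})


# Constructed sample inventory (hypothetical devices and packages).
SAMPLE_INVENTORY = {
    "exec-phone-01": [
        InstalledApp("com.example.casino", "gambling",
                     frozenset({NET, "android.permission.RECORD_AUDIO",
                                "android.permission.CAMERA",
                                "android.permission.WRITE_EXTERNAL_STORAGE"}), True),
        InstalledApp("com.example.mail", "productivity",
                     frozenset({NET, "android.permission.READ_EXTERNAL_STORAGE"}), False),
    ],
    "sales-phone-07": [
        InstalledApp("com.example.slots", "gambling", frozenset({NET}), True),
        InstalledApp("com.example.maps", "navigation",
                     frozenset({NET, "android.permission.ACCESS_FINE_LOCATION"}), False),
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.device}: {f.package} (score {f.score})")
        for r in f.reasons:
            print(f"    - {r}")
    print("devices needing action:", devices_needing_action(audit(SAMPLE_INVENTORY)))
```

The threshold keeps a corporate mail client with storage and network access (score 2) out of the report while still flagging both gambling apps; the denylist weight alone exceeds the threshold, so category blocking works even for an app that declares nothing unusual.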
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – IoT, Shodan)