Company’s data at risk due to the use of mobile gambling apps

Pierluigi Paganini September 03, 2015

Veracode has conducted research on the security of several mobile gambling apps and discovered a number of flaws that expose enterprises to serious risk.

If you work for a global corporation, you will most probably find that some of your colleagues have installed mobile apps that have nothing to do with the work environment; now a study says that some of these people are installing gambling apps on their work mobile devices, putting the company’s data at risk.

The security firm Veracode conducted an interesting analysis that led to this disconcerting conclusion about the mixed personal and business use of mobile devices.

Veracode scanned hundreds of thousands of mobile apps installed in corporate mobile environments; some of these companies had 35 mobile gambling apps in their environment.

The problem with these gambling apps is that they enlarge the company’s attack surface by leaving employees’ mobile devices open to cyber attacks. The researchers discovered critical vulnerabilities that could let hackers gain access to the device running the gambling app, then access corporate emails and call history and collect any kind of data from corporate repositories.

“Like it or not, corporate users are installing risky apps on their mobile devices, thereby increasing the attack surface and putting corporate data at risk as well as compromising the security of high-profile employees such as executives,” said Theodora Titonis, VP of mobile security at Veracode.

A casino app available on the market contains code that checks whether the device is rooted/jailbroken, has the ability to record video and audio from the device, and is vulnerable to man-in-the-middle attacks. That is all an attacker needs to sniff user information and gain access to employee communications.

In another case, a slot machine app doesn’t encrypt communication with its back-end servers, leaving the app vulnerable to cyber attacks: attackers can intercept the app’s traffic and extract user information such as gender, birthday, and other sensitive data.

Nearly ten gambling apps had full-permission access to the local file system and were able to open network connections to any server.

Veracode didn’t specify the names of the “flawed” apps, but we know that the study analyzed the following set of gambling apps:

Big Fish Casino, Gold Fish Casino Slots, GSN Casino, Heart of Vegas, Hit it Rich Casino Slots, Jackpot Party Casino, Slot Machines House of Fun, Slots Pharaohs Way, Texas Poker, Wonderful Wizard of Oz and Zynga Poker.


I think corporations and their employees can do better: they need to adopt an effective BYOD policy to regulate the use of mobile devices in work spaces and avoid risks. In this specific case it could be useful to implement application blacklisting and a strong MDM solution.
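The findings above (recording capability, broad file-system access, unrestricted and unencrypted network access) and the blacklisting/MDM remedy both come down to inspecting what an app declares and deciding whether it belongs on a corporate device. The following is an added example, not Veracode’s tooling or any MDM product’s code: it triages an Android manifest for the risk indicators the article describes and applies a simple BYOD rule. The two manifests and the package names are constructed, and the rule that anything other than an explicit `usesCleartextTraffic="false"` counts as allowing cleartext traffic reflects the platform default for apps targeting API levels below 28.

```python
"""Triage Android manifests for the risk indicators described in the article.

Added example, not Veracode's tooling: the manifests below are constructed,
the package names are fictitious, and the risk rules are this script's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups that map onto the article's findings.
NETWORK = {"android.permission.INTERNET"}
STORAGE = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
}
RECORDING = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"}

# Constructed manifest resembling the casino app described above (fictitious package).
CASINO_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.casino">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Casino"/>
</manifest>"""

# Constructed manifest of a minimal, well-behaved app: network only, cleartext disabled.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes" android:usesCleartextTraffic="false"/>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the declared permissions and a list of human-readable risk findings."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    cleartext = _attr(app, "usesCleartextTraffic") if app is not None else None

    findings = []
    if perms & RECORDING:
        findings.append("can record audio/video: " + ", ".join(sorted(perms & RECORDING)))
    if perms & NETWORK and perms & STORAGE:
        findings.append("network access combined with external storage access")
    # Anything other than an explicit "false" is treated as allowing cleartext
    # traffic (the platform default for targetSdkVersion < 28) - assumption.
    if perms & NETWORK and cleartext != "false":
        findings.append("cleartext network traffic not disabled")

    return {"package": root.get("package"), "permissions": sorted(perms), "findings": findings}


def policy_decision(report, blocklist):
    """Constructed BYOD rule: blacklisted packages are denied outright,
    anything with findings goes to manual review, the rest is allowed."""
    if report["package"] in blocklist:
        return "block"
    if report["findings"]:
        return "review"
    return "allow"


if __name__ == "__main__":
    blocklist = {"com.example.casino"}  # constructed application blacklist
    for manifest in (CASINO_MANIFEST, CLEAN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], policy_decision(report, blocklist))
        for finding in report["findings"]:
            print("  -", finding)
```

The permission sets are deliberately small; a real MDM policy would also consider runtime permission grants and the app’s network security configuration, neither of which is visible from the manifest alone.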

Companies need to educate their employees with awareness campaigns on cyber threats, teaching them the best practices to mitigate risks.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He had previous experiences in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – IoT, Shodan)
