Millions of mobile app gamers are exposing themselves to social engineering by granting apps access to, and sometimes control over, their devices.
A study by AppRiver found that the top games in Google's Play Store, with millions of downloads worldwide, request permissions for full network access and for reading the contents of device storage. The data those permissions expose can be used by attackers to craft tailored scams capable of tricking even the most security-savvy users.
Researchers examined the permissions requested by the top five apps in each of Google's Play Store's Top Charts.
Even users who read the fine print at install time will find that every app carries the same disclaimer: “Updates to [INSERT NAME OF APP] may automatically add additional capabilities within each group.” In other words, once you accept a permission group, an update can add further permissions within that group without prompting you again, so the permissions you agreed to at install time are not necessarily the permissions the app holds today. That is a security risk in its own right.
Other notable permission requests the research identified include:
YouTube personality Felix “PewDiePie” Kjellberg's app, PewDiePie's Tuber Simulator, has gained millions of downloads in recent weeks and lets players chase success by creating their own viral videos. Yet the app requests 15 permissions, including full network access.
Rolling Sky requests 13 permissions, including the ability to read, modify or delete the contents of USB storage.
FIFA Mobile Soccer has the ability to use accounts on the user's device.
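The audit AppRiver describes, listing what an app declares and spotting what an update quietly adds within an already-accepted group, can be reproduced against an app's AndroidManifest.xml. The script below is an added example written for this article, not AppRiver's tooling and not code from any of the games named above. The two manifests are constructed samples, the mapping from permission constants to Play Store labels and groups is assumed and hard-coded, and the Play Store label names for GET_ACCOUNTS and USE_CREDENTIALS are given from memory rather than taken from the article.

```python
"""Audit the permissions an Android app declares and diff two versions.

Both manifests are constructed samples for this example. The permission
group mapping is an assumption that mirrors the Play Store group model the
article's disclaimer refers to; it is not an official table.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission constant -> (Play Store group, Play Store label). Assumed mapping.
PERMISSION_GROUPS = {
    "android.permission.INTERNET": ("Network", "full network access"),
    "android.permission.ACCESS_NETWORK_STATE": ("Network", "view network connections"),
    "android.permission.READ_EXTERNAL_STORAGE": ("Storage", "read the contents of your USB storage"),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("Storage", "modify or delete the contents of your USB storage"),
    "android.permission.GET_ACCOUNTS": ("Contacts", "find accounts on the device"),
    "android.permission.USE_CREDENTIALS": ("Accounts", "use accounts on the device"),
    "android.permission.READ_PHONE_STATE": ("Phone", "read phone status and identity"),
}

# Constructed sample: version 1 of a hypothetical game's manifest.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed sample: version 2 adds two in-group permissions and one new group.
NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def describe(permission):
    """Map a permission constant to its (group, label).

    Unknown permissions are treated conservatively as their own group so that
    they are always reported as needing a fresh prompt."""
    return PERMISSION_GROUPS.get(permission, (permission, permission))


def audit(manifest_xml):
    """Return {permission: (group, label)} for everything the manifest declares."""
    return {p: describe(p) for p in declared_permissions(manifest_xml)}


def update_drift(old_xml, new_xml):
    """Split the permissions an update adds into those inside a group the user
    already accepted ("silent", no new prompt under the group model) and those
    in a new group ("prompted")."""
    old = set(declared_permissions(old_xml))
    new = set(declared_permissions(new_xml))
    accepted_groups = {describe(p)[0] for p in old}
    added = sorted(new - old)
    silent = [p for p in added if describe(p)[0] in accepted_groups]
    prompted = [p for p in added if describe(p)[0] not in accepted_groups]
    return {"silent": silent, "prompted": prompted}


if __name__ == "__main__":
    for perm, (group, label) in audit(NEW_MANIFEST).items():
        print("%-45s %-9s %s" % (perm, group, label))
    print(update_drift(OLD_MANIFEST, NEW_MANIFEST))
```

Running it against the two constructed manifests reports the storage-write and network-state permissions as silent additions (their groups were accepted with version 1) and the accounts permission as the only one that would trigger a new prompt. To run it against a real APK, extract the manifest with a tool such as apktool and feed the decoded XML to `audit` and `update_drift`.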
“We know criminals are collecting information from social network sites, such as Facebook and LinkedIn, to launch targeted attacks and this is potentially another avenue for them to exploit,” said Jim Tyer, EMEA channel director at AppRiver. “Businesses need to carefully evaluate their policies and consider the introduction of both formal, or perhaps informal, rules about the use of company-owned equipment. Organisations must introduce effective technical safeguards that prevent apps from accessing company networks and data at the very least. In tandem, user education is critical so that employees are not just aware but fully comprehend the potential hazards of social engineering and how it can be used to launch attacks against the company.”