Shadowy IT: Mobile Gambling Apps Pose Security Risks in Enterprise

Mobile gaming applications are common in enterprise mobile environments - and pose security risks, Veracode reports.
Mobile gaming applications are common in enterprise mobile environments – and pose security risks, Veracode reports.

In-brief: Mobile gambling applications are becoming common in enterprise mobile environments, posing a risk to enterprise security and the security of enterprise data, the security firm Veracode reports. 

In what might be considered the “hangover” to the party that is the “bring your own device” phenomenon, mobile gambling applications are becoming common in enterprise mobile environments, posing a risk to enterprise security and the security of enterprise data, the security firm Veracode reports.

Veracode tested mobile applications with names like Big Fish Casino, Gold Fish Casino Slots, Heart of Vegas, Texas Poker, Wonderful Wizard of Oz and Zynga Poker. The company found a slew of suspicious and troubling behaviors, including at least one mobile application that could record audio and video, mobile adware features, trivial and exploitable software vulnerabilities and weak- or no encryption of data to and from the mobile applications. If left unchecked, the mobile gambling applications could open a door to network compromise and data theft, Veracode warned.

The company, which sells mobile application security testing services, compiled the report from the results of “hundreds of thousands of scans of mobile apps installed in actual corporate environments.” While mobile applications for gambling were no less secure than mobile applications in general, that’s not saying much. Veracode said three quarters of mobile applications fail standard security scans such as checks for OWASP Top 10 vulnerabilities.

The company did observe common and insecure behavior in the mobile gambling applications it did test. According to the company, one mobile gambling application appeared to test whether the phone on which it was installed had been jailbroken. On phones that had, the app would attempt to disable anti-malware, replace firmware or view cached credentials such as banking passwords. The same application had features to record audio and video and access user identity information, Veracode reported.

Another mobile gambling application used unencrypted HTTP traffic to communicate with cloud-based management services, exposing user data to casual man in the middle attacks. Ten of the mobile gambling applications Veracode tested sported features to read, write and delete local files and leverage networking features on the phone that could allow them to make connections to arbitrary servers and receive data from external sources.

Smart phones are ubiquitous in corporate environments, but often fall outside the purview of IT departments and enterprise monitoring tools. Still, the devices store sensitive company data – from corporate documents to e-mail – and frequently harbor malicious software. Palo Alto Networks and the firm WeipTech recently published research linking mobile malware that runs on jailbroken Apple iPhones to the theft of credentials to over 225,000 Apple accounts.

That malware affected iPhone users in 18 countries including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea, the companies said.

The firm GData also released a report this week suggesting that smart phones manufactured by Huawei, Lenovo and Xiaomi were being outfitted with malware prior to being sold to consumers. That same report found a 27 percent increase in mobile malware samples for Google’s Android platform from the first quarter of 2015.

Companies that want to control mobile application use within their environments typically adopt mobile device management platforms that can enforce policies on employees phones using application “white” and “black lists,” Veracode notes.

 

Comments are closed.