Unsanctioned software and applications running on corporate mobile devices is a security nightmare. These can range from meeting genuine business needs—commonly referred to as Shadow IT—such as efficient, remote communication with colleagues or corporate document management via downloadable messaging and file sharing apps, to using apps for non-work-related lifestyle or entertainment purposes such as socializing, fitness, gaming, and watching sports.
“Unmanaged, personal apps on corporate devices introduce numerous vectors and vulnerabilities for exploitation, including avenues for data exfiltration, cyberattack, surveillance of employee activity from a malicious third party, and so many other things that we see as potential risks to organizations,” Steve Turner, security and risk analyst at Forrester, tells CSO. “These apps aren’t vetted by the organization and can expose employees to a variety of different data, privacy, and other policies that they’ve inadvertently agreed to by downloading and using them.”
The risks posed to businesses by unsolicited apps have intensified since the outbreak of the COVID-19 pandemic and subsequent move to mass remote working, says Kelvin Murray, senior threat researcher at Webroot. “With fewer face-to-face meetings and interactions, employees are looking for new methods to communicate without the formality of an email or Teams call,” he says. “However, with new attack tactics, exploits, and tools emerging through unsolicited apps, mobile devices and apps have never posed as great a threat to organizations as they do now.”
Murray says users tend to disbelieve that cybercriminals will target them, but these apps often request a lot of access to personal information or integration with privileged accounts. “They can be quite effective threat vectors for cunning attackers.”
Popular attacks on mobile devices include remote access Trojans (RATs) and man-in-the-middle (MITM) attacks for accessing user data or eavesdropping, ransomware for restricting access to devices, and fake certificates for side-loading malicious apps, adds Dominic Grunden, CISO at financial service platform Wave Money.
