How to Fight Zombie App-ocalypse
"Zombie" apps are an often overlooked BYOD security threat. User education and application whitelisting can reduce risks associated with these dead and stale apps.
By Vidhya Ranganathan, Accellion
Like a George Romero-inspired horror movie, the cyber app-ocalypse is upon us. A new threat is emerging in the world of mobile enterprise BYOD, and it is not related to compliance issues or phishing emails. Dead apps, or apps that once thrived in large-scale app stores but are no longer supported or useful, can harbor vulnerabilities that hackers can exploit to implant malware.
When such apps are left on devices, they present an open door for hackers. At present there are no systems in place on Google Play, the Apple App Store or the Microsoft Windows Store to alert users when apps become unsupported.
Various scenarios can lead someone to download and then ignore a once useful app. Most of these situations follow a similar path: An app is used only once or perhaps a handful of times and then completely forgotten.
Imagine Sara, a product manager who attends a big conference in Chicago. It's her first time in town so she downloads the conference app, which provides helpful information about the event, a list of local restaurants and transportation services. At week's end she returns to her office in Orlando and quickly forgets about the app. The app's icon appears on the last screen of her phone, so it's easy to overlook. Occasionally she opens the app to dig up information about a contact from the conference.
One day, about six months after the conference, she launches the app, visits some of its custom Web content and is hit with a malware infection that hackers have embedded in the old, long-ignored pages of the conference website. Sara's smartphone now harbors a key-logger, which hackers can use to gain access to her login credentials and more.
Dead apps are not the only kind of unsupported mobile apps that harbor risks. Stale apps, older (read: unpatched) versions of apps that are still available in app stores, pose similar risks to dead apps.
Because stale apps are neglected and unpatched or become dead apps when they're no longer available in app stores, they lack critical security updates and are therefore easy targets for hackers to access personal or sensitive information. A user running version 1.7 of a stale app might be missing critical security updates that were included in versions 2.0 and 2.1.
In fact, these security vulnerabilities may lead to a stale app being re-classified as a dead app, prompting its removal from an app store. The problem is the app may have already contained malware, thus the damage has already been done.
How to Mitigate Zombie App Risks
Enterprise IT must remain vigilant and protect against the security dangers caused by "back from the dead" apps. So what can enterprises do to mitigate the security threat from stale and dead apps?
IT departments can proactively guard against unused or out-of-date apps by educating employees on the potential dangers of keeping them on their devices. They should encourage employees to regularly update apps when newer versions are made available or to delete them from their devices when they're no longer being supported by their developers.
IT departments can also implement a security solution that enforces a mobile app whitelist to monitor and prevent risky or infected apps from being stored and shared across internal networks. The whitelist allows only apps approved by the IT organization to access specific content located in protected folders and workspaces on mobile devices and desktops.
The whitelist also ensures that users never use questionable or infected apps to access content, which might then be uploaded to servers or shared across internal networks.
While many enterprises remain hung up on BYOD as a vector for hacks, they fail to realize the hacking gateway caused by dead or stale apps. Thankfully, there are precautions organizations can take to protect their critical data. Whatever safety measures are implemented, do not let an "out of sight, out of mind" mentality expose sensitive personal or corporate data to a zombie app-ocalypse.
Vidhya Ranganathan is senior vice president of Products at Accellion, a provider of enterprise mobile solutions that enable increased productivity and security.
September 14, 2015
Reduce the likelihood of having your mobile device hacked by using two-factor authentication.