More mobile app security headaches have popped up, including a new one discovered by mobile security firm Zimperium that not only steals data, but can silently control mic and camera as well as secretly delete security apps.

IT has, for the most part, gotten fairly decent at controlling apps on corporate-owned devices, but safeguards about apps being added after they are issued to employees is weaker than it should be. When it comes to BYOD devices, which are owned by employees and contractors, IT and security admins need to get far more strict.

Most mandate a variety of (more or less) secure enterprise apps for functionality, as well as critical security apps for protection. That’s where things get sticky. How far can — and should — the IT and security folks go in protecting corporate data, networks and devices?

On the one hand, the device is owned by the employee/contractor and they seemingly have the right to download whatever app they want. But does that right have a limit when it threatens the security of the enterprise? Is partitioning enterprise systems enough? (You already know the answer: No, of course it’s not enough.) Once a malware app gains control of the device, it typically can access everything or almost everything.

Let’s look at the latest threat.

“Unlike other spyware campaigns that typically take advantage of on-device vulnerabilities, this campaign, known as PhoneSpy, hides in plain sight on victims’ devices, masquerading as legitimate Android lifestyle apps, from TV streaming to yoga instruction. In reality, however, the spyware is stealthily exfiltrating data from the victim’s device, including login credentials, messages, precise granular location and images. PhoneSpy is also capable of uninstalling any apps, including mobile security apps,” noted an excellent report in TechCrunch.

Copyright © 2021 IDG Communications, Inc.