
Mobile Gambling Apps Expose Enterprise Data: Report

The number of gambling applications installed on mobile devices used in corporate environments is on the rise, which creates an increasingly favorable environment for data theft and other types of cyberattacks, a recent report from enterprise security company Veracode shows.

According to Veracode, on average, multiple gambling apps are installed in an enterprise environment, and many of these programs are plagued by critical vulnerabilities that can result in privacy breaches and enterprise data theft.

The company notes that the issues often reside in the way the applications are built, as some come with adware or weak encryption, which could allow cybercriminals to access user information such as contacts, emails, call history, or phone location.

Mobile gambling apps are often offered for free, but include advertising software development kits (SDKs) that send user information to third-party servers and can allow outsiders to track individuals and steal corporate intellectual property.

Data from Veracode’s cloud-based platform revealed that some enterprise environments contain as many as 35 unique gambling apps, and showed that unsafe slots, poker, blackjack and bingo apps are being used on corporate devices.

The company found a popular casino app to be vulnerable to man-in-the-middle (MitM) attacks, potentially allowing cybercriminals to eavesdrop on its traffic. The same app also checks whether the device is rooted or jailbroken; on such a device, Veracode says, it could disable anti-malware software, view banking passwords and other cached credentials, and even replace firmware.

Veracode also discovered a slots application that uses unencrypted HTTP to communicate with back-end cloud services, potentially exposing user information in transit, and that downloads encrypted data without the user’s permission. Overall, Veracode found ten digital gambling apps that can read, write and delete local files and can also directly access network functions, allowing them to connect to arbitrary servers.

“Like it or not, corporate users are installing risky apps on their mobile devices, thereby increasing the attack surface and putting corporate data at risk as well as compromising the security of high-profile employees such as executives,” said Theodora Titonis, VP of mobile security at Veracode.

Popular attacks on mobile devices include Remote Access Trojans (RATs) and man-in-the-middle (MITM) attacks for accessing user data or eavesdropping, ransomware for restricting access to devices, and fake certificates for side-loading malicious apps, industry research shows.

According to a Juniper Research report, smartphone and tablet owners are estimated to place over $60 billion in bets through casino-type gambling apps by 2018, while Gartner suggests that enterprise users download and install apps that have little security assurances and that 75 percent of mobile apps will fail basic security tests this year.

Veracode’s study analyzed mobile gaming apps including Big Fish Casino, Gold Fish Casino Slots, GSN Casino, Heart of Vegas, Hit it Rich Casino Slots, Jackpot Party Casino, Slot Machines House of Fun, Slots Pharaohs Way, Texas Poker, Wonderful Wizard of Oz, Zynga Poker, and others.

Mobile gambling applications are certainly not alone in the risks they pose to corporate data. Just about any poorly designed or maliciously developed app can be risky.

Earlier this year, IBM’s Application Security Research Team conducted a study of 41 popular dating applications for Android and determined that more than 60 percent of them are potentially vulnerable to cyberattacks.

“Mobile applications can pose serious risk to enterprise data, customers and security in general, so it is especially important for organizations to be able to identify these apps,” Adam Ely, Founder and COO of Bluebox, wrote in a 2014 SecurityWeek column.

“The first step is to determine if the application is genuine in intention or malicious. It’s difficult to establish the threat without knowing the application’s intent,” Ely continued. “Moreover, mobile malware is often a lesser threat than insecurities in legitimate applications. As such, when identifying risky apps, we must also look at the legitimate applications that have good intent, but may not be as secure as we need them to be.” 

So how can IT and security teams determine what apps could be harmful?

According to Ely, some characteristics of mobile apps that should be evaluated include the security posture of the application, how the application handles data storage, how or if the application writes to disk, whether data (especially sensitive or PII data) is encrypted, and how long data resides on the device or whether it purges data after it’s utilized.
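As an added example, and not Veracode’s or Bluebox’s own tooling, the following Python script applies several of the criteria above to an app’s decoded AndroidManifest.xml: which permissions mapping to the data classes named in the report (contacts, call history, location, local files, network) the app requests, whether Android will let it speak cleartext HTTP to its back end, and whether it combines personal-data access with network access, the pattern behind the advertising SDKs described earlier. The two manifests, the permission weights and the verdict thresholds are constructed for this example; it assumes the manifest has already been decoded from the APK (for instance with apktool) and is passed in as text.

```python
"""Triage an Android manifest against the app-vetting criteria discussed above.

Added example, not Veracode's or Bluebox's tooling. Assumes the manifest has
already been decoded from the APK (e.g. with apktool) and is supplied as text.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission -> (what it exposes, risk weight). Weights are illustrative
# and should be tuned to the organisation's own data-classification policy.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": ("contacts", 3),
    "android.permission.READ_CALL_LOG": ("call history", 3),
    "android.permission.GET_ACCOUNTS": ("account and email identities", 2),
    "android.permission.ACCESS_FINE_LOCATION": ("precise location", 3),
    "android.permission.ACCESS_COARSE_LOCATION": ("approximate location", 2),
    "android.permission.READ_EXTERNAL_STORAGE": ("reading local files", 1),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("writing/deleting local files", 2),
    "android.permission.INTERNET": ("connecting to arbitrary servers", 1),
}
# Permissions that expose personal data (as opposed to files or the network).
PERSONAL_DATA = {p for p, (_, w) in RISKY_PERMISSIONS.items()
                 if w >= 2 and "STORAGE" not in p}


def cleartext_allowed(root) -> bool:
    """True if the app may talk plain HTTP.

    Android allows cleartext by default when targetSdkVersion < 28 and denies
    it from 28 on, unless android:usesCleartextTraffic says otherwise.
    """
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    flag = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
    if flag is not None:
        return flag.lower() == "true"
    return target < 28


def analyze_manifest(manifest_xml: str) -> dict:
    """Return a risk score, verdict and human-readable findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    granted = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings, score = [], 0
    for perm, (what, weight) in RISKY_PERMISSIONS.items():
        if perm in granted:
            findings.append(f"{perm.rsplit('.', 1)[-1]}: {what}")
            score += weight
    if cleartext_allowed(root):
        findings.append("cleartext HTTP permitted: back-end traffic can be read "
                        "or altered in transit")
        score += 3
    app = root.find("application")
    if app is not None and app.get(ANDROID + "networkSecurityConfig"):
        # The referenced XML can re-enable cleartext per domain or trust user CAs;
        # the manifest alone cannot settle it, so flag it for manual review.
        findings.append("custom network_security_config present: review it for "
                        "per-domain cleartext or user-added CA trust")
    if "android.permission.INTERNET" in granted and granted & PERSONAL_DATA:
        findings.append("personal-data permissions plus network access: data can "
                        "leave the device (advertising SDK pattern)")
        score += 2
    verdict = "block" if score >= 8 else "review" if score >= 4 else "allow"
    return {"package": root.get("package"), "score": score,
            "verdict": verdict, "findings": findings}


# Constructed sample: a free slots app targeting an old SDK with broad permissions.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.slots">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="26"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Slots">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample: the same app built the way a vetting team would want it.
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.slots">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Slots" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        report = analyze_manifest(manifest)
        print(name, report["package"], report["score"], report["verdict"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the first manifest the script reports a "block" verdict with six findings (four permissions, permitted cleartext, and the personal-data-plus-network combination); the hardened manifest scores only the INTERNET permission and is allowed. The manifest is a static signal only: an app can still pin no certificates or disable TLS validation in code, which is what makes the MitM finding above possible, so a "review" or "allow" here is a triage result, not a clean bill of health.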

“No mobile app is an island,” Ely said.
