Hackers target work apps through employees’ phones, study shows
Corporate-owned and bring your own device (BYOD) mobile phones are becoming a key target for hackers, according to a new study released on Monday.
The study, by cyber security firm McAfee, said that nearly one-fourth (23%) of the threats McAfee identified were in the “Tools” app category. According to the report, work-related mobile apps such as PDF editors, virtual private networks (VPNs), messaging managers, document scanners, battery boosters, and memory cleaners are great productivity boosters.
At the same time, these types of apps are targeted for malware because people expect them to require permissions on their phone. Requests for access to storage, messaging, calendars, contacts, location, and even system settings are not unusual for such apps, and those permissions enable scammers to retrieve all sorts of work-related information, the report said.
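A defender's check that follows from this point: compare the permissions an app declares with what its tool category plausibly needs, and flag the excess. This is an added example, not part of the McAfee report or the article; the category-to-permission mapping and the sample manifest are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission names (real) grouped into the data classes the article lists.
SENSITIVE = {
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_SMS": "messaging",
    "android.permission.RECEIVE_SMS": "messaging",
    "android.permission.READ_CALENDAR": "calendars",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.WRITE_SETTINGS": "system settings",
}

# Assumed baseline: which data classes each tool category legitimately needs.
EXPECTED = {
    "pdf_editor": {"storage"},
    "document_scanner": {"storage"},
    "battery_booster": set(),
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name listed in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]


def flag_overreach(manifest_xml: str, category: str) -> list[tuple[str, str]]:
    """List (permission, data class) pairs the category has no obvious need for."""
    expected = EXPECTED[category]
    findings = []
    for perm in declared_permissions(manifest_xml):
        group = SENSITIVE.get(perm)
        if group and group not in expected:
            findings.append((perm, group))
    return findings


# Constructed manifest for a supposed PDF editor that also wants SMS and contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfeditor">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for perm, group in flag_overreach(SAMPLE_MANIFEST, "pdf_editor"):
        print(f"{perm}: {group} access is not expected of a PDF editor")
```

The same check can be run over a fleet's app inventory (the manifest is available from any APK) to spot the permission patterns the report describes before a device with such an app reaches corporate resources.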
“This is becoming an ultimate target for land-and-expand attacks,” said McAfee researchers, explaining that “an attack on a mobile device sets the stage for another attack on a back-end system or cloud application”.
A typical corporate user’s mobile device may have business email, a unified communications application such as Slack or Teams, and a Salesforce or other customer relationship management (CRM) client. When attackers compromise such a device, they have full access to corporate network resources, as if they were authorised users of the device, the study said.
Another study, published by IT networking giant Cisco in January this year, showed that companies face a high risk of hacking because eight out of 10 employees use unregistered devices to connect to company networks. Registered devices, including laptops and mobile phones, have been verified by IT teams using digital certificates and have the right security tools built in. Unregistered devices are not verified and may carry vulnerabilities that hackers can exploit; when employees use such devices to connect to company systems, attackers can use those vulnerabilities to reach the systems themselves.
The McAfee study further said that even "seemingly legitimate" apps can create an opportunity for scammers, who use fraudulent messages to trick users into clicking a malicious link and sharing login credentials, account numbers, or personal information. While such messages have often contained spelling or grammar errors or odd phrasing, the emergence of AI tools like ChatGPT can help scammers clean up these errors, making scam messages tougher to spot and allowing hackers to make use of the situation.
Rahul Aggarwal, cyber security expert and partner at PwC, told Tech Circle that “while BYOD creates better convenience for employees as we’ve seen over the last three years, it has put thousands of devices on corporate networks, increasing the risk factor.” “It is more about the maturity of a company in how it invests in security solutions, creates policies and gives access to employees and other stakeholders,” he said.
To keep mobile users and sensitive corporate resources safe, McAfee researchers likewise believe that IT teams must know how attacks on mobile applications take place and proactively defend against them. They agreed that as an organisation's use of BYOD and corporate devices evolves, so must the mobile security strategies it uses to secure its employees.