IT security specialists working with small and medium-sized businesses are well aware of the potential pitfalls of a BYOD approach to provisioning employees with mobile handsets and tablets. The need for such awareness was underlined this month by news that the Apple App Store's efforts to keep out malware did not manage to stop an app known as ‘Find and Call’ from being listed. The same app also made its way into the Google Play marketplace, with the result that Android as well as iOS devices became exposed to the Trojan.
The problem with Find and Call is that it includes a feature known as ‘find your friends’. Unlike most such functions, which run only at the discretion of the phone's owner, Find and Call carries out the function automatically. The result is that the phone's contact list is uploaded to servers that are maintained and controlled by the authors of the app.
IT risk management for business should take into account the disturbing behavior exhibited by the Find and Call app. Not only is the user's permission never requested for the harvesting of personal data, but the program's terms of service and EULA (end user license agreement) make no mention that the application will behave in a way associated with malware. Nor should users' concerns end there. According to senior malware analyst Denis Maslennikov of Kaspersky Lab, the app also reads the phone's GPS coordinates and logs them. This log is then uploaded as well.
Perhaps even more disturbingly, the Find and Call server proceeds to harvest phone numbers from the contact lists it receives. These numbers are then used to send text messages urging others to give the Find and Call application a try. A ‘handy’ link is provided to facilitate the spread of the program.
This last behavior has strong implications for small and medium-sized businesses. Should a customer contact list be compromised, the result could be that hundreds or thousands of clients are sent unwanted texts. This can cause a business to become associated with unprofessional conduct and could bring IT security provisions into serious question, possibly even causing some customers to pull their business from the firm.
One solution for BYOD organizations is to transition to a managed programs model for IT support. With a managed programs approach, the business will have an additional ‘gatekeeper’ helping to control what apps are loaded onto phones and devices allowed to connect to the company network.