October 13, 2015

Risky v. Malicious apps: How they're different & why you need to care about both

By Lookout

There’s a hidden challenge enterprises face when securing mobile devices: some apps that are legitimate and useful in a personal context may introduce a major risk for an enterprise.
While it may not be immediately evident, there are in fact two different categories of applications that are harmful to an enterprise: malicious apps and risky apps.
As the person responsible for securing mobile devices in your enterprise, you must focus on the apps that intend to do harm without forgetting those that are not intentionally harmful but still introduce risk. What’s the difference?
Malicious apps
Malicious apps set out to harm a device or the data on the device. They often steal user data, commit financial fraud, negatively impact device performance, and more. Whether or not they are actually able to execute their malevolent aim, malicious apps are defined by their intent.
Take, for example, a piece of malware called BankMirage. The creators cloned an Israeli bank’s mobile app in an effort to trick victims into believing the app was real. After victims downloaded the app, it phished their banking login username.
AndroRATIntern is another example of a malicious app. This malware, in the form of an app called Android Analyzer, took advantage of the Android accessibility API in order to steal data specifically from a popular Japanese messaging platform.
Risky apps
Risky apps, on the other hand, are apps that may not be a binary “good” or “bad,” but whose activity an enterprise may deem risky given its own risk tolerance.
For example, apps that collect location data may pose great risk to an enterprise or government organization deploying employees to sensitive locations.
Another example is a doctor working for a healthcare organization. She might store sensitive patient information in her phone’s contacts and will want to restrict apps that access contact information in order to retain HIPAA compliance.
We think Craig Shumard, the former CISO of Cigna (who is also a consultant for Lookout), puts it well: “If you’re an enterprise that supports BYOD, this kind of ‘annoying threat’ should sound alarms … The fact that contacts and personally identifiable information is taken puts your employees and your proprietary secrets, your competitive edge, at risk.”
Which apps an enterprise deems risky is highly dependent on the company’s industry vertical and the kinds of data mobile devices have access to. Progressive organizations are even adjusting risk level based on the individual employee. For example, a factory line worker or a software engineer may have a different risk level than the CFO, and a blanket policy across the organization would be considered too restrictive.
You need to see both
IT departments should understand the nuances between malicious and risky apps and implement security technologies that provide visibility into and protection against both. You want to know and define what kinds of apps pose risk to your company, and have a product that gives you visibility into both those apps and the malicious apps it has already identified.
Want to continue learning about these nuances and more? Read our Why Mobile Security whitepaper.

3 comments


Robert Williams says:

September 16, 2016 at 11:56 pm

I believe someone has deleted files and contacts from my phone...


Meghan Kelly says:

September 20, 2016 at 11:02 am

Hi Robert, I'm not sure what's going on here, unfortunately. Would you please reach out to our support team? support [at] lookout [dot] com


Curious says:

October 17, 2015 at 10:33 am

Sorry you say, "After victims downloaded the app, it phished their banking login credentials", however the link referenced says only the username is taken? Is this really phishing your banking login credentials?


Meghan Kelly says:

December 08, 2015 at 2:08 pm

BankMirage only phishes username, that is correct! I've updated the post to reflect that a little more directly. Thanks for the note.


John says:

October 14, 2015 at 8:09 am

Great article. I also found value in the whitepaper. Thank you guys!