As companies increasingly allow workers to use personal smartphones and tablets on the job, they are confronting a potential new security threat: malicious software embedded in games and apps.
App stores, the online marketplaces where consumers can buy programs for their devices, "are fast becoming the prime delivery mechanism for infected applications," says Dan Hoffman, who heads mobile-security efforts for Juniper Networks Inc.
Because consumers have free rein over what programs they download to their gadgets, the barrier to entry is low. Hackers simply hide their so-called malware within an attractive game or app, hoping to entice users to download it.
Once embedded, the malware goes to work. It may generate calls to for-profit phone numbers or send text messages to premium sites without the user's knowledge, steal passwords and other account numbers, or track a user's whereabouts.
The fear for businesses is that malware could be used to access corporate data that has been downloaded onto a personal device.
Devices powered by Google Inc.'s Android operating system were the prime target for malware last year because they dominated the smartphone market, says Juniper's Mr. Hoffman.
It isn't clear what threats, if any, emerged on Apple Inc. devices, because Apple's operating system is closed and outside security vendors aren't allowed to independently track threats.
Google says its app store, Android Market, is safer than it ever has been. It now scans apps for malware before making them available in the store, and the Android operating system has a feature that prevents the downloading of apps from third-party vendors. Still, users can turn that feature off.
Apple didn't respond to requests for comment. The firm has long vetted apps before allowing them in its App Store.
Security experts say apps are ideal vehicles for digital theft because even legitimate programs may request permission to access a user's email or social-networking accounts. And while smartphone software updates sometimes alert users to problem apps, they typically don't remove them from the device once they have been downloaded.
To keep company data safe, corporate information-technology managers traditionally have relied on virtual private networks requiring strong passwords, refreshed often. But Mr. Hoffman and other security-firm officials say companies need to step up their defenses.
To that end, dozens of security products have emerged that scan mobile devices for malicious apps before allowing them to connect to corporate networks. Some will wipe devices clean of corporate data if trouble emerges.
So far, malicious apps haven't emerged that can forward malware onto a company's server network, experts say. But as the devices multiply in the workplace, so will the threat.
"Phones are legitimate computing devices now, and companies need to treat them that way," says Brian Duckering, senior manager of endpoint and mobile management for Symantec Corp.
Mr. Jones, a reporter for The Wall Street Journal, is based in the U.S. Northwest. He can be reached at steve-d.jones@wsj.com.