Mobile apps have become the key focus for major brands to engage with a more technology driven customer base. While official apps can benefit both customer and brand, up to 90% of the apps are unofficial and a security risk according to RiskIQ.
It’s latest report titled “Who’s Minding the Store?” looks at the risk from digital channels to large UK organisations.
Taking the top 9 or 10 companies in Retail, Banking, Travel, Gambling and Media & Entertainment, RiskIQ looked at all the apps they could find that focused on those brands.
Mobile app usage is exploding
Across all the market sectors RiskIQ looked at, the number of mobile apps per brand has exploded over the last year. The report details the average number of apps per brand which is made up of official apps, unofficial apps and feral apps.
Fabian Libeau, Technical Director EMEA, RiskIQ explains the difference between the app categories as being: “Official apps are owned and maintained by the brand owner. Unofficial apps sit in a range of app stores but are now owned or maintained by the brand owner. A percentage of these are blacklisted as they are already known to be malicious. Feral apps are distributed by websites and are almost always malicious.”
When broken down by market sector the average per brand works out as:
- Retail – 2,000 apps per brand with 8% official and 89% unofficial. Around 15% (300) are blacklisted and this includes 3% (70) which are known to be feral apps.
- Banking – 588 apps per brand with 10% official and 88% unofficial. Around 10% (60) are blacklisted and this includes 2% (10) which are known to be feral apps
- Travel – 1,984 apps per brand with 7% official and 91% unofficial. Around 11% (222) are blacklisted and this includes 2% (36) which are known to be feral apps
- Gambling – 12,000 apps per brand with just 3% official and 93% unofficial. Around 18% (2,300) are blacklisted and this includes 3% (446) which are known to be feral apps
- Media & Entertainment – 3,400 apps per brand with 5% official and 91% unofficial. Around 17% (600) are blacklisted and this includes 5% (161) which are known to be feral apps
According to Libeau: “The high number of apps per brand is because we have looked worldwide and counted all the apps in different languages. Some retail brands have a lot of different apps around the things that they offer.”
Brand protection varies across industries
According to the report, banking has been much more successful in brand protection and enforcing takedown notices than other sectors. There are many reasons for this not least the fact that they have better security processes and more security staff per brand than other industries. Banking has also become far more image conscious over recent years and being a highly regulated industry has had to invest heavily in security and user protection.
By comparison online gambling is a complete wild west and the place where users are likely to lose more than just their shirt. According to research from Juniper Research referenced by RiskIQ, online gambling is expected to reach more than $62 billion globally by 2018. This means that it is likely that the number of malicious apps will continue to rise making this a very risky sector.
One sector not looked at in this report is Health. The emergence of Health Apps and wearable technology has resulted in an explosion of apps from vendors to help monitor health. This data is highly sensitive and it will be interesting to see how long it will take for cybercriminals to target the sector.
User risk has to outweigh brand risk
It is tempting to see this as a mainly a brand risk story but that would be to ignore many of the key issues. For example, given the number of unofficial apps in the non regulated industries, why are vendors not making more effort to have them removed or even carry a page on their website naming the apps and warning users?
For Libeau it is about manpower and skills. “Many of the companies we deal with lack the manpower and skills to deal with this issue. We have relationships with many of the unofficial app stores and the infrastructure to detect these applications. When we ask for an app to be removed it normally happens. Many of the companies would struggle to achieve this on their own.”
The risk to brand is very different to the risk to customers. Cybercriminals can use the malicious apps to scoop up payment card and bank details. For end users, the problem is understanding how their details were lost. The press focus is often on security breaches rather than on bad apps leaving customers unaware that they need to delete certain apps before they get their replacement payment cards and have those stolen as well.
These are not the only risks. Malicious apps, especially mobile games, are a key installation vector for malware which can then infect corporate computers. Travel apps show when people are away from their home which makes it easier for cybercriminals to publish details that burglars can use to plan their crimes.
The risk from illegal gambling apps is even more insidious. Cybercriminals can change the odds and quickly push someone into debt at which point they have the opportunity to blackmail them.
There is much to be concerned with here, not least the lack of brand and user protection that the leading companies in five major sectors are showing. Let’s hope this acts as a wake-up call to both companies and users who need to check where the app they are using came from.