Corporate phones are for work

September 14, 2016

Hold on to your hats for this shocker: Companies are staffed with actual humans who have their own interests, habits, and quirks. Some can’t work without music, others compulsively check to see if their ships are back with loot in a slow-paced online game. And these days, indulging their humanity at the workplace is easier than ever. Just about everyone has a smartphone, and app stores are packed with entertainment apps to suit every taste.

Employers approach this issue in different ways. Some companies take a hard line, with policies enforcing the ideal that the workplace is for work alone; and they prohibit any irrelevant activities during work hours, enforcing with the threat of termination. Some more broadminded bosses take the view that a few minutes of freedom increases motivation and productivity.

Both of these approaches have merit. What no company should stand for, however, is unauthorized apps installed on corporate phones used to access sensitive working data. Even a mundane contact list of your coworkers may be of interest to cybercriminals.


What if a user installs apps from official sources only — surely nothing bad will happen, right? That’s wishful thinking, unfortunately. Of course, Google keeps track of what is distributed through its official store, but criminals regularly find ways to circumvent its control mechanisms. Here’s just one of their tricks: An app starts out working exactly as stated, with no malicious functionality, and continues that way through several updates. Only later do the criminal developers add some illicit code, which proceeds to steal data or take other malicious action. And even if the perpetrators are caught, they won’t stop for long. The same trick can be performed multiple times; all they have to do is to alter the app’s name.

For example, about a year ago, we published an article on Securelist about the VK Music app, used to listen to music uploaded by users of Russian social networking site VKontakte. It also stole users’ passwords to this social network. Of course, we quickly notified Google, and the app was removed from Google Play. But even a year later, our experts still register attempts to spread new versions of this app under an array of new names via Google Play; and of course, the password-stealing payload is still there. According to our stats, there have been no fewer than 7,000 installation attempts of just one version.

Why should you care about the passwords of some foreign social network? That’s a fair question. Consider this: Password reuse is rampant, and therefore, a social network password can open the door to corporate services. Another thing: False posts appearing to be from employees can amount to a serious risk to a company’s reputation.

Okay, let’s try something a little closer to home. Do you have any Pokémon aficionados in your company?

Our experts recently discovered an app called Guide for Pokémon Go distributed via Google Play. It looks like a single app created to help players of the much-hyped gaming title. But a little while after it’s installed, the app roots the device. Rooting makes the malware capable of installing and deleting additional apps.

As far as we know, the malicious app was downloaded at least 500,000 times before we busted it, and on at least 6,000 occasions it was successfully installed. The peril for a corporate device is obvious here, don’t you think? If anything can be installed on a rooted smartphone, the possible consequences are endless: the perpetrators may access corporate e-mail, calendar, contact lists, or data in other working apps.

That’s why we strongly recommend protecting all devices — whether corporate-issued or employee-provided (aka BYOD, or bring-your-own-device) — from threats such as this using specifically tailored security solutions. We offer Kaspersky Security for Mobile, which allows an administrator to set up plain and clear security policies for employees’ handheld devices. For example, the solution might prevent employees from using certain apps or even entire categories of software. (The definitions for these categories are taken from our own Kaspersky Security Network service, not Google Play. This is an important distinction; criminals may publish their apps in different areas of the store to evade Google moderators’ scrutiny.)

As a result, banned apps and apps in banned categories fail to launch on employees’ smartphones, and previously installed ones get blocked. Users are then advised to remove the apps.

Using settings like these helps decrease the risk of losing valuable corporate and personal data through corporate mobile devices.