Zombie apps haunt BYOD workplaces

One out of every twenty apps on employee smartphones is actually dead, removed from its respective app store and no longer supported

According to a new study of around 3 million apps on employee smartphones, 5.2 percent of iOS apps and 3.9 percent of Android apps are actually dead, removed from their respective app stores and no longer supported.

Every single enterprise studied had at least some zombie apps on user devices.

These zombie apps can be harmful in a couple of ways, according to Domingo Guerra, president and founder at Appthority, the mobile app security company that did the research.

The apps could have been removed from the app stores because they are insecure or have malware in them, he said.

In addition, third parties could hijack the update mechanism for these apps in order to install new malware on user devices.

According to Appthority, this makes zombie apps a much more widespread risk to enterprises than mobile malware.

The problem is exacerbated by the fact that the app stores don't release information about why the apps were removed, he said.

"We'd like to see more transparency from the app stores, similar to what we see in other product recalls," Guerra said. "As consumers, if an app is recalled, we want to be notified."

And the app stores don't automatically pull the zombie apps from user devices, he added.

"Google has announced the capability of removing malware apps from the devices -- but only if the users have set it up as acceptable on their device," he said.

Other than that, according to Appthority, neither Google nor Apple is offering any solutions to help protect enterprises from this risk.

In addition to the zombie apps, many employees also have outdated apps on their smartphones and tablets.

On iOS devices, just over 37 percent of all apps haven't been updated by the users, even though updates are available. On Androids, that is a little lower, at 32 percent.

"New versions are important because it's how developers push security updates and app fixes," said Guerra.

He said the solution is better training, so that users know to update their apps more often, or to set them to auto-update if the feature is available.

Meanwhile, identifying zombie apps is a trickier proposition. There are some mobile malware companies that are helping to address the issue, Guerra said, and Appthority itself works with mobile device management vendors such as MobileIron.

"We alert administrators so they can automate remediation in the mobile device management platforms," said Guerra.

According to Appthority, iOS devices currently dominate the enterprise, with an 85 percent market share, and Android is in second place with 14 percent. Microsoft and Blackberry have less than 1 percent market share.

According to the company, few devices have security applications installed. In particular, only 4 percent of Android devices in use within enterprises had on-device scanning solutions, according to the report.

Copyright © 2015 IDG Communications, Inc.
