Is Nothing Sacred?

It isn’t exactly a revelation that religious apps are popular. People carry them to church, temple and synagogue, and they rely on them for information, prayers and much more.

By some estimates, more than 202 million smartphones now have religious and Bible apps, such as YouVersion, loaded onto them. During the holidays, these apps are especially popular, and people use them frequently.

But these apps may not be the answer to your prayers. Mobile app security firm Proofpoint has just analyzed 38,000 iOS and Android apps to identify the risk to users, including personal and company data.

What they found is disturbing. An assortment of apps—ranging from card games and flashlights to holy books—are stealing data, tracking the location of users, sending unauthorized messages to contacts, and even making unauthorized phone calls.

While the problem is widespread, Bible apps had the highest rate of malicious code: 3.7 percent of 5,654 apps. This works out to 208 apps containing malicious code and 140 apps that fall into the high-risk category.

By contrast, when Proofpoint scanned Quran apps, it found 16 with known malicious code and another 38 that it classified as high risk. And only two of 200 unique Torah apps contained malicious code.

The offenders contain riskware, the company notes. They install on the device as a boot-time app so they can communicate with remote servers. In some cases, these apps interact with dozens of different servers.

Risks and malicious behaviors include zero-day malware infections, accessing Super User permissions, stealing login credentials, covertly uploading the address book and reading various types of messages.

“When it comes to malicious apps, apparently nothing is sacred,” said Kevin Epstein, vice president of threat operations for Proofpoint. “The surprising prevalence of riskware in religious texts’ apps provides further evidence that mobile users—and their employers—need to be far more security-conscious.”

As the dream of digital technology improving the world continues to morph into a nightmare, IT professionals must be on guard. It’s critical to adopt data-driven tools that determine what types of data the apps access and transmit and where they are sending that data. It’s also necessary to have systems that identify malignant apps and remove them from devices.

Finally, and perhaps most importantly, an organization should have clear guidelines and policies about accessing corporate networks and data—as well as mechanisms to enforce those policies. Enterprises should also provide plenty of security training to employees.

Anything less is like simply praying for positive results without doing anything to achieve them. If you choose that option, be sure you don’t consult an app without checking to be sure it’s not “possessed.”