Religious smartphone apps are more likely to contain malware than are online gambling apps, according to a new study.
On Wednesday, cybersecurity outfit Proofpoint released the findings of a study it conducted to determine whether gambling apps truly deserved their reputation as fertile ground for malware and for engaging in unwarranted activity without the user’s permission.
Proofpoint’s study checked out 23k iOS and Android ‘card game’ apps – defined as poker, blackjack, solitaire, bingo and other card games – that collectively accounted for 5.6b downloads.
Of these gambling apps, 52 contained known malicious code, while 379 were classified as ‘high’ risk – they uploaded user information without the user’s permission, contained SSL vulnerabilities that enable communications to be intercepted, installed a boot-time startup item, etc. – and another 3,200 were deemed ‘moderate’ risk.
By contrast, a study of 5,600 Android flashlight apps found 26 with malware and 36 classified as high risk. Alarmingly, despite the simplicity of their functionality, most of these flashlight apps were found to be communicating with 678 external servers scattered across 28 countries.
Surprisingly, Proofpoint’s study of 5,600 Bible verse iOS and Android apps found 208 containing malicious code and 140 deemed high risk (all on Android). Worse, the apps exchanged data with over 2,500 servers in 42 countries. The sketchy activity wasn’t limited to obscure apps, as one of the most popular Bible apps was capable of reading the user’s SMS messages and making phone calls without the user’s knowledge.
Muslims aren’t immune from these incursions. Proofpoint studied 4,500 apps that delivered messages from the Quran and found 16 containing malware and 38 classified as high risk. Meanwhile, a scan of 200 known Torah apps turned up only two containing malware.
In percentage terms, 3.7% of Bible apps were found to contain malware compared to just 0.22% of card game apps. Proofpoint suggests the lesson to be learned here is not to judge a book by its cover and that mobile security strategy has to be based on more than just “preconceived notions of legitimacy.”