Vulnerable gambling apps put corporate data at risk
Based on an analysis of hundreds of thousands of scans of mobile apps installed in actual corporate environments, Veracode found that the average global enterprise has multiple gambling apps installed in its mobile environment. In fact, some environments were found to contain as many as 35 unique gambling apps.
Many of these apps contain adware as well as critical vulnerabilities, such as weak encryption, enabling cyberattackers to gain access to contacts, emails, call history, and phone locations as well as to record phone conversations.
The use of mobile gambling applications is growing exponentially. Juniper Research estimates that smartphone and tablet owners will place upwards of $60 billion in bets by 2018 using casino-type gambling apps — roughly five times the current size of the overall mobile gaming market. Another telling data point is that spending on casino and card games for Android was up 105 percent from November 2013 to November 2014.
At the same time, Gartner estimates that 75 percent of mobile apps will fail basic security tests through 2015. While some of this is due to sloppy programming and the use of insecure open source and third-party libraries, cybercriminals and nation-states are also constantly looking to exploit insecure apps in order to steal corporate intellectual property, track high-profile individuals and/or dissidents, and insert aggressive adware for monetary gain. In addition, free apps typically incorporate advertising SDKs that monetize by sending user data such as identity and location to advertising servers located around the world.
Veracode has identified a number of unsafe slots, poker, black jack and bingo apps, including examples of vulnerabilities and malware such as the following:
A popular casino app checks to see if a device is rooted or jailbroken, thereby determining if the app has the ability to install additional functionality enabling it to disable anti-malware, replace firmware or view cached credentials such as banking passwords. Additionally this app has the capability to record audio and video and access user identity information, and it can be exploited using a man-in-the-middle (MITM) attack that allows cyberattackers to eavesdrop and even alter network communication.
A major slots app communicates with its back-end cloud services using unencrypted HTTP rather than the more secure HTTPS protocol. This can be used to build a target profile by revealing sensitive demographic data such as gender, birthday and last login timestamp. Further analysis reveals that the app also downloads up to 24 megabytes of encrypted data from servers located outside the US — without the user’s permission — indicating that it can potentially install malicious software on the fly.
Ten digital gambling apps — including Gold Fish Casino Slots, Jackpot Party Casino and Texas Poker — can read, write and delete local files as well as directly access network functions such as creating connections to arbitrary servers and receiving data from any source.
More than three-quarters of all mobile apps fail basic security policies such as the Mobile OWASP Top 10. Further industry research shows that top attacks include Remote Access Trojans (RATs) for accessing user data, man-in-the-middle (MITM) attacks due to weak cryptography, ransomware that restricts access to devices until the ransom is paid, and fake certificates that enable attackers to side-load malicious apps.
Apps analyzed for this study include, among others: Big Fish Casino, Gold Fish Casino Slots, GSN Casino, Heart of Vegas, Hit it Rich Casino Slots, Jackpot Party Casino, Slot Machines House of Fun, Slots Pharaohs Way, Texas Poker, Wonderful Wizard of Oz and Zynga Poker.