They’re coming. Dead apps are apps that once lived on large-scale app stores such as iTunes and Google but have been removed and are unsupported and no longer useful. However, according an Infosecurity Magazine article on a recent mobile threat report from security vendor Appthority, these apps have a kind of perverse second life. Many enterprise users keep applications on their phones and tablets long after they’ve been removed from stores, putting network infrastructure at risk.

Night of the Living App?

What’s the greatest threat to enterprises when it comes to mobile security? Experts often point to the challenges of bring-your-own-device compliance, the risk of malware through phishing emails and users downloading malicious third-party apps. Dead apps, however, present a unique and growing threat vector. Removed from official app stores, these programs still work on mobile devices but aren’t supported, aren’t secured and aren’t the responsibility of Google, Apple or even the app creators to maintain and secure. This means inherent flaws that were never corrected — and may have been the reason for the app store removal — could compromise both corporate data and personal information.

According to Appthority’s Q1 mobile threat report, 5.2 percent of iOS apps and 3.9 percent of Android apps are dead and have been removed from app stores. However, these companies are under no obligation to notify users that apps have been pulled or that they’ll no longer be updated. Stale apps — apps that are still active on app stores but go for long periods without any updates or bug fixes — are also a problem.

Appthority said that users can also be responsible for outdated apps since they don’t always update to the latest version, even though newer versions may have fixed bugs, patched vulnerabilities or addressed security concerns. In some cases, users are still running apps that are several versions old, presenting a threat. The numbers are also much higher, with 37.3 percent of iOS and 31.8 percent of Android apps considered stale.

Brains… Brains…!

While dead apps won’t claw their way out of mobile devices to turn users into the living dead, these so-called zombie apps do present a real risk to employees. The first issue is baked-in malware. If an app is found to contain malware, both Apple and Google pull it from store shelves but don’t always tell users, according to CSO Online. Domingo Guerra, president of Appthority, said he wants to “see more transparency from the app stores, similar to what we see in other product recalls.” There is also the issue of hijacking. If malicious actors discover dead apps are no longer being updated, it’s possible for them to hack the update mechanism and deliver malware through what appears to be an approved software upgrade.

The mobile threat report recommends two courses of action: more oversight from IT administrators and better training for employees. IT professionals must be diligent about seeking out possible dead apps and removing them from devices, while users must be educated on the necessity of regular updates and searching their devices for applications that are no longer supported or offered in major app stores.

Dead apps won’t go down without a fight, and enterprises need to ensure they have the right weapons to put these apps back in the ground.

Image Source: iStock