Kern Smith, VP of Global Solutions at Zimperium, explores the growing risks of sideloading in the financial services sector. While sideloading enables organisations to bypass app store restrictions for proprietary applications, it also exposes devices to significant security threats, with cybercriminals increasingly targeting financial firms. Smith highlights the importance of integrating Mobile Threat Defence technology to safeguard sensitive data and protect businesses from cybercrime.

The global economy moves quickly and the financial services sector has to keep up. The mobile device has been a central part of transformation in an industry where stakeholders have to stay available around the clock and tuned in to economic changes that can happen on the other side of the world at a moment’s notice.
Given the amount of money, proprietary information and intellectual property that these kinds of organisations handle, one might think that these devices would be at the centre of any cyber-resilience strategy a financial services firm maintains. Yet Zimperium’s 2024 Global Mobile Threat Report (GMTR) shows one particularly grave mobile risk in the sector: sideloading. It is by far the largest mobile threat to the sector, accounting for 68% of the risk against it.
It’s not clear why this should be such a disproportionately large problem within financial services, but there are some possibilities. Firstly, financial services organisations are often early adopters and pioneers when it comes to IT. Investment in this area gives them a real edge in what are often tight competitions. It’s conceivable, then, that custom applications such as trading platforms and analytics tools may be present on those devices. On top of that, sideloading may help financial services firms deploy tailored mobile solutions for employees and partners; bypassing app store controls for these apps also allows them to roll out apps quicker. It’s important to note that sideloading applications is often carried out for legitimate reasons, and even companies like Amazon once had to ask users to sideload their proprietary apps.
Sideloading is simply a way of loading applications from unofficial sources. It sounds innocent enough, and the people who do it certainly don’t intend to harm themselves or their employer. But therein lies the problem – sideloaded apps are an easy way to smuggle malware onto a phone and thus exploit the user and everyone they associate with.
The sideloaded app ecosystem
In fact, cybercriminals are anticipating exactly these kinds of opportunities. Official app stores – such as the Google Play Store – are replete with vetting processes and security controls that ensure the trustworthiness of the apps they allow on there. The rules are there for a reason and, although they might seem overly restrictive to many, they generally keep users safe from malware and malicious intrusion.
That is too restrictive for many, who go to unofficial app stores to find apps with functionality they can’t get on the official app stores. Yet these unofficial app stores, as mentioned, are packed with malicious apps masquerading as legitimate ones, just waiting to infect unsuspecting users. Most of that – 73% – will be riskware, which introduces spyware, adware and other unwanted programmes along with the desired application. A smaller proportion – 11% – will be trojans pretending to be legitimate apps, and a further 10% are pure malware, meant to do nothing else but steal or destroy. In fact, the GMTR shows that users who sideload apps are 200% more likely to have malware on their devices.
On top of that, Zimperium has reviewed its collected data on the malware found in these sideloaded applications by extracting the unique hashes of those apps. Over half – 56% – of those hashes were from completely unknown threats.
The problem doesn’t end there. In order to actually go through the process of sideloading an app onto a device, users often have to jailbreak their own devices, overriding those phones’ inbuilt security controls and actually weakening the devices’ resilience against threats.
From that point of view, it’s quite easy to see how sideloading can become a serious risk for a sector, especially one that handles proprietary information, intellectual property and capital on the scale that the financial services sector does. Corporate spies and cybercriminals will be actively looking for valuable targets to exploit in this sector. Financial services is also a highly regulated sector, and the theft of valuable personal data or proprietary secrets may well invite compliance penalties.
Sideloading is a problem everywhere. The European Digital Markets Act has now compelled Apple to accept unofficial app stores on its devices. While well intentioned, this will likely heighten the risk profile for devices across all sectors.
The financial services sector may engage in sideloading for good reasons, employing proprietary technologies which aren’t meant for public use, but they need to also accommodate the risk that comes with that. That should start with embedding Mobile Threat Defence technology on the devices themselves so that they can continuously check whether a sideloaded app is behaving safely, and respond to shut down that risky behaviour when it is spotted. Make no mistake, the mobile device is the most important modern endpoint in business. Those that ignore that fact will watch it change from a valuable asset to a serious risk.