The official UEFA Euro 2016 Fan Guide App is leaking users’ personal data, according to security researchers.
Analysis of the data traffic patterns from enterprise mobile devices by Wandera reveals that highly personal user credentials, including user names, passwords, addresses and phone numbers, are being transferred over an insecure internet connection. The app, which has more than 100,000 downloads, could therefore provide an access point for hackers to access, and potentially steal, valuable user data.
“While the public has been made aware of malware concerns associated with fake FIFA apps, it should be noted that even an official app such as the UEFA Euro 2016 Fan Guide App is not secure,” the company said in its report on the subject.
The issue affects both the iOS and Android versions, the firm said, adding, “these exposed vulnerabilities represent the tip of the iceberg in terms of the collective threat to enterprise mobiles brought about by the football tournament.”
More specifically, since the tournament started, Wandera has discovered 72% of recognized malicious websites and 41% of exposed passwords were detected on smartphones in France—a situation most likely linked to an increasing number of mobile ads.
Traffic related to online advertising almost doubled during Wandera’s investigation, and peaked in Portugal, Ireland, Turkey and Spain. News and sports website traffic also increased by 38%, and the use of social networks saw a 67% surge during the month-long period. All of this adds a greater chance for exposure to malicious actors’ gambits and traps.
“Increased data usage during the beginning of Euro 2016 will come as no surprise to anyone,” said Eldar Tuvey, CEO of Wandera. “What is clear however, is that football fans are travelling across Europe, accessing apps and websites that are unfamiliar to them to access the up-to-date information they crave. Our analysis proves that even so-called ‘trusted sources’ carry risk and vulnerability—something that enterprises must be equipped to deal with.”
The global hacking community isn’t just focused on France and the tournament, it should be noted. Wandera has also seen a significant phishing threat in Russia that has continued despite the start of Euro 2016. In fact, a staggering 73% of all phishing incidents occurred there during the time period.
“In February this year, reports were released about phishing attacks on Russian banks,” the report noted. “Russian hackers managed to steal over $27m from Russian banks, first by going after their clients, before moving on to the banks themselves. Following this and the practices put in place to prevent further attacks; we expected the threat actors to have moved on to other targets, particularly with the start of Euro 2016 and the upcoming Olympics. This is not the case however.”
Photo © Mathias Rosenthal