
FBI Warns of Data Security Risks in Foreign-Developed Mobile Apps

Data Security Risks

The data security risks of foreign-developed mobile apps are coming under sharper scrutiny, as the Federal Bureau of Investigation (FBI) issues a fresh warning on how widely used applications could expose sensitive user data. In a new public service announcement, the agency highlights that many of the most popular mobile apps used in the United States—especially those developed by companies based in China—may pose significant privacy and security concerns. At the core of the warning is a simple issue: users often do not fully understand how much data these apps can access—and where that data ultimately ends up.

Data Security Risks of Foreign-Developed Mobile Apps 

The data security risks of foreign-developed mobile apps are not limited to what users see on the surface. According to the FBI, once permissions are granted, apps can continuously collect data from across a device—not just while actively in use. This includes access to contacts, messages, location data, and even system-level information. In many cases, users unknowingly allow apps to collect information not only about themselves but also about people in their contact lists. Apps that offer features like inviting friends can access and store contact details such as names, phone numbers, email addresses, and physical addresses. This expands the risk beyond individual users, pulling non-users into the data collection ecosystem. The concern is not just the volume of data—but the persistence of access.

Where the Data Goes Raises Bigger Concerns

A key issue highlighted in the FBI’s advisory is data storage and jurisdiction. Many apps clearly state in their privacy policies that user data may be stored on servers located in China. This is where the data security risks of foreign-developed mobile apps become more complex. Companies operating in China are subject to national security laws that can require them to provide data access to government authorities when requested. For users, this creates a gap between consent and control. Even if data collection is disclosed, there is limited visibility into how that data may be accessed or used beyond the app itself. Some platforms offer local versions that allow users to run the app without relying on cloud-based systems, potentially reducing data transfer risks. However, not all apps provide this option. In some cases, users must agree to data sharing as a condition of using the service.

Malware Risks Add Another Layer of Threat

The data security risks of foreign-developed mobile apps are not limited to data collection practices. The FBI also warns that some apps may contain hidden malware. This can include malicious code designed to exploit vulnerabilities in mobile operating systems, install backdoors, and enable unauthorized access to sensitive data. In more advanced cases, such malware can download additional malicious packages without the user’s knowledge. The risk increases significantly when apps are downloaded from unofficial sources. Third-party app stores and unknown websites are more likely to host compromised applications, while official app stores typically conduct security checks to reduce such threats. Still, the presence of malware—even in seemingly legitimate apps—remains a concern.

FBI Urges Stronger Cyber Hygiene

While the spotlight is on foreign-developed apps, the FBI makes it clear that these data security risks of foreign-developed mobile apps are part of a broader digital security challenge. The agency emphasizes the importance of basic cyber hygiene. Users are advised to:
  • Disable unnecessary data sharing permissions
  • Download apps only from official app stores
  • Regularly update passwords
  • Keep device software up to date
  • Review terms of service before installing apps
These steps may seem routine, but they are often overlooked—creating easy entry points for data exposure.

A Growing Concern Beyond the U.S.

Although the advisory focuses on users in the United States, the data security risks of foreign-developed mobile apps are not limited by geography. The same apps are used globally, often with similar permissions and data handling practices. This makes the issue less about nationality and more about transparency and control. Users are increasingly dependent on mobile apps, but visibility into how their data is collected, stored, and shared remains limited. The FBI also encourages users to report any suspicious activity linked to mobile apps, including unusual data usage, unauthorized access, or signs of malware. Incidents can be reported to the Internet Crime Complaint Center (IC3), along with details such as the app name, permissions granted, and type of data potentially compromised.

Cyber Hygiene: Safeguarding Your Digital Life in a Cyber-Threat Landscape

Introduction: With recent technological advancements, cyber hygiene has become an important factor in digital safety and security. As cybercrime risks continue to rise, individuals and organizations must implement cybersecurity measures to prevent unauthorized access to sensitive, personal, and identity data online. Definition: Cyber hygiene or cyber sanitation may be defined as a proven set of

The post Cyber Hygiene: Safeguarding Your Digital Life in a Cyber-Threat Landscape appeared first on EncryptedFence by Certera - Web & Cyber Security Blog.

The post Cyber Hygiene: Safeguarding Your Digital Life in a Cyber-Threat Landscape appeared first on Security Boulevard.

Router reality check: 86% of default passwords have never been changed

Misconfigurations remain a popular compromise point — and routers are leading the way.

According to recent survey data, 86% of respondents have never changed their router admin password, and 52% have never adjusted any factory settings. This puts attackers in the perfect position to compromise enterprise networks. Why put the time and effort into creating phishing emails and stealing staff data when supposedly secure devices can be accessed using “admin” and “password” as credentials?

It’s time for a router reality check.

Rising router risks

Routers allow multiple devices to use the same internet connection. They accomplish this goal by directing traffic — internal devices are routed along the most efficient path to outside-facing services, and incoming data is sent to the appropriate endpoint.

If attackers manage to compromise routers, they can control both what comes out of and what goes into your network. This introduces risks such as:

The nature of router attacks also makes them hard to detect. This is because cyber criminals aren’t forcing their way into routers or taking circuitous routes to evade security defenses. Instead, they’re taking advantage of overlooked weak spots to access routers directly, which means they aren’t raising red flags.

Consider a router with “admin” as the login and no password. A few simple guesses get attackers into router settings without triggering a security response since they haven’t breached a network service or compromised an application. Instead, they’ve accessed routers the same way as staff and IT teams.


Exploring the defensive disconnect

Companies recognize the need for robust cybersecurity. According to Gartner, spending on information security will grow 15% in 2025 to reach $212 billion. Common investment areas include endpoint protection platforms (EPPs), endpoint detection and response (EDR) and the integration of generative AI (gen AI). Routers, however, are often overlooked.

For example, 89% of respondents have never updated their router firmware. The same number have never changed their default network name, and 72% have never changed their Wi-Fi password.

This is problematic. A recent report found that popular OT/IoT router firmware images were outdated and contained exploitable N-day vulnerabilities. The report found that, on average, open-source components were more than five years old and were four years behind the latest release.

As noted by GovTech, meanwhile, an attack on a Pittsburgh-area water authority succeeded in part because the default password to its network was “1111”. Other common passwords include “password” and “123456”; in some cases, routers have no passwords. All attackers need is the login credential — which is often “admin” — and they have full access to router functions.

Even more telling is the fact that router security is getting worse, not better. Consider that in 2022, 48% of respondents said they had not adjusted their router settings, and 16% had never changed the admin password. In 2024, over 50% of routers were still running on factory settings, and just 14% had changed their password.

By spending more on security tools but not changing default configurations or updating router firmware, businesses are closing the doors but leaving the windows wide open.

Minimizing misconfiguration mistakes

So, how do companies minimize the risk of misconfiguration mistakes?

It starts with the basics: Change passwords regularly, update firmware and ensure that routers aren’t left on factory settings. Simple? Absolutely. Common? As survey data indicates, not so much.

In part, the disconnect between router risks and security realities stems from the sheer volume of cyberattacks. For example, 2023 saw 94% of companies hit by phishing attacks, and as noted by the IBM Cost of a Data Breach Report 2024, the average cost of a data breach is now $4.88 million, up 10% from 2023 and the highest ever reported. This puts cybersecurity teams on the defensive and on high alert for common attack vectors such as phishing, smishing and the use of “shadow IT” applications that haven’t been vetted or approved.

As a result, routers can slip through the cracks. The first step in solving this problem is creating a regular update schedule. Every four to six months, schedule a router review — put it in a shared calendar, and make sure all security staff know it’s going to happen. When the designated day comes, update firmware where possible and change login and password details. It’s also worth establishing a weekly schedule to review router traffic for any odd behaviors or unexpected login requests.
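One way to run the weekly review for unexpected login requests is sketched below as an added example, not code from the original article. The log line format, the management subnet, the router names and the sample lines are all constructed assumptions; adapt the pattern to whatever your routers actually emit.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the subnet IT staff administer routers from (constructed value).
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")

# Assumption: a simplified, constructed log format, not any vendor's syslog layout.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<router>\S+) login (?P<result>success|failure) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample input, including one malformed line.
SAMPLE_LOG = """\
2025-01-06T09:12:03Z rtr-hq-01 login success user=netops src=10.0.50.17
2025-01-07T02:41:10Z rtr-br-02 login failure user=admin src=192.168.40.23
2025-01-07T02:41:19Z rtr-br-02 login failure user=admin src=192.168.40.23
2025-01-07T02:41:31Z rtr-br-02 login success user=admin src=192.168.40.23
2025-01-08T14:05:44Z rtr-hq-01 login failure user=netops src=10.0.50.17
this line is malformed and must be skipped
"""

def review_logins(log_text, mgmt_net=MGMT_NET):
    """Return successful logins that deserve a human look, with the reasons."""
    failures, findings = defaultdict(int), []  # failures: (router, src) -> count
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        key = (m["router"], m["src"])
        if m["result"] == "failure":
            failures[key] += 1
            continue
        reasons = []
        try:
            if ipaddress.ip_address(m["src"]) not in mgmt_net:
                reasons.append("source outside management subnet")
        except ValueError:
            reasons.append("unparseable source address")
        if m["user"] == "admin":
            reasons.append("factory-default account name")
        if failures[key]:
            reasons.append(f"{failures[key]} failed attempt(s) before success")
        if reasons:
            findings.append({"ts": m["ts"], "router": m["router"],
                             "src": m["src"], "reasons": reasons})
        failures[key] = 0  # a success resets the failure streak for this pair
    return findings

if __name__ == "__main__":
    print(*review_logins(SAMPLE_LOG), sep="\n")
```

A login with valid credentials looks identical to staff access at the router itself, so the signal here comes from context: where the session originated, which account was used, and what preceded it.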

Shoring up security

While basic cyber hygiene helps lower the risk of router attacks, shoring up security requires a more in-depth approach.

The first step is finding and securing every router on your network. Given the increasingly complex nature of enterprise networks, the easiest way to accomplish this goal is by using automation. Solutions such as IBM SevOne Automated Network Observability provide pre-built workflow templates for IT teams to identify connected devices, collect performance data and make data-driven decisions.

Companies also need to consider what happens when a router compromise occurs. Despite best efforts by security teams, the growing number of endpoints means it’s only a matter of time until attackers manage to find unprotected routers or circumvent existing defenses.

Effective response requires effective incident management. Solutions such as IBM Instana offer full-stack visibility, one-second granularity and three seconds to notify, giving teams the information they need when they need it to reduce security risks.

Bottom line? Failure to monitor and update router settings can open the door to compromise. To solve the problem, teams need a router reality check. By combining security hygiene best practices with intelligent automation solutions, enterprises can keep unauthorized users where they belong: outside protected networks.

The rising risk of router attacks, paired with a growing list of unreasonable expectations, creates complex challenges for security teams. The solution? Unreasonable observability. Learn more on IBM Instana and how it can help.

The post Router reality check: 86% of default passwords have never been changed appeared first on Security Intelligence.
