Hackers' new target: Getting paid subscriptions for free

Man with mobile phone in sun
Ezra Bailey | Getty Images

With alarming frequency, companies disclose data breaches or hack attacks that compromise the personal data of their consumers. Yet a new fear that may keep company executives up at night may not be from hackers, but the risks posed by their own client base.

A new study from Bluebox found that popular mobile applications like Hulu and Tinder have major security holes that allow hackers to fool the system into believing they obtained a premium account, when, in fact, they hadn't actually paid. The study suggested these apps have flaws that lack basic defense capabilities that guard against tampering.

Read MoreHulu seeks to sell stake to Time Warner: Report

Considering their large user bases, it could mean these popular apps could end up losing money, especially as the landscape becomes increasingly competitive and premium subscriptions become a revenue driver for developers. Hulu, for instance has a commercial-free option for $4/month in addition to its regular $7.99 subscription fee. It is estimated that the company's earned around $1.6 billion from both subscriber and advertising revenue in 2015.

"The mobile app ecosystem is still in the very early stage of security," Andrew Blaich, lead security analyst at Bluebox Security told CNBC. "Most of them are not protected and not secured."

The findings come at a time when the app economy is booming. According to eMarketer, mobile download and in-app revenue is projected to hit $10.4 billion this year, after growing from $7.7 billion in 2013.

The study conducted by Bluebox examined three popular mobile apps: Hulu, Tinder and Kylie Jenner's official mobile application that gives users an exclusive peek into the world of one of the Kardashian's more famed siblings. Bluebox's study also found that hackers can easily disable advertising, access premium features for free, and bypass subscription payments. The firm worked with all three app makers to resolve the problem.

The problem with phony premium pays, however, is hardly unique to those three developers. Apple and Google Play stores account for the majority of app downloads, but more than 40 percent of consumers download apps using other methods. Bluebox said that gray area is where the majority of paid subscription circumvention takes place.

Still, most companies are primarily worried about hackers breaking into their customer information.

"We're seeing them scramble to build out their apps to protect ... personal information of users," Blaich said. "But you have to start thinking about the revenue stream, as an enterprise developer, if your revenue stream can be bypassed — and if all it takes is one app that can circumvent your payment code, you should be concerned."