I’m pretty sure most of us pay very little attention when our mobile phones ask to update the installed apps, even when, during that process, the phone asks if it’s OK to grant new permissions to an app that wants access to your contacts, camera, phone or local filesystem. The app is already installed on the phone and you use it (sometimes), so where’s the harm? Unfortunately for millions of Android users who had an app called CamScanner on their phone, the latest version came with a malware delivery vehicle called a Trojan Dropper. This bit of software, once installed, can reach out to a designated server on the internet and download encrypted code, which is then decrypted and run on the device without any action required from the phone’s owner.
What this means for you
Unfortunately for Android users, even the ones that keep on the straight-and-narrow and only install Play Store apps, staying inside Google’s “walled garden” is sometimes more like wandering around a hedge maze full of holes, thorny bushes and no clear exits. Earlier this month, Google had to remove 34 apps that collectively had been downloaded over 100 million times because they contained a similar bit of malware called a Clicker Trojan. In cases like the Dropper and this Clicker Trojan, the software is designed to allow hackers to covertly subscribe the users to costly subscription services and repeatedly open websites in massive advertising click-fraud campaigns, generating millions of dollars for the attackers, often going completely unnoticed on the compromised phones.
As with many types of malware infections, the underlying cause is usually either a lack of understanding of how phones get infected and what an infection looks like on a mobile device, or, in many cases, a lack of patience for (or interest in) the diligence needed to notice the problem in the first place. If you need some basic guidelines for navigating the mobile app safety maze, here are some things you should always observe:
- Remove any apps you aren’t using, especially ones you don’t remember installing.
- Always read the reviews on apps that you are considering installing. Look for complaints about ads, popups, unusual behavior or suspicious permissions requests.
- Keep track of what you install, and observe your phone closely after installing a new app. The Clicker Trojan mentioned above didn’t activate until 8 hours after being installed, in order to avoid detection.
- Always be suspicious of an app’s request for unusual permissions. If you want to be on the safe side, deny all permissions during install, but be aware that many legitimate apps need access to various functions of your phone to operate properly, and denying permissions will likely cause the app to function poorly or not at all.
- Never install apps from any store other than the official Apple or Google stores. Jailbreaking or rooting your phone, even if you know what you are doing, is not recommended, and at minimum will void your warranty and absolve the carrier and phone manufacturer from providing any kind of support.
- Watch your phone bill and credit cards for unusual charges, especially if you have your bill set to auto-pay through credit card.