Confirming what many commercial security companies already claim, a security bulletin published on the Public Intelligence website by the Department of Homeland Security and the Federal Bureau of Investigation identifies the Android OS as the most attacked mobile operating system. Nearly 80% of all malware threats in 2012 targeting mobile devices were focused on Google’s platform. The distant second place (19%) was held by Nokia’s Symbian OS, most commonly found on older feature phones. At the other end of the spectrum was Apple’s iOS, which despite being one of the most popular mobile devices on the planet, was only targeted less than 1% of the time in 2012.
What this means for you:
The malware focus on Android is not unexpected: the platform is fractured across multiple versions and multiple carriers, and there are hundreds of thousands of phones running older versions of Android that have well-documented security flaws that have been fixed in later versions. Unlike Apple’s relentless updating of the iOS, many Android phones rely on the carrier to push OS updates, which they do reluctantly, if at all, especially to hardware lines that are no longer being sold or considered a significant portion of the market.
Unfortunately, the carriers have also locked down the OS on many models, requiring a series of highly-technical processes to “unlock” and “root” the phone to force an update to the OS. Of course, doing so voids any warranties with the carrier, and has a chance of “bricking” the phone itself if the process is done incorrectly, or if it is updated with an OS that has bugs or is incompatible with that specific model phone.
Here are some things you can do if you find you are using an Android phone running an older version of the OS:
- Contact your carrier to request an OS update. If they tell you one is not forthcoming immediately, or that your particular model is essentially no longer receiving updates, let them know you are concerned about security flaws in the older OS, and ask for an upgrade to recent model phone.
- Whether or not a new Android phone is in your future, you should be extremely careful about “sideloading” apps. Only install apps from Google’s Play store, and be very careful following app install links from anyone. Instead, get the name of the app you want to install, go to the Google Play app already installed on your phone, search and install from there. If you can’t find the app, it’s likely the link was to a sideloading site (and potentially unsafe), or a disguised attempt to get you to install malware on your device.
- Install a malware protection app. Several reputable companies make apps for Android. I’ve been using SecureAnywhere from Webroot for several months now, without issue, and I will soon be testing Kaspersky’s app. Look for a name you recognize, and give their app a try. Some of them might slow your phone down on ocassion as they scan for issues, but the temporary inconvenience may save you from serious heartache later on.
Lest you think Facebook is the only security punching bag getting a beating lately, two significant flaws in the Android application platform have been revealed by overseas security teams. Without going into the gory details, each team has found a different way to create a trojanized APK (the file format in which Android apps are delivered) that is indistinguishable from the original. This would allow an app to appear and function normally, but also execute functions like transmitting your passwords, texts, emails on the sly. Google has already put together a fix and distributed a patch to OEM manufacturers, and supposedly they are able to detect this sort of exploit on the Google Play Store.
You need to worry if you “sideload” apps on your Android phone, which is to say you get apps from sources other than Google Play. Keep in mind, even Amazon’s App store counts as a sideloading source, and as of the moment, they aren’t scanning for this vulnerability.
What this means for you:
Even though Google has issued a fix for this particular vulnerability, they can’t force the update upon the millions of Android phones out there affected by this weakness, as that task lies with the phone manufacturers and the carriers. With the exception of avid power-users, most Android users are unaware that their Android OS may be months or years out of date, primarily because cellular carriers insist on selling phones that use a modified version of the OS that does not automatically get updated when Google updates the core version of Android. On top of this, the carriers are notoriously slow in issuing updates. If you are wondering what folks are talking about when they are discussing “Gingerbread”, “Honeycomb”, “Ice Cream Sandwich” and “Jelly Bean”, they are referring to the various versions of Android OS, where Jelly Bean is the latest. Supposedly this exploit exists as far back as “Donut” (ver 1.6).
Even worse, certain older models of Android phones may never get updated, as the carrier has essentially abandoned firmware updates for phones that are “retired” from active support. Users of these phones have essentially two options: root, unlock and update the phone with a custom version of the Android OS developed by the open source community, or buy a new phone. The former option is definitely not for technically-disinclined. Given the gravity of the vulnerability, the carriers may issue patches for the majority of its phones, but I wouldn’t hold your breath.
Until you are able to verify your Android smartphone is running a version of the OS that fixes this vulnerability, don’t sideload applications. If you want to be extra safe, avoid using smartphone apps that transmit sensitive information like banking passwords, pins and other sensitive personal information. As I’ve reiterated before, exercise caution before convenience, especially when it comes to protecting yourself.
According to analyst IDC, Android-based smartphones account for three out of every 4 phones sold worldwide in Q3 2012. As anticipated, this expansion of the market has also prompted a surge in fraudulent apps being developed and installed on phones. Security firm F-Secure reports a 10X increase in the number of distinct malware apps detected in the marketplace, finding over 50k apps this quarter alone. Most of these apps appear to be making their debut on 3rd party apps stores outside of the US looser security standards allow the malware to slip into the marketplace undetected.
What this means for you:
Earlier this year, Google implemented a security review process on its official “Play” store, reducing the number of fraudulent apps significantly. However, unlike the iPhone ecosystem, which locks users into only getting apps through its tightly controlled and reviewed iTunes appstore, Androids can bypass the Google’s official appstore to “sideload” apps on their smartphones via a single checkbox setting that is available in the operating system. Just because you can do something doesn’t mean you should. With the possible exception of Amazon’s App Store, I would not recommend installing apps from any 3rd party app store. Amazon.com led the way in sideloading by announcing their own appstore in early 2011, primarily as a means to avoid paying distribution fees to Google to service their own Android-based Kindle devices. Given that keeping their user base safe is probably of utmost concern, it’s likely that Amazon will be carefully reviewing apps distributed through their ecosystem.
If you insist on sideloading apps from a 3rd party app store, make sure you know what you are doing, review the apps carefully, and when in doubt, do your research before installing that magical app that will do it all, and is also free. It may not cost you any money up front, but the longterm damage to your security and identity may be a cost you can’t afford.