Malware in the Google Play Store: Enemy inside the gates

Google Play has experienced some recent malware infestations. Learn about the details and how to protect yourself and your users.

Last month a form of malware called BadNews was downloaded several million times from the Google Play store. This malware impersonated an ad network and leaked personal information from affected phones to a designated offshore server. It also prompted users to install a Trojan application (AlphaSMS) which produces expensive text charges. All in all, it wasn't pretty.

According to an article on arstechnica.com, Google examines all apps uploaded to Play (they use a cloud service called Bouncer to verify new apps against known malware signatures and test them for malware-like behavior). In this instance the BadNews-related apps were clean upon upload. The designers introduced the malware components to these programs several weeks later. I'm sure these tactics will evolve, as they always do, but fortunately there are a few principles you can rely on to avoid malware infections from Google Play (or elsewhere).

A changing perspective

Reports of malware on cell phones are nothing new; I first heard rumors about the topic as far back as 2005 (malware which impacted Symbian phones via Bluetooth connections). I didn't take the threat seriously then, since it seemed an abstract concept not likely to impact any of the users I supported. Furthermore, I had to wonder if the subject wasn't being "ginned up" by overzealous security software companies looking to augment their income.

Several years later, it's long past time to recognize cell phone malware as a valid and substantial threat, especially given the improved features on these devices such as web browsers and Wi-Fi capability. Those same features can lead to greater vulnerabilities. Statistics indicate there were more than 65,000 Android malware variants found last year and that almost 33 million of these devices were impacted, more than twice the number affected in 2011. Compounding the issue is the fact that antivirus software, which has so long been a staple on Windows desktops, is rarely found or even considered on Android devices.

What can we do about it?

The Google Play help file doesn't mention malware, but the issue is really broader than just being wary about apps from Google Play. Security is a concept that transcends any one site, device, or operating system. Some tried and true techniques come into play here (no pun intended), but it's important to reiterate that the game is always changing so the rules will evolve as well.

For instance, years ago I advised my users to only open email attachments from people they knew. This was sound advice at the time, but then virus designers began spoofing the email addresses of these "trusted senders" (usually after these so-called trustworthy people got a virus which then emailed itself out using their address book) to add legitimacy to their malware-laden emails. My formerly-useful advice then became detrimental to security.

In similar fashion, one common security tip is to "only download applications from trusted sources." Normally, that's a good idea, but in this case Google Play WAS a trusted source. You don't want to get caught up in the notion that one site is 100% safe so you can trust anything they have to offer. The "safe site" concept does still apply to some degree - obviously, you can trust Google Play more than some weird foreign site exhorting you to install their free money-making app - but there are no absolutes.

Security tips

With that in mind, present day Android security tips include the following concepts:

  • Install the latest updates for your Android. These will include better security options and patch as many vulnerabilities as possible.
  • For Android 4.1.2 and above, go to the Settings menu, examine the Security section and make sure that "Unknown sources" ("Allow installation of apps from unknown sources") is unchecked. This will prevent the piggybacking of apps which can surreptitiously install as you're browsing the web.
  • Avoid suspicious apps - a no-brainer, but it should be noted that the easy installation/removal of Android programs makes it more likely for some users to try a broader variety of programs than they may on a desktop PC or laptop, where installations and removals can be more cumbersome.
  • Before installing anything, Google search the app/read reviews to see if it's on the level.
  • If you're a system administrator, provide a list of recommended apps for users. This can be useful in a business with remote or traveling workers who have specific mobile device needs you can help address with known good programs. This list could be kept on a company website with links users could access directly. It will also be easier to support these users if they're all running standard apps (c'mon, we all know that the BYOD movement didn't free the IT department from supporting user mobile apps!)
  • Review all permissions requested by an app upon installation to determine whether it requires too much access (e.g. requesting to work with your contacts).
  • Be careful of links you click in email or the web browser, and always scrutinize any "I agree" screens or boxes to see if there are hidden details. No, you may not find a "Ha Ha, this is malware!" admission in tiny font, but poor grammar or incoherent terminology could be a sign of something sneaky.
  • Keep your device locked with a password so only you can control it.
  • Don't save passwords in Android. I know it's convenient to do so, but a malicious program can capitalize upon that with grave results.
  • Be on the alert for anything strange your phone might be doing, even if it is just consuming excess battery power. You can review data usage as well (steps vary depending on your Android version) to see if you've been using more bandwidth than usual.
  • Install an anti-malware product for Android. There are several versions on the market, such as:
  • For extra protection, make sure your security app can also warn you when navigating to unsafe websites.
  • In a corporate environment it might be worth checking out a product which can offer centralized Android device management. Products by MaaS360, Boxtone and Citrix are available.
  • Keep up to date on the latest Android threats, through security and device newsletters. Where applicable, educate your users with the same details. If you're interested in Android OS security, here is a good article which discusses the matter.
  • Be wary if you've rooted your phone; your admin access levels may be different from those of the standard OS and thus you may be more susceptible to malware as a result (though you would still have to approve access for it to run).
  • Always be prepared to wipe and reinstall your Android. If you've implemented a good backup solution this should be simple. Never keep critical data on your device which isn't also synchronized elsewhere for safekeeping.
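
As an added illustration of the permission-review and recommended-app-list tips above (this script is not from the original article), the following Python example flags sensitive permissions that an app's stated category does not justify. The input format (lines beginning `uses-permission:`, as in a permission dump from the Android SDK's aapt tool), the category policy and the sample app are assumptions constructed for the example.

```python
import re

# Sensitive Android permissions and why a reviewer should care.
# The permission names are real; the notes and policy below are this example's own.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.SEND_SMS": "can send texts, including premium-rate ones",
    "android.permission.READ_SMS": "reads stored text messages",
    "android.permission.READ_PHONE_STATE": "exposes phone number and device IDs",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
}
INTERNET = "android.permission.INTERNET"

# Assumed policy: sensitive permissions each app category legitimately needs.
EXPECTED = {
    "messaging": {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS",
                  "android.permission.READ_SMS"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION"},
    "game": set(),
}

# Accepts "uses-permission: X", "uses-permission: name='X'" and "uses-permission:'X'".
PERM_RE = re.compile(r"^\s*uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)")

def parse_permissions(dump):
    """Return the set of permission names declared in a permission dump."""
    found = set()
    for line in dump.splitlines():
        match = PERM_RE.match(line)
        if match:
            found.add(match.group(1))
    return found

def review(dump, category):
    """Return (findings, can_leak): unjustified sensitive permissions, and whether
    the app could also send what it reads off the device (it holds INTERNET)."""
    requested = parse_permissions(dump)
    allowed = EXPECTED.get(category, set())  # unknown category: justify nothing
    findings = [(p, SENSITIVE[p]) for p in sorted(requested)
                if p in SENSITIVE and p not in allowed]
    return findings, bool(findings) and INTERNET in requested

# Constructed sample: a word game asking for contacts and SMS (not a real app).
# It mixes both line styles on purpose to exercise the parser.
SAMPLE_DUMP = """\
package: com.example.wordpuzzle
uses-permission: android.permission.INTERNET
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.SEND_SMS
uses-permission: name='android.permission.VIBRATE'
"""

if __name__ == "__main__":
    findings, can_leak = review(SAMPLE_DUMP, "game")
    for name, reason in findings:
        print(f"REVIEW {name}: {reason}")
    if can_leak:
        print("Also holds INTERNET: data it reads could leave the device.")
```

The same dump reviewed as a "messaging" app produces no findings, which is the point of tying the check to what the app is supposed to do rather than to the permission alone.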

Looking forward

I hope you find these tips useful and that they help keep your enterprise secure. Just remember, however, that malware designers live by the maxim that when a door closes a window opens somewhere else. When it comes to protecting your environment make sure you don't just watch the doors but also keep an eye on the windows, skylights, ventilator shafts, emergency exits, and laundry carts as well!

About

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.

41 comments
aidemzo_adanac

Votes do matter after all! -2 BOY, they showed me a thing or two alright! OMG, now I won't eat properly, won't be able to enjoy a beer, won't sleep tonight until I see it hit at least zero again. I don't mind being a zero but a -2 is really pushing it, what about people's impressions of me?! OMG, my self image, my ego, ouch, I'm doomed!!! Oh well, f'k it.

Slayer_

As of now, I'm +1 and you're -2 lol

BobTec

Tossed my iPhone for Windows 8 phone. Best thing I ever did.

JCitizen

that the apps are what introduces most of the vulnerabilities to the mobile operating system anyway. Anybody tried Secunia PSI for Android mobile?

aidemzo_adanac

Having done a bit of reading on the subject already, while Android is more prone to picking up a virus, there are more possibilities to exploit iOS. "But when looking at platform vulnerabilities Symantec said there were 387 documented vulnerabilities for iOS vs just 13 for Android. Elsewhere, BlackBerry also had 13, and Windows Mobile had two." That's a big difference, in fact it places iOS as the most INsecure mobile OS available. I think it is down to user stupidity, as usual with viruses.

rfbati

This is a good Android security awareness article. Best because practical recommendations for Android users. I have to mention that also Google Docs, or Gdrive if you like, is a cybercriminal paradise by allowing malware files host, which are being spammed since more than a year. Malware files stay there for weeks and months. Seems that Google did not scan Google Docs files for malware and make it nearly impossible to report it. Help is defective since many months ago as one can see specific complaints in google groups.

JCitizen

I will definitely pass this on to my clients. I still use a relatively dumb phone, but that doesn't mean I won't mess up and download a malicious weather radar app. I'm sure Motorola chips have their own malware to contend with! I don't think I have any anti-malware available on mine, but now I think I better take a look. Fortunately it is turned off most of the time.

Slayer_

I swear every app wants your contact list for example. But I'm using a tablet so they can have my contact list, I don't care. It would be nice if when installing an app, you could disable some of its permissions so when the app tries to get your contact list, or send an sms, it gets blank response or a success on sms (but it actually did nothing) so the app thinks it worked, even though it didn't really work.

Mark W. Kaelin

Has your organization had to deal with malware appearing on your mobile devices? Have you implemented new policies and procedures to try to prevent such infestation?

aidemzo_adanac

Have been since day one. There were far more capable smartphones out years before iPhone made an appearance. Due to really stupid public consumers that bought into the absolute BS that Apple marketed them with, SOMEHOW they took off. They did it with iPods too, I don't know how that product ever got off the ground, it paled horribly compared to others that were around at the time, it's STILL crap compared to most entry level players too. But sheeple will be sheeple and, if Apple says so, they believe it. If more people had a brain and really looked at what they were buying, compared to others that DIDNT copy Apple but beat them to the punch by years, Apple wouldn't have stood a chance. As people are generally lazy AND stupid, they just go with whatever the ad says and they take it as gospel, repeating it at every chance, whether right or wrong. I personally find most people just plain embarrassing, to think THAT'S what we have become, after over 4 BILLION YEARS of evolution, we should all hang our heads in shame. There are still some who actually don't believe there is more intelligent life in the universe, a Universe with the same origins that created life on Earth, which is just a beacon to mankind's stupidity. Seriously, if we are actually the smartest life form in our universe, the universe is doomed.

Vulpinemac

I think WP8's biggest advantages are over Android, not iOS. WP8 offers much better desktop compatibility than Android ever will.

Vulpinemac

It's not as if they haven't TRIED to exploit it, after all. Meanwhile, Android is little better than a sieve.

Slayer_

Their stupidity created those vulnerabilities after all :)

Gisabun

Facebook apps have the same issue but at least you could deny them there. They also tend to want your birthday [why?] and other personal information. Sounds like the beginnings of ID theft

PreachJohn

Some Blogger should make like they're installing various popular Android Apps. Fodder for a blockbuster article perhaps. Click the More button too. You may be astounded at the 'take over your phone completely' trade offs required to install many apps. You may be astounded; I blanch and cringe at the privacy trade offs required to install most/many apps. It's time that the Lid is blown off the endemic 'take over your phone/computer' mentality of entitlement that is so rife as standard practice in the cyber world.

mmurray49

You go from Apple Marketing --> lazy and stupid people --> intelligent life in the universe --> mankind's stupidity --> a doomed universe? Because of a consumer smart phone? Really? Really dude?

Slayer_

Our galaxy is just a speck among other galaxies, that together make up a single cell in a giant organism.

Slayer_

So you don't need a more sophisticated attack vector.

aidemzo_adanac

I figured instead of hammering on someone for saying something illogical and horrendously stupid, I'd take a more neutral stance for a change. I freaking HATE my iToy though. It's FOR work and paid for BY work but I still use my own Berry most of the time for work as it is so much more capable for my business needs. I use my company iToy at the track still, for looking up race stats and placing bets from my seat at the bar when too lazy to go to the automated betting machines. Why get up when there's no need? Beyond that, iPhones are a laugh, to think so many companies use them as "business tools" now, is just sad! It actually shows that, as mentioned in another post, there is a need and a reason why IT staff are not the best for business decisions.

aidemzo_adanac

Don't mention it! :) Votes, about as important as endorsements on LinkedIn or friends on Facebook. I know a total shut in, no social skills at all, terminally ill, just in a horrific state of life. Has over 15K facebook 'friends' and never had more than two REAL LIFE friends in her life. I can see that sign on the fridge each morning, "have you checked your votes yet?" Yeah, like I really give a rat's arse what other people think! Priceless......oooops, I bet that'll hurt my votes. It's just like when some total knob comes up and says, "you aren't my friend anymore!" Ouch, it hurts, cuts like a knife! Riiiight.

Slayer_

Check mine, I am 90% trolling now :p

mmurray49

I'm very successful - on multiple fronts... Check your votes (before you add/remove some) then check mine. Yours - now mine - repeat... Just sayin man - some of your rants may actually have a reverse effect on your legitimacy... Stop, consider and accept the fact that MULTITUDES are VERY HAPPY with their iPhones - even in the enterprise. If not, THAT's scary...

aidemzo_adanac

For techs to think in anything but a limited, linear thought process is a bit of a stretch. For me, it's what leads to success.

Slayer_

Actually I just can't remember names.

aidemzo_adanac

or are you just kidding. Rob Halford, Judas Priest, Two, Fight, Halford....yeah you are yanking my chain. \m/ \m/

aidemzo_adanac

Great album, Resurrection, he killed himself on that tour though.

Slayer_

It's either that, or resurrection.

aidemzo_adanac

A single atom, in a single molecule, in a single cell, on a fingerprint of a massive being (massive to us anyway). Now reverse it, perhaps what WE see as atoms are actually tiny little solar systems all over our bodies, each filled with billions of little people all wondering if God exists, while carrying on with their mundane lives. How do we know?

Slayer_

But if we are a single cell in a giant organism, what could it be? A giant blob? Maybe it's recursive, we make up ourselves, and the big life form is a human, that also exists in a universe that is just a cell in a giant organism, that is also a human, recursively, forever.

aidemzo_adanac

I've thought of that one too. REALLY hard core drugs back then but hey, that's what gets you thinking. I have always seen the solar system as a nucleus surrounded by electrons. Even today it makes sense though, the sun being the nucleus that harnesses the power in an atom. To think our entire universe could be a single cell on some giant boob, or a cell in some fat guy's sweaty ballsack hair. Yeah, not quite as dreamy as heaven but more realistic anyway.

Slayer_

My brain isn't working anymore, sorry.

aidemzo_adanac

Was it like a school slaughter or something? Where was it, I didn't catch it on the news. Was it raining blood from a lacerated sky? You are a strong man, I'd probably take a few days off if my friends died recently. (I know, I'm such a knob!)

Slayer_

He's actually a fairly typical iPhone customer, just accepts the defaults. It's odd too because he thinks of himself as an IT guy. His regret really set in when he saw me playing emulated games.

mmurray49

Vulpinemac - these guys are so vocal because they KNOW their gear SUCKS in comparison. Pretty obvious..

Vulpinemac

Because over the course now of three different iPhone models, I've never run into any of those issues. I use Safari, Messages (once known as iChat), the default mail app, along with a lot of other apps (most not intended to 'replace' the default apps.) I haven't had a bit of trouble with any of them. The more you tinker, the more you create your own problems. As a repair tech friend of mine once put it, "If it ain't broke, don't fix it!"

Slayer_

We have a lot of iPhones dying here at work. My friends died recently. He had it plugged into his computer. When he plugged in an external hard drive, the phone started rebooting over and over endlessly. Had to be replaced. So what killed it? He was starting to hate it anyways, SMS wasn't working properly, email wasn't working properly, web browser kept crashing. But he still foolishly bought an iPhone 5 to replace it. He's like an addict, he even knows it was a mistake and regrets it, he knew it was a mistake before he bought it. My folks and I are still using our old BlackBerry Pearls. It's time to replace them but they had a good run. Especially my mother's, which has been dunked in the river, and twice through the washing machine. All that's broken is the scroll wheel doesn't want to scroll down anymore, you have to really spin it to get it to move. Mine is still perfect, but it's never gone for a swim. Both are still on the original battery, battery life has gone from 1 week when it was new, to about 4 days.

Vulpinemac

Sorry, Apple users are far more intelligent than that. They're the ones who simply want their devices to work without having to constantly fiddle with them. Until the Galaxy S series, you couldn't really say that for Android devices and quite honestly I wouldn't go out of my way to buy even a Galaxy S device; Apple's products have proven their reliability to me while so far no other brand has come close among all the people I know who have used Android and Blackberry.

PreachJohn

I devoured the 5 urls and Replies. Sometimes I find the Reply content to be as informative as the original article, occasionally a treasure secured. Only at the end of the 124 replies to http://www.techrepublic.com/blog/security/androids-permission-system-does-it-really-work/6322 did I find point blank discussion of the specific project/article for someone I'm suggesting. Someone needs to publish/expose the permissions required by a number of commonly, popularly downloaded apps. It's astounding. Why do they conceivably need some of them? It's a scandal! On my rooted Google Nexus 4, Avast has Privacy Advisor that lists Apps and what they can access. This feature does the indexing for you.
