Android’s openness is also its weakness when it comes to malware. But some simple user education can reduce the risk, says KPMG security expert Malcolm Marshall.
The massive adoption of smartphones and tablets in 2011 was underlined by the Christmas period sales figures. According to mobile analytics firm Flurry, close to seven million new smartphones were activated globally on Christmas Day.
In the final week of 2011, weekly app downloads passed the billion mark for the first time. In 2012 that level is expected to become commonplace.
Such a large market is immensely attractive to those looking to profit illegally from the boom. Using apps to deliver malicious payloads is not new but there has been a marked increase in the number of bad apps detected over the past two years.
Attacks targeting Android-based devices grew sharply during 2011. Some forecasts for 2012 predict an increase in bad applications of a staggering 6,000 per cent. These include a mix of malicious applications as well as apps that breach users’ privacy.
In December a number of media outlets reported that several fake versions of popular applications were removed from Android Market. A similar attack was detected in the first week of January, again affecting Android Market.
In both cases the apps impersonated popular games to trick users into sending text messages to premium rate numbers. This approach is an evolution of premium rate scams that have existed for a long time.
These attacks will evolve into other areas, including the theft of private information and credentials, and identity fraud built on that stolen data. It would not be surprising to see attacks targeted at enterprises via mobile platforms.
Most malicious applications have been identified on Android platforms. That fact is an unfortunate consequence of the operating system’s great feature: openness. It is straightforward for publishers to launch a new application, and this convenience is heavily exploited to target mobile users.
Identification of malicious applications relies primarily on the user community reporting their findings. In contrast, the vetting process on the Apple App Store before publishing an application can take up to several weeks.
While this added diligence provides some level of assurance, it is not foolproof. Various incidents have shown that applications can get through that contain malicious or undesired functionality.
When I discussed this topic with Stephen Murdoch from the Security Group at the University of Cambridge, he said Apple iOS’s closed model has the added benefit of ensuring adequate patch and upgrade distribution across all users. However, old versions of the Android platform may lose support from vendors and end up essentially abandoned with no patch release support.
The possible consequence is that orphaned Android devices could remain exposed to known vulnerabilities with no possibility of a fix being deployed. At the same time, the App Store could be seen as more trustworthy in a corporate environment.
But stores and end users are both key to ensuring mobile security. So far, most attacks we have seen are based on using social engineering to trick users into downloading something they wouldn’t normally want.
Murdoch gives some advice on steps that we can all take to avoid falling victim to bad apps:
- If it looks too good to be true, it probably is
If a well-known application that is normally sold appears for free or with a much lower price, be suspicious.
- Check the publisher’s information
Are applications with the same name being advertised by different publishers? One of them is probably a fake.
- Reputation is everything
Is the app supposed to be very popular? If so, there should be plenty of user feedback and ratings.
I would add that using appropriate mobile antivirus software, as on any PC, is an increasingly important measure.
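The three checks above can also be applied in bulk to a store catalogue rather than one listing at a time. The script below is an added example written for this page; it is not code from the article, from KPMG or from Murdoch. The app names, publishers and counts are constructed for illustration, and two thresholds are assumptions: the listing with the most ratings for a given name is presumed to be the established one, and a same-named listing with under 1 per cent of its ratings is treated as lacking the feedback a popular app should have.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    """One app-store listing as a shopper would see it."""
    name: str
    publisher: str
    price: float   # in the store's currency; 0.0 means free
    ratings: int   # number of user ratings left on the listing


# Constructed sample catalogue: fictional apps and publishers, not real store data.
SAMPLE_CATALOGUE = [
    Listing("Furious Fowl", "Nestworks Ltd.", 0.0, 1_300_000),
    Listing("Furious Fowl", "FowlGames2012", 0.0, 9),
    Listing("Rope Runner", "Knotlab", 0.99, 420_000),
    Listing("Rope Runner", "TopApps4U", 0.0, 4),
    Listing("Pocket Notes", "Small Dev", 0.0, 11),
]


def group_by_name(listings):
    """Map app name -> all listings carrying that name."""
    groups = defaultdict(list)
    for item in listings:
        groups[item.name].append(item)
    return groups


def screen(listings, few_ratings_fraction=0.01):
    """Apply the three checks to every listing in a catalogue.

    Returns {(name, publisher): [reasons]} for listings that trip at least
    one check. For each name, the listing with the most ratings is presumed
    to be the established one (an assumption; a well-funded fake could buy
    ratings, so this is a screen, not proof).
    """
    flagged = defaultdict(list)
    for name, group in group_by_name(listings).items():
        reference = max(group, key=lambda item: item.ratings)
        publishers = {item.publisher for item in group}
        for item in group:
            if item is reference:
                continue
            key = (item.name, item.publisher)
            # Check 2: same name, different publisher.
            if len(publishers) > 1:
                flagged[key].append(
                    f"'{name}' is also published by {reference.publisher}")
            # Check 1: cheaper than the established listing.
            if item.price < reference.price:
                flagged[key].append(
                    f"offered at {item.price:.2f} while {reference.publisher} "
                    f"charges {reference.price:.2f}")
            # Check 3: carries a popular name but has almost no feedback.
            if item.ratings < reference.ratings * few_ratings_fraction:
                flagged[key].append(
                    f"only {item.ratings} ratings against {reference.ratings} "
                    f"for the established listing")
    return dict(flagged)


if __name__ == "__main__":
    for key, reasons in screen(SAMPLE_CATALOGUE).items():
        print(f"{key[0]!r} by {key[1]}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed catalogue, the two look-alike listings are flagged and the three genuine ones are not. A real store would supply the catalogue from its own metadata; the value of the script is that it turns a per-app shopper checklist into something a store or an enterprise app-whitelisting team can run across thousands of listings at once.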
As app stores tighten their vetting procedures, attackers are likely to shift from social engineering towards exploiting existing vulnerabilities on the device itself. Unless the right steps are taken by everyone involved, 2012 will see an increase not only in the number of bad apps but also in their impact.
Malcolm Marshall is head of information protection and business resilience at services firm KPMG.