
How to prevent phishing attacks on Android

If you're concerned about phishing attacks on your Android device, Jack Wallen shares a hands-on solution that can keep you safe.

Phishing Detective

Let's face it, the attacks keep coming. No matter what platform you enjoy, you'll find yourself at a crossroads, asking "Is this software safe?" and "Should I tap on this URL?" Although many users have grown accustomed to the idea that software can have malicious intent, many don't quite understand that URLs can do the same thing.

It's called phishing. According to Wikipedia, the "official" definition of phishing is:

"...the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication."

Sometimes, it's not easy to know if the URL you are about to tap on is trustworthy or not. Considering that there are over 26,000 active phishing sites, that can be rather daunting. Fortunately, there are apps like Phishing Detective available to help you out.

Phishing Detective is a simple solution that helps you know if a URL is safe to view. What this app does not do (although it says it can) is automatically check a link after you've tapped it (and prevent it from opening should it be a phishing site). Instead, you have to use it as a manual URL checker. Yes, this is a bit of a hassle, but an ounce of prevention...

Right?

Remember this one thing — you are just as responsible for your mobile security as is the software you use to work day in and day out. So, taking control of protecting yourself against phishing attacks is important.

With that said, let me show you how to use Phishing Detective (in the only way that it can actually help you).

Installation

The installation is simple. Just follow these steps:

  1. Open the Google Play Store on your Android device
  2. Search for Phishing Detective
  3. Locate and tap the entry for Phishing Detective Free by DoubleR Software
  4. Tap Install
  5. Read the permissions listing
  6. If the permissions listing is acceptable, tap Accept
  7. Allow the installation to complete

Once the installation is finished, you should find the Phishing Detective launcher on your home screen or in your app drawer (or both). Tap that launcher to fire up the application (you'll have to accept the EULA).

Usage

Now, we get into the heart of what is both wrong and right about this app. First and foremost, the app should intercept any link tapped (from within any app) and check it against the database of known phishing sites. However, it does not do this (even though it says that, if you unset the default browser, the app will check the link). So, instead, let's learn how to manually check if a link is a phishing site or not.

From within whatever app you are tapping links (let's say Gmail), long-press the link and select Copy link URL (Figure A).

Figure A

Copying a URL from within Gmail.

Once the link is copied (you'll see a notice), open up Phishing Detective. In the main window (Figure B), long-press the search area (where it says "name to search") and tap Paste (when it pops up).

Figure B

Pasting a URL into Phishing Detective.

Tap the Search button and the link URL will be compared against the database. If the app comes up with a hit, the results will be reported (Figure C).

Figure C

A match is found.

Now, here's another caveat to using this app. If you notice in the previous image, I searched for the URL jacksonsaccounts.com.au, which has two listings in the phishing database (WARNING: DO NOT NAVIGATE TO THE FOLLOWING URLs — THEY ARE PHISHING SITES):

  • http://www.jacksonsaccounts.com.au/udef/s.emsgs/p....
  • http://www.jacksonsaccounts.com/au/udef/s.emsgs/p....

If you enter either of those addresses with the leading http://www., you'll get the message "Error connecting to server." If you remove the http://www., you'll see the listings. What this means is that the app stumbles if it sees http://www. in the address. So, when you copy a link URL, you have to make sure to remove the offending section of the address.
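The clean-up described above can be done by parsing the link rather than trimming it by hand. The following is an added example, not Phishing Detective's code: the blocklist entries and the function names lookup_key and is_listed are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample blocklist: hypothetical hosts, not real phishing data.
BLOCKLIST = {"accounts-login.example", "secure-pay.example.net"}

_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")


def lookup_key(copied: str) -> str:
    """Reduce a copied link to the bare, lower-case host used for lookup."""
    text = copied.strip()
    if not _SCHEME.match(text):
        text = "//" + text  # scheme-less input: make urlsplit see a host
    try:
        # .hostname drops userinfo ("user@") and port, and lower-cases.
        host = urlsplit(text).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""
    host = host.rstrip(".")
    # Drop the "www." label that the article reports breaks the search.
    return host[4:] if host.startswith("www.") else host


def is_listed(copied: str, blocklist=BLOCKLIST) -> bool:
    """True if the link's host, or a parent domain of it, is on the list."""
    labels = lookup_key(copied).split(".")
    # Check the host, then each parent, stopping before the top-level label.
    return any(".".join(labels[i:]) in blocklist
               for i in range(len(labels) - 1))


if __name__ == "__main__":
    for link in ("http://www.accounts-login.example/some/page",
                 "login.secure-pay.example.net/?next=http://x.example",
                 "https://accounts-login.example@harmless.example/"):
        print(f"{lookup_key(link):32} listed={is_listed(link)}")
```

The last sample link shows why parsing beats string trimming: the text before the @ is login information, not the host, so the link points at harmless.example and is correctly reported as not listed.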

At this point, you're probably wondering "What good is this app?" Believe it or not, even with its faults, the app is useful. With it, you have a database of over 26,000 known phishing sites to compare against. And if you're really serious about security, you might be willing to overlook Phishing Detective's flaws. If not, you can always turn to more invasive (and battery-draining) tools like ESET's Mobile Security and Antivirus.

I would challenge Phishing Detective to up their game a bit and address the flaws in their application. Should they pull that off, this app will be a stellar addition to anyone's mobile device (whether you prefer a hands-on or hands-off approach).

How do you protect your device from phishing threats? Share your experience in the discussion thread below.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
