Last month a form of malware called BadNews was downloaded several million times from the Google Play store. This malware impersonated an ad network and leaked personal information from affected phones to a designated offshore server. It also prompted users to install a Trojan application (AlphaSMS) which produces expensive text charges. All in all, it wasn't pretty.
According to an article on arstechnica.com, Google examines all apps uploaded to Play (they use a cloud service called Bouncer to verify new apps against known malware signatures and test them for malware-like behavior). In this instance the BadNews-related apps were clean upon upload. The designers introduced the malware components to these programs several weeks later. I'm sure these tactics will evolve, as they always do, but fortunately there are a few principles you can rely on to avoid malware infections from Google Play (or elsewhere).
A changing perspective
Reports of malware on cell phones are nothing new; I first heard rumors about the topic as far back as 2005 (malware that impacted Symbian phones via Bluetooth connections). I didn't take the threat seriously then, since it seemed an abstract concept not likely to impact any of the users I supported. Furthermore, I had to wonder if the subject wasn't being "ginned up" by overzealous security software companies looking to augment their income.
Several years later, it's long past time to recognize cell phone malware as a valid and substantial threat, especially given the improved features on these devices such as web browsers and Wi-Fi capability. Those same features can lead to greater vulnerabilities. Statistics indicate there were more than 65,000 Android malware variants found last year and that almost 33 million of these devices were impacted, more than twice the number affected in 2011. Compounding the issue is the fact that antivirus software, which has so long been a staple on Windows desktops, is rarely found or even considered on Android devices.
What can we do about it?
The Google Play help file doesn't mention malware, but the issue is really broader than just being wary about apps from Google Play. Security is a concept that transcends any one site, device, or operating system. Some tried and true techniques come into play here (no pun intended), but it's important to reiterate that the game is always changing so the rules will evolve as well.
For instance, years ago I advised my users to only open email attachments from people they knew. This was sound advice at the time, but then virus designers began spoofing the email addresses of these "trusted senders" (usually after these so-called trustworthy people got a virus which then emailed itself out using their address book) to add legitimacy to their malware-laden emails. My formerly-useful advice then became detrimental to security.
In similar fashion, one common security tip is to "only download applications from trusted sources." Normally, that's a good idea, but in this case Google Play WAS a trusted source. You don't want to get caught up in the notion that one site is 100% safe so you can trust anything they have to offer. The "safe site" concept does still apply to some degree - obviously, you can trust Google Play more than some weird foreign site exhorting you to install their free money-making app - but there are no absolutes.
With that in mind, present day Android security tips include the following concepts:
- Install the latest updates for your Android. These will include better security options and patch as many vulnerabilities as possible.
- For Android 4.1.2 and above, go to the Settings menu, examine the Security section and make sure that "Unknown sources" ("Allow installation of apps from unknown sources") is unchecked. This will prevent the piggybacking of apps which can surreptitiously install as you're browsing the web.
- Avoid suspicious apps - a no-brainer, but it should be noted that the easy installation/removal of Android programs makes it more likely for some users to try a broader variety of programs than they may on a desktop PC or laptop, where installations and removals can be more cumbersome.
- Before installing anything, Google search the app/read reviews to see if it's on the level.
- If you're a system administrator, provide a list of recommended apps for users. This can be useful in a business with remote or traveling workers who have specific mobile device needs you can help address with known good programs. This list could be kept on a company website with links users could access directly. It will also be easier to support these users if they're all running standard apps (c'mon, we all know that the BYOD movement didn't free the IT department from supporting user mobile apps!)
- Review all permissions requested by an app upon installation to determine whether it requires too much access (e.g. requesting to work with your contacts).
- Be careful of links you click in email or the web browser, and always scrutinize any "I agree" screens or boxes to see if there are hidden details. No, you may not find a "Ha Ha, this is malware!" admission in tiny font, but poor grammar or incoherent terminology could be a sign of something sneaky.
- Keep your device locked with a password so only you can control it.
- Don't save passwords in Android. I know it's convenient to do so, but a malicious program can capitalize upon that with grave results.
- Be on the alert for anything strange your phone might be doing, even if it is just consuming excess battery power. You can review data usage as well (steps vary depending on your Android version) to see if you've been using more bandwidth than usual.
- Install an anti-malware product for Android. There are several versions on the market, such as:
- For extra protection, make sure your security app can also warn you when navigating to unsafe websites.
- In a corporate environment it might be worth checking out a product which can offer centralized Android device management. Products by MaaS360, Boxtone and Citrix are available.
- Keep up to date on the latest Android threats, through security and device newsletters. Where applicable, educate your users with the same details. If you're interested in Android OS security, here is a good article which discusses the matter.
- Be wary if you've rooted your phone; your admin access levels may differ from those of the standard OS and thus you may be more susceptible to malware as a result (though you would still have to approve access for it to run).
- Always be prepared to wipe and reinstall your Android. If you've implemented a good backup solution this should be simple. Never keep critical data on your device which isn't also synchronized elsewhere for safekeeping.
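The permission review from the list above, as an added example that is not part of the original article: it reads a permission listing in the style printed by `aapt dump permissions` and reports the permissions tied to the risks described here (paid text messages, contacts and device details leaving the phone). The sample listings, package names, the `justified` parameter and the choice of flagged permissions are assumptions constructed for illustration.

```python
import re

# Matches both listing styles: "uses-permission: X" and "uses-permission: name='X'".
PERM_RE = re.compile(r"^[ \t]*uses-permission:\s*(?:name=')?([\w.]+)'?", re.M)

INTERNET = "android.permission.INTERNET"
# Flagged permissions and notes are this example's choice, not an official list.
RISKY = {
    "android.permission.SEND_SMS": "can send text messages that cost money",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.READ_PHONE_STATE": "can read phone number and device ID",
}
# Permissions that expose personal data (as opposed to spending money).
DATA = {p for p in RISKY if "READ_" in p}

def parse_permissions(listing):
    """Return the set of permission names found in a permission listing."""
    return set(PERM_RE.findall(listing))

def review(listing, justified=()):
    """Return (short_name, note) for each risky permission not in `justified`.

    `justified` holds permissions an administrator has accepted for this app,
    e.g. SEND_SMS for a recommended messaging client.
    """
    perms = parse_permissions(listing)
    findings = []
    for perm in sorted(perms.intersection(RISKY)):
        if perm in justified:
            continue
        note = RISKY[perm]
        if perm in DATA and INTERNET in perms:
            note += "; app has network access, so this data can leave the phone"
        findings.append((perm.rsplit(".", 1)[-1], note))
    return findings

# Constructed sample listings (not taken from any real app).
SAMPLE_FLASHLIGHT = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
"""
SAMPLE_NOTES = "package: com.example.notes\nuses-permission: android.permission.INTERNET\n"

if __name__ == "__main__":
    for name, note in review(SAMPLE_FLASHLIGHT):
        print(f"{name}: {note}")
```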
I hope you find these tips useful and that they help keep your enterprise secure. Just remember, however, that malware designers live by the maxim that when a door closes a window opens somewhere else. When it comes to protecting your environment make sure you don't just watch the doors but also keep an eye on the windows, skylights, ventilator shafts, emergency exits, and laundry carts as well!
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.