The increasing pervasiveness of mobile devices means that they are being actively targeted by cyber criminals and malware writers. Security companies are seeing lots of activity in this area, and Android is firmly fixed as the largest target of malware peddlers. The result is that Android phones are vulnerable to attack, but nevertheless, there are things you can do to protect yourself. Most Android vulnerabilities can be managed and attacks avoided.
Here is a list of three ways your Android phone is vulnerable and what you can do about it.
Text messages are ubiquitous and have a high read rate among users. They also have a high trust factor, with users willing to follow links provided in the text. As a result, hackers can trick mobile users into clicking a link, which in turn installs malware onto the Android phone.
At a recent conference, a security company called Crowdstrike demonstrated a weakness in WebKit (the HTML rendering engine used on Android) that allows attackers to take full control of Android 2.2 phones. As part of the demonstration, a text message was sent to users inviting them to follow a link (with an appropriate bait). Once clicked, the phone was infected with malware.
Action: Don’t follow links in text messages, unless you are sure about their authenticity. This also applies to emails and QR codes.
The majority of users download apps for their Android phones from an “app store.” The most popular are Google Play and the Amazon Appstore, however there are many alternatives. The problem with app stores is that the submission process can be very lackadaisical, meaning that rogue apps that carry malware can easily get in and masquerade as valid apps.
These malicious apps do a variety of different things, but one of the most popular malware types are those that secretly send text messages to premium numbers, running up big bills for the user and raking in piles of cash for the cyber criminal. Google is starting to fix this problem with the introduction of Bouncer, a system that rejects apps from Google Play if found to be carrying malware.
Action: Use a reputable app store, read apps reviews, and take careful note of the permissions an app requires.
All software has bugs. It is a fact of life. Normally, these coding errors don’t affect us too much – the occasional reboot, an app freezes once in a while. Nothing too drastic. However, when apps have bugs which expose our phones to attack or reveal private information, things get a bit more serious. Apps like Google Wallet, Adobe Flash, and Skype have all fallen foul to software bugs which expose personal data or provide a door for hackers to install malware.
Action: Only install the apps you actually need. Having three apps which all do the same thing just increases your exposure. Don’t install every new social networking app that is published. It is also important to keep the apps up to date and install new versions as soon as they become available.
Your mobile phone is an important device, guard it well. Be wary of what links you follow, use trustworthy sources to download apps, and keep those apps up to date.
What other measures do you employ to keep your precious Android phone safe?
Like this post? Share it!
Discover the latest apps and games. FREE and enjoy instantly on your Android phone or tablet.
lookout security is also a great app to download to protect your phone. downloaded it when I first got my Electrify and haven’t looked back since
The Crowdstrike demo doesn’t really belong in ‘Text Messaging’ since that was really just a transport for the URL. It should probably really be classified as “Using any app (including a browser) that downloads information from the Internet”.
Note that that is rather more expansive than “browsing unsafe sites”, since apps like K9 mail use Webkit to render email messages, and browsers may visit unsafe sites even if one is highly aware of security risks; I’m thinking here of nation states that routinely use DNS poisoning and Man-in-the-Middle attacks to redirect users within their borders to government-controlled sites, and also even mere advertising banner providers deliberately or innocently presenting exploits as banner ads to be incorporated by wholly legitimate web sites.