There is a new generation of Android malware, and its authors are becoming increasingly sophisticated at social engineering. According to security companies, there is a trend among malware makers toward using modified copies of real apps to deliver a malicious payload.
There are about 20,000 malicious Android apps in circulation, says Trend Micro, and about 13 million phones worldwide have been infected, says Chinese security firm NetQin. Many of these involve remotely controlling smartphones into sending premium text messages, as well as spamming the phones’ inboxes with junk messages.
Real apps with real payloads
The inherent problem here, of course, is Android’s openness, which comes with both benefits and disadvantages. Because Google Play — and other app repositories — are not as strict in app approval as other platforms like, say, Apple, malicious applications can get through. Google removes apps that are found to contain malicious payloads, but by then the damage may already have been done.
End-users may be lulled into a false sense of security in downloading only legitimate apps. However, downloading the same legitimate apps from dubious sources might come with some problems. Case in point: OpFake, which was found to have been embedded in a legitimate copy of Opera Mini.
The malware author will not just mimic the mobile browser, but will actually install the real deal — but not before sending an SMS to a premium number. Do keep in mind that the Opera Mini app available from Google Play is just the installer, and it downloads the actual app from Opera after install. This makes it easy for hackers to spoof the installer app, but download the real thing.
Android malware will usually come with payloads that do any of the following: call a premium number, send premium SMS, flood the phone with spam, or offer remote control access to hackers, thereby turning the phone into a bot for sending spam.
How to protect yourself against malware
Your Android smartphone and tablet already offer some defense against malware, but only if you’re vigilant enough to use it. This comes down to the user permissions that you approve when installing an app.
For instance, the OpFake malware bundled into a real Opera Mini copy seeks permissions different from the legitimate Opera Mini, which should already raise suspicions from anyone familiar with what permissions a browser should require.
The legitimate Opera Mini would only require the following:
- Network communication
- Your personal information
However, the OpFake version would also require the following:
- Your messages
- Services that cost you money
In a Fast Company article, Neal Ungerleider says the fact that an app seeks permissions for “phone calls,” “messages” and “services that cost you money” should already raise suspicions of a potential threat. Does a mobile web browser really need to initiate SMS messages and access services that result in carrier charges?
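The permission comparison described above can be automated before an APK is installed or published. The following is an added example, not code from the article or from Opera: it parses the `<uses-permission>` entries of an AndroidManifest.xml, compares them with an assumed baseline for a browser-style app, and flags anything in the “messages” or “services that cost you money” groups. The baseline, the group-to-permission mapping and the two sample manifests are all constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Install-screen groups named on this page, mapped to permission names (assumed mapping).
COSTLY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
MESSAGES = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.WRITE_SMS"}

# Baseline for a browser-style app (assumption; tune per app type).
BROWSER_BASELINE = {
    "android.permission.INTERNET",            # "Network communication"
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",       # "Your personal information"
}

def manifest_permissions(manifest_xml: str) -> set:
    """Return the <uses-permission> names declared in an AndroidManifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review(manifest_xml: str, baseline=BROWSER_BASELINE) -> dict:
    """Flag permissions outside the baseline, especially SMS/call ones."""
    extra = manifest_permissions(manifest_xml) - baseline
    return {
        "unexpected": sorted(extra),
        "costly": sorted(extra & COSTLY),
        "messages": sorted(extra & MESSAGES),
        "suspicious": bool(extra & (COSTLY | MESSAGES)),
    }

# Constructed sample manifests (not the real Opera Mini or OpFake files).
LEGIT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

TROJANIZED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("legitimate", LEGIT), ("repackaged", TROJANIZED)):
        print(label, review(xml))
```

The same check works on a real APK by feeding it the decoded manifest (for example, the output of `apktool` or `aapt dump xmltree`) instead of the embedded samples.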
Going beyond malware, even poorly-coded applications can severely affect a smartphone’s functionality. A study conducted by Stanford University researchers has determined that poorly-designed mobile websites and mobile apps drain smartphone and tablet batteries at an accelerated rate. Even free applications that display ads are more likely to drain your Android device’s battery than a paid one without ads, as determined by Purdue research.
Even the best of us get hit by malicious software at least once in our computing lives. I must admit that even with vigilance, my notebook computer got hit by a hard-to-remove rootkit a couple of years back. That particular attack caused two weeks in lost productivity as I hunted for a way to remove it without reformatting.
Android smartphones should be easier to fix, with a quick factory reset and a re-sync of user data from Google account backups. But the headache and heartache over the unexpected charges from premium SMS messages and calls already sent should be bad enough for any Android user.
The key here is vigilance. A quick glance at the app permissions before tapping “accept & download” may spell the difference between a safe system and an infected one.