August 2, 2011
Android Trojan App Seeks Full Access
A new Trojan horse app has emerged to target Android devices, and this one's particularly creepy. The app records a user's phone calls and then uploads them to a remote server. The app was revealed Tuesday by security researcher Dinesh Venkatesan on the Security Advisor Research Blog, published by CA Technologies, now known as Total Defense. While this particular Trojan doesn't appear to be a threat in the wild--at least not for North American users--it's a good reminder of the growing threat of mobile malware.
New smartphone malware emerges on a weekly--sometimes daily--basis of late, though most users have yet to take the threat as seriously as PC-based malware. But according to Robert Vamosi, senior analyst at device security company Mocana and author of When Gadgets Betray Us, we should be increasingly concerned about the threat of mobile malware.
"There are more mobile devices today than there were PCs connected to the Internet in 1996," Vamosi said in an interview. "Cybercriminals are realizing that, unlike PCs, mobile devices aren't very well secured."
In addition to outright malware, there are other ways that mobile devices can put your secure information at risk. "Smartphone users should indeed have a certain level of concern, or at least a security conscious mindset, when it comes to mobile malware," according to Jeffrey Wilhelm, senior analyst at Symantec Security Response. "That said, there are still other threats facing mobile device users that are a bigger concern than mobile malware, namely the loss or theft of a device."
Just like a malware-infected phone, an unsecured device can be a serious liability if it's lost or stolen. A thief or ill-intentioned finder can access personal contacts, email, and--quite often--social networking accounts and even online banking resources.
Fortunately, there are some simple steps anyone can take to protect their phones and tablets from the growing threat of malware and the persistent threat of unsecured devices. Here are five easy steps you should take to secure your own devices, and share with the mobile users you know.
1. Lock Your Phone
This should seem like a pretty obvious tip, but clearly most people need a good reminder, since the majority of smartphone users don't lock their phones at all. Putting a simple passcode on your phone is the first step--and could be the only step required--in protecting a device when it goes missing. But if a ne'er-do-well gets his hands on a phone with no passcode, as Symantec's Wilhelm pointed out, that's as good as an invitation to identity theft.
2. Use Only Well-Known App Markets
The most significant security factor that should give Android users pause, said Vamosi of Mocana, is that "Android users can download apps from third-party sites not Google whereas iPhone users can only download from the App Store." So it's especially important to download apps from sources that are known for good security.
Wilhelm concurs. "Only use app marketplaces hosted by well-known, legitimate vendors for downloading and installing apps," Wilhelm said.
Google's own Android Market certainly qualifies as a well-known source of apps, of course, but it's by no means a guarantee of any given app's safety. Amazon's Appstore for Android purports to vet apps for security. Wilhelm suggests adjusting your Android device's settings to block app downloads from sources other than the Android Market.
3. Scrutinize Every App Download
Regardless of whether an app is free or paid, any given download is a potential threat to your phone's security. Take the time to scrutinize each app's market listing carefully before downloading it to your device.
"Pay attention to the name of the app creator," said Wilhelm. "An app that purports to be the legitimate version, but has a different author listed should be a definite red flag." An example of this appeared in the Android Market last year, when an author unaffiliated with any bank released apps for Wells Fargo and Bank of America. Those apps are no longer available in the Android Market, but showed up in searches for several months before Google took them down.
Vamosi and Wilhelm both recommend checking an app's ratings for good measure. "A bad guy can still game this," Vamosi said, "but if the app has been available for six months and has recent, positive comments, then it's probably safe."
Additionally, take a good look at the permissions the app asks for, and cancel the download if the app wants access to phone resources that seem disproportionate to its function.
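The permission check described above can be automated for anyone reviewing many apps. The following is an added example, not part of the original article: it assumes the app's AndroidManifest.xml has already been decoded to text XML, and the per-category baseline, the flagged combination, and the sample manifest are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed baseline: what a reviewer treats as proportionate for each app category.
EXPECTED = {
    "flashlight": {P + "CAMERA"},
    "voice_recorder": {P + "RECORD_AUDIO", P + "WRITE_EXTERNAL_STORAGE"},
}

# Combination that matches the behaviour the article describes:
# record audio while watching call state, then reach a remote server.
CALL_CAPTURE = {P + "RECORD_AUDIO", P + "READ_PHONE_STATE"}
NETWORK = P + "INTERNET"


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def review(manifest_xml, category):
    """Flag permissions outside the category baseline and the capture-plus-upload combo.

    An unknown category has an empty baseline, so every permission is reported.
    """
    perms = requested_permissions(manifest_xml)
    return {
        "unexpected": sorted(perms - EXPECTED.get(category, set())),
        "call_recording_and_upload": CALL_CAPTURE <= perms and NETWORK in perms,
    }


# Constructed sample: a "flashlight" app asking for far more than a camera LED.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST, "flashlight"))
```

A flagged result is a prompt for closer review of the listing and its author, not proof that the app is malicious.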
4. Beware Strange Texts and Emails
As smartphones become increasingly PC-like, the range of potential threats grows beyond basic malware dangers. Smartphone users should be just as cautious of phishing scams as PC users, and resist opening any links from unknown or dubious sources.
"Just like emails, attackers can use text messages to spread malware, phishing scams and other threats among mobile device users," said Wilhelm. "So, the same caution users have become accustomed to applying to suspicious emails should be applied to opening unsolicited text messages, too."
5. Use Mobile Security Software
As the threat from mobile malware has grown, so has the number of good security offerings in the marketplace. Use one. There are several comprehensive device security apps in the Android Market that can help detect and protect against mobile malware, and it's increasingly wise to use one, according to Vamosi.
Because they involve a large number of mobile devices and users, businesses should be particularly vigilant on this front, according to Jeffrey Wilhelm. "Enterprises should consider implementing a mobile management solution to ensure all devices that connect to their networks are policy compliant and free of malware."