Android Trojan Points Out Mobile Security's Trust Problem

Malware that records your phone calls sounds bad, but there's a bigger problem.
InformationWeek Now--What's Hot Right Now
An Android Trojan that security researchers brought to light this week--a piece of malware with the potential to record your phone calls--made some waves on the creepiness scale, though it hasn't been spotted in the wild. This story brings up an unpleasant truth about today's mobile device security: It's sometimes still too hard for smartphone owners to know who to trust.

This Trojan would travel with an app from an untrustworthy source and ask for some unusually generous permissions from you. If you don't download the app and give the permissions, your phone does not get the malware. But how do you know whose apps to trust? Could you be fooled, as hackers get craftier? Apps marketplaces don't yet have foolproof controls to keep malware creators out.'s Robert Strohmeyer has 5 good pieces of advice on how to fight mobile malware.

You might want to send this article to anyone in your family for whom you are the unofficial IT person. (You do realize you're on the hook for smartphone support now, right? It's enough to make you nostalgic for the days of "Is the printer unplugged by any chance?") Family members confused by security pop-up messages on PCs will be confused by smartphone app marketplaces with unsavory apps that look genuine. Mark my words.

So will some users of company-owned smartphones. It's no mistake that mobile security and mobile device management continue to dominate IT worries about of the consumerization of IT. MobileIron today unveiled Connected Cloud, a new hosted version of their mobile device management tools for enterprises, as's Fritz Nelson reports. Tools like this give IT teams remote control power, access control and a unified view of company devices-not new concepts, of course, but could using a hosted version save you IT staff resources and/or money? Check out what Nelson has to say on one missing element in MobileIron's service.

Federal government agencies have just as urgent a need to secure mobile devices. NIST, the agency that creates standards for the federal government's use of technology, is now testing iPhones and iPads to identify the best ways to secure them for government workers and military personnel, reports's Liz Montalbano. Next time you want to put your enterprise mobile worries in perspective, consider this: The Defense Information Systems Agency (DISA) recently put out a request for information seeking advice on how to centrally manage up to 1 million devices, Montalbano reports.

Mobile device makers of several kinds would be wise to learn some security lessons from the Google Chromebook, especially related to hardening the operating system code, notes's Kurt Marko. Even if the gadget itself isn't a popular smash, it's worth studying for this reason, Marko says.

And on a related security note, stay tuned to and Dark Reading for more information on the "Shady Rat" attacks, a five-year cyber-espionage campaign that has hit national governments, global companies, nonprofits, and others, according to McAfee. We'll also keep you up to date on the most interesting news from BlackHat, as the security confab convenes Wednesday in Las Vegas.

Laurianne McLaughlin is editor-in-chief for Follow her on Twitter at @lmclaughlin.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing