Those of you born after the 80’s probably didn’t get to experience the joy of Web 1.0. Compared to the high-bandwidth, streamlined mega-network of today’s Web 2.0 ecosystem, Web 1.0 was a mishmash of unoptimized, disorganized personal and unprofessional websites. Further aggravating the experience was the proliferation of malicious software that ranged from annoying AIM trojans to Sasser—a computer worm that disabled networks of all sorts, from the British Coastguard to Goldman Sachs.
Although those days are long gone thanks to advances in client and server-side network security, an analogous breeding ground for malicious activity is growing in a space that’s very close to home for about 40% of smartphone users.
That’s right, Android’s rapid growth and expansion goes hand-in-hand with the increase in malicious mobile activity. For an in-depth look at the state of mobile security on the Android platform, saunter on over to our article examining the situation here. We left off promising you guys a guide on how to defend against malicious software attacks, so with no further ado, let’s begin!
Attackers most often seek to exploit a weakness or vulnerability; by knowing where these points of entry are, we can better defend our devices from attacks. Likewise, if we study the strategies used by attackers, we can train ourselves to avoid compromising our device security. As Sun Tzu once wisely said:
Know thy enemy, know thyself. A thousand battles, a thousand victories
This guide will be divided into 3 sections:
- Threat Identification
- Enemy Strategy
- Maximizing Security
Remember, knowledge is power—prepare to get powered up!
There’s more than one way for baddies to wreak havoc on your device or gain access to your private information, so let’s take a look at some of the key threats:
Application usage has skyrocketed on the Android platform and the ability to sideload gives hackers plenty of opportunities to attack your system. Here’s what to watch out for:
- Malware refers to applications that perform malicious or otherwise unwanted/unintended behavior on a device. Malware can execute unauthorized actions such as sending unsolicited messages to contacts or adding charges to the user’s phone bill.
- Spyware, like the name suggests, is designed to collect users’ data without their knowledge. Data that gets spied on can include call history, browser history, text messages, location, contacts and pictures.
You’ve likely encountered all three of these threats on your desktop PC, especially if you were active during the Web 1.0 dark ages. Well, now that smartphones can emulate the desktop web experience, users can just as easily fall victim to these attacks:
- Phishing is the creation of illegitimate interfaces and contact forms designed to mislead the user into surrendering targeted information. This type of threat has historically been linked to unsolicited emails on the PC platform but can be equally effective on mobile devices.
- Drive-by Downloads are application downloads spawned by web pages without being initiated by the user.
- Browser Exploits are designed to take advantage of vulnerabilities in browsers and associated software (Flash player, PDF reader, image viewer, etc.) so that users unintentionally install malware on their devices.
Users will often consume data over WiFi rather than using carrier services because of enhanced speeds or bandwidth limitations, but it is important to remember that these connections, especially ones that are public/open, are extremely vulnerable to malicious activity.
- WiFi Sniffing involves intercepting data being sent over WiFi networks. This data can be compromised when security measures are absent or insufficient.
Like our home computers, our mobile devices carry our usernames and passwords. Unlike our home computers, they also store our personal data, contacts, texts, phone records and are much easier to lose or have stolen.
- Lost or stolen devices can be an especially troublesome issue, as both the device’s intrinsic value and all of its data are lost.
I have to admit, although I consider myself reasonably security-savvy, I was surprised by the innovative methods that attackers have developed to deceive users into installing malicious software. Here are some of the schemes that malevolent developers are running to con unsuspecting users:
The most common method of distributing malware, repackaging involves taking legitimate applications and modifying their contents to include the malware. The developer then takes this clone and republishes it on Android Market or a different application store.
You might ask why anyone would ever download a clone of an application that is available on Android Market, but malicious developers create an incentive by reverse engineering paid apps and subsequently releasing them for free (but packaged with malware) in 3rd party application outlets.
You know that End User License Agreement (EULA) that you see on just about every update or application for any platform? The one you carefully read line-by-line to make sure you know what you are getting yourself into? Yeah, we know that nobody actually combs through every detail, and by burying malicious provisions deep within this fine print, malicious developers are giving themselves a free pass to add unrelated functionality that may be unwanted by the user.
This method is probably the most distasteful as it revolves around gaining the user’s trust only to spit right back in their face. The malicious developers will first create a legitimate application; once there is a sufficient following, they will release an update that tacks on the malicious code. Most users will either upgrade automatically or trust the developer based on the legitimacy of the original application and fall victim to the bait and switch.
Malvertising, AKA “malicious advertisements,” refers to ads that are placed by malicious developers into legitimate applications. I’m sure you’ve noticed that many awesome free apps are supported by ads; malicious developers will take advantage of this relationship and place ads that link to repackaged apps as well as drive-by downloads.
How To Maximize your Device Security
Now that we know how our devices can be compromised, let’s take a look at what we can do to prevent these vulnerabilities from being exploited.
Theoretically you could reduce this threat to zero by not downloading any apps, but that would mean that the terrorists won—not okay. The key to being safe with applications is discretion. Make sure to do your research before downloading an application: check if there are any reputable 3rd party reviews. If you are sideloading any APKs, be smart: make sure that the source you are using is reputable (aka be careful on forums).
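A repackaged clone differs from the app it was built from, so when you do have a copy you trust, comparing the two shows exactly what was altered. The sketch below is an added example, not part of the original article; it treats an APK as the ZIP archive it is, and the sample archives, file contents and function names are constructed for illustration.

```python
import hashlib
import io
import zipfile

def entry_digests(apk_bytes):
    """Map each file inside an APK (a ZIP archive) to its SHA-256 digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {i.filename: hashlib.sha256(apk.read(i)).hexdigest()
                for i in apk.infolist() if not i.is_dir()}

def diff_apks(trusted_bytes, candidate_bytes):
    """Report entries added, removed or changed relative to the trusted copy."""
    old, new = entry_digests(trusted_bytes), entry_digests(candidate_bytes)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

def signer_files_touched(report):
    """True if any file under META-INF/ (where JAR-style signatures live) differs."""
    touched = report["added"] + report["removed"] + report["changed"]
    return any(n.startswith("META-INF/") for n in touched)

def build_sample(entries):
    """Build a constructed in-memory stand-in for an APK from a name -> bytes dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: placeholder bytes, not real app contents.
TRUSTED = build_sample({
    "AndroidManifest.xml": b"manifest",
    "classes.dex": b"app-code",
    "res/icon.png": b"icon",
    "META-INF/CERT.RSA": b"publisher-signature-block",
})
CANDIDATE = build_sample({
    "AndroidManifest.xml": b"manifest-with-extra-permissions",
    "classes.dex": b"app-code-with-extra-code",
    "res/icon.png": b"icon",
    "assets/extra.bin": b"file-not-in-trusted-copy",
    "META-INF/CERT.RSA": b"different-signature-block",
})

if __name__ == "__main__":
    report = diff_apks(TRUSTED, CANDIDATE)
    print(report, "signature files differ:", signer_files_touched(report))
```

A byte-level diff like this is only meaningful against the same version of the app, since a genuine update also changes the code and signature files; across versions, compare the signing certificate itself (for example with the Android SDK's apksigner).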
Always be wary of emails requesting usernames and passwords. Almost all services will never ask for this information via email, largely in order to prevent customers from being phished. If you aren’t sure whether or not the request is legitimate, it’s best to play it safe and call the service provider. Always make sure your browser software is up to date; if you are using a 3rd party browser, check if it’s regularly updated and maintained. Drive-by downloads are not a significant issue on the Android platform because all downloads require user approval.
Public networks are fine for streaming videos or reading the news, but you should never visit any sites requiring logins as that data can be intercepted by hackers. Defer to carrier-based services while traveling and reserve WiFi for trusted networks.
If you are prone to losing your phone, there’s an app for that: McAfee’s WaveSecure. WaveSecure’s ‘Locate and Track’ can remotely locate your lost device and plot its location as well as sound an alarm just in case you lost it in tall grass. If you are worried about having your phone stolen, there isn’t much I can say for the device itself (except that if it’s not in your hand it should be in your pocket), but WaveSecure can ‘Lock and Wipe’ your device, allowing you to remotely lock your phone via web or SMS from another device. This feature in combination with the cloud-based ‘Backup and Restore’ feature can have you up and running in no time. There is a 7 day free-trial period, and users can subscribe to the service for $19.99 a year thereafter.
The moral of today’s story is that, like many other things in life, if you carefully think about what you are doing, chances are you will be just fine. Having read this article, I fully expect your guys’ phones to be an impenetrable bastion of invaluable trade secrets. Cheers!