Smartphone Hygiene
In 2010, a developer named “Droid09” published a series of online banking applications to the Android Marketplace, enabling Android-based smartphone users to check bank balances and perform other common tasks at nearly 50 well-known banks, including Chase, Wells Fargo and Bank of America.
Unfortunately, Droid09’s applications were designed to record the bank login credentials entered by their users, enabling Droid09 to log into the victims’ bank accounts and electronically steal their money.
While we’d like to report that this is an isolated incident, the fact is that at least 400 malicious applications have been discovered on Android’s marketplace this year alone. And with smartphone sales topping PC sales for the first time last year, malware authors are looking for ways to break into that booming untapped pool of unsuspecting victims.
While the bulk of the new malware so far has targeted Google’s Android platform, Android isn’t alone in this fight. Just this year, a variant of the ubiquitous Zeus trojan was found spreading on BlackBerrys. That particular malware variant allowed the attacker to record SMS messages, block and unblock calls, add a new administrator, and perform other nefarious acts. Similar variants were found attacking smartphones running the Symbian operating system as well as Windows Mobile. And attacks against Apple are on the rise, including a fake antivirus called MacDefender that is targeting some Apple platforms.
What are the most prevalent risks to smartphones and their users?
Loss/Theft:
35% of Americans had their phones lost or stolen in 2010. This is by far the leading way users have their data compromised.
Malicious Applications:
Malicious applications are another popular way for hackers to access your data. In addition to the examples above, sometimes innocent applications are “repackaged” to include malware. For example: before official versions of the megahit Angry Birds were available through the Android Marketplace, bootleg versions were available for download through 3rd party app stores, and some of those had been repackaged to include the popular “DroidDream” malware.
Apple claims to reject about 20% of the applications attempting to get into their marketplace. Google takes a different approach, allowing nearly anyone to publish applications, but allowing the “community” to report bad applications back to them. Google claims to have removed around 1% of its applications using this mechanism.
Deceptive EULAs:
Ever read the End User License Agreement (EULA) on applications you are installing on your phone or elsewhere? Did you know that you could be unwittingly signing up for additional services that can cost you money?
Just this past June, a new game called “Social Tic Tac Toe” hit the market. If you stopped to read the EULA, you would see that agreeing to it allowed the game’s developer to charge a $9.99 fee against your phone bill every month, and stopping it required a convoluted process that was buried in – you guessed it – the EULA.
Malicious Advertisements (Malvertising):
In many popular applications, particularly free ones, there is a little bit of screen real estate set aside to display ads during their use. In some cases, these applications have (sometimes unwittingly) been used as vehicles to lure victims into installing malware on their devices.
For example, in 2011, a number of popular smartphone games were found to be displaying an advertisement for a battery saver application. When the user clicked on the ad, they were taken to a 3rd party marketplace that looked identical to the official Android marketplace, where they were instructed on how to download and install the malicious application disguised as a battery-saving tool.
Spoofing:
Do you know that in most cases someone can access your voicemail without a passcode if they know your phone number? The reason most cell phone users can access their voicemail by simply dialing their own phone number from their phone is that most carriers use the caller ID to authenticate voicemail access unless the user has specifically enabled a passcode. Caller ID on cell phones can be faked just as easily as on a traditional landline. Of the major carriers, only Verizon is currently forcing its subscribers to use a passcode to enter their voicemail. All other carriers consider the protection optional, and generally leave the passcode disabled unless a subscriber turns it on.
Remember the drama surrounding the “News of the World” in London a couple of months back? It turned out they were rather routinely accessing the voicemails of celebrities, politicians, and crime victims. How did they do that? By simply spoofing their target’s phone number.
Best practices for defending your phone against attacks
There are a number of steps you can take to protect your phone from hackers:
- Enable an unlock passcode. And if your phone supports it, enable the automatic wipe feature to destroy your personal data on the device if the passcode is entered incorrectly too many times. Some phones support a “remote wipe” which will allow a user to wipe a stolen/lost phone through a web interface, but those features typically cost extra.
- Enable a passcode on your voicemail, if supported by your carrier.
- Use only official app stores. While you are not immune to contracting malware from applications on the official Apple and Android marketplaces, your chances of infection go up dramatically when you use unsanctioned stores that have no oversight or control.
- Install a mobile security application. Most of the traditional antivirus developers, like Symantec, McAfee and ESET, also offer solutions for smartphones. There are also solutions from developers that specialize in smartphones, such as Lookout on the Android platform.
- Don’t overshare your phone number to reduce the risk of spoofing. Did you know that a recent change to permissions on Facebook made it possible for anyone to see your phone number if you had entered it into your Facebook profile? You should protect your phone number as if it were a passcode, because as the News of the World discovered, sometimes it is.