I have an Android in my pocket as I type, with all kinds of cool apps ranging from GPS navigation to acoustic guitar tuner (really cool) – and apparently I’m not alone. Users are scooping up the latest batch of Android smartphones in record numbers, and what better target can malware authors ask for? Well, apparently they’ve noticed, and are ramping up fast to match the new market opportunity. A new report from Lookout Mobile Security trends a recent steep rise in malware reported in their databases, from around 80 in January, to more than 400 in June 2011. They also report that between 500K and 1 million Android users were infected with malware during that same period.
Randy Abrams reported awhile back about a malware proof-of-concept that listened to the touch-tones being typed on the keypad representing credit card information being entered, and reported it back to the malware’s mother ship. He thought we might be seeing more of this style of activity in the real world in the near future. Now CA Technologies reports a variation on that theme in-the-wild: a Trojan that records entire phone conversations, hopefully including banking/identification information, and reports them back home. So it seems our predictions weren’t far off.
During Android’s early run-up, users loaded apps by the droves with scarce a thought for security. Now that we see malware authors writing for this audience, vendors will enter a second phase: education. It will now take years (and possibly more than a few bad experiences for unsuspecting users) to educate folks that you really have a “computer that happens to make phone calls” (to quote Randy Abrams), with all its security nuances, rather than the simple flip-phones of yesteryear. These machines pack respectable CPU and storage, run a full operating system, and are all networked. On top of that, they, almost by definition, are filled with the personal information and contacts advertisers and businesses have been lusting after for decades.
What can you do? Well, the physical security parallel applies here too: stay on the lookout for things that just don’t “seem right.” If you’re installing a simple app, it really shouldn’t be asking for permission to access the deep, dark regions of your Android. Also, download directly from the native Market app on your device, there are user-generated ratings there, which will give some indication of how others view the quality of the application. If other users have had trouble, you might too. Also, you have a browser built in, so you can dig around a little bit there if you want more information. Time for a shameless plug: we’re currently rolling out ESET Mobile Security for Android (available on Android Market or on our beta site), so there’s something you might consider as a more robust, proactive, always-on security option, which can eliminate some of the guesswork. In the end, however, there’s no substitute for education, and being slightly more aware of what you do on your Android pocket computer, that just happens to make phone calls.
Author Cameron Camp, ESET