This holiday season was a boom time for Android devices – with activations of Android smartphones and tablets on Christmas day hitting new heights, and narrowing the gap against rival Apple, according to analyst Flurry.
If you’re one of the lucky ones who unwrapped a Google Nexus tablet or one of Samsung’s army of different-sized Androids, congratulations – but there are a few sensible steps to take before taking that device into the ‘real world’, especially if you intend to use it for work.
There have been many scare stories about Android this year, often relating to malware targeting the OS – some rather overstated, but many, sadly close to the truth.
ESET’s Annual Threat Trends Predictions report for 2014 found that detections of Android malware have increased 63% from 2012 to 2013 – with new strains of malware posing serious threats, such as Trojans targeting online banking apps. Previous generations of phone malware often merely ran up bills using premium SMS numbers, or assaulted users with unwanted adverts.
If you’re a user ‘switching sides’ from an Apple iDevice, you might be alarmed – and it’s easy to feel at risk when you’re getting used to a new system. But it’s not quite as bad as it seems.
Thankfully, Android itself now offers some great built-in protection against theft and malware – including a great anti-theft system quietly rolled out by Google to many Android users.
Downloading free AV software such as ESET’s Mobile Security and Antivirus is a great way to ensure your device – and your data – are safe, but our tips should help even novices get the most out of their new Androids, and ensure that even if the worst happens, and a cellphone is stolen, the data on it will remain safe.
Once it’s started up, lock it down
Android devices from different manufacturers offer their own built-in security systems, but the really bulletproof ones are Google’s, and they are common to all up-to-date Android devices. The most basic is a screen lock, available on every model. Put one in place before you take your device anywhere: head to Settings > Security > Screen Lock. On new devices, you’ll usually get a choice of pattern, PIN, or password. A pattern is less secure than a PIN, and a password is your best choice. If you’re using your tablet or smartphone for business, be extra careful – talk to your IT department, and read our guide to encrypting data on Android here.
While you’re at it, double-lock the important stuff
If someone does crack your code (sometimes possible simply by turning a handset sideways and looking for greasy finger marks – which is why choosing a pattern code can be risky), you can add another line of defense by locking individual apps – a very sensible step, and the reason that the excellent, free App Lock is, its makers claim, the most-downloaded app on Google’s Play Store. App Lock lets you create a PIN which locks important apps – your email, Dropbox, or anything else which could hand data to cybercriminals. Better still, App Lock is pretty good at defending itself – it has mechanisms to ensure it can’t be uninstalled unless you have the PIN.
If you share ANY devices, be careful with Google Now
Google’s Now service can be accessed on Android either by swiping up from the bottom of the screen or via an on-screen Google Search box, depending on which make of Android you choose. It offers “predictive search” – i.e. guessing information you might need, based on your habits. Used carefully, it’s great – offering reminders of flights you have to catch (culled from Gmail), and traffic conditions on your commute (based on GPS data harvested by the handset). But while the ‘predictive’ search experience adds a lot to Android, it can also give a lot away. Any device signed in to the same Google account – i.e. a tablet you share at home – will ‘know’ whatever information you opt to share with Now, including potential privacy minefields such as your web search history. Thankfully, you can tailor how it works for you from Now, or from Google’s dashboard page – do so carefully.
Taking your phone to work? Talk to IT first
The trend for workers “bringing their own devices” to work is increasing year-on-year – but your boss and your IT department will thank you if you ask first. Around 30-40% of devices in workplaces fly “under the radar”, according to former vice-president of security body ISACA Rolf von Roessing, who warned that workplaces faced a “tidal wave” of threats unless users were educated about risks, as reported by We Live Security here. If you’re taking your own phone to work, ask your IT department for advice – and remember that even an email ‘Sent’ box can contain information invaluable to a criminal looking to penetrate a company network. Your boss will thank you if you’re open about using your own smartphone in the workplace – or even for working from home. Our in-depth guide to bringing devices to work – and not bringing disasters with them – can be found here.
Lost it already? Don’t panic!
Despite frequent malware attacks – and an official app store that is still home to thousands of malicious and spammy apps – Google offers a pretty decent selection of security features built in – including a location tracker, which can help find a lost device, even if it’s just down the back of the sofa. Visit Google’s Android Device Manager page to activate it, while logged into your Google account, and you’ll be able to force a device on silent mode to ring, remote-lock a device, and view its location on a map. If you own several Androids, you’ll be able to see them all. More advanced protection is offered by AV programs such as ESET’s Mobile Security and Antivirus, but Google’s own, rolled out quietly to any users of Android 2.2 and above last autumn, is a good first stop.
Keeping sensitive info on your smartphone? Don’t store it on a removable SD card
If you are keeping sensitive information on your phone – you really shouldn’t, if at all possible – don’t keep it on a removable SD card, which makes it far easier for an attacker to get at the data. If, for instance, your photos include an image of your credit card or passport, don’t store them in external memory. Ensure anything you want to keep safe is stored in your device’s internal memory, and protect this using a strong password. Google’s Android Device Manager page offers useful options to wipe data remotely if a phone is stolen – and AV apps such as ESET’s Mobile Security and Antivirus offer more options for users who have lost a handset, including playing sounds and remotely locking devices (with built-in password protection so criminals can’t disable the anti-theft functions).
Encrypting your phone WILL slow it down – but keep your data safe
Encrypting your device – so that all data on board is PIN-protected – isn’t for everyone: it will slow your device down, which can be painful if you’ve just unwrapped a top-of-the-range smartphone. But if you are carrying work information on it, it’s a good way to ensure sensitive data is safe, even if the device falls into the wrong hands. Thankfully, it’s easy to encrypt your device in Android’s own settings menu – Settings/Security/Encryption – an option available since Android Gingerbread 2.3.4. Choose Encrypt Device and Encrypt External SD Card, then wait while the device crunches your data (this takes a while). After that point, your data is PIN-protected, at the cost of a slower device. A more detailed We Live Security guide to encryption – on mobile and PC – can be found here, with explanations of when and why you might want to encrypt data.
Google’s Play store isn’t perfect – but it’s FAR safer than most ‘unofficial’ stores
For ‘defectors’ moving from iOS to Android, the fact that malicious and spammy apps sneak into Google’s official Play store may be a shock – unlike Apple’s App Store, there is not an approval process, so ‘bad’ apps can sneak onto Play. Play, though, remains a far safer place to shop than unofficial stores – or bogus ‘review’ sites offering free apps. Google removes ‘bad’ apps once users complain – but some lurk around for quite a while. Watch out for close-but-not-quite clones of popular apps and games – a classic trick – and in general, think like you are shopping on eBay (ie does the developer sound legitimate? What do the reviews say?). Most apps on Play, though, ARE safe – if you follow our detailed guide to being a happy app-y shopper here. But the most crucial oogle Play, Amazon’s App Store and GetJar, you will be much safer – although “bad” apps can still sneak into those.
Don’t feel you HAVE to root your Android
For many tech-savvy phone users, the chance to ‘root’ an Android device is tempting – gaining root access to the phone’s OS allows users to, among other things, uninstall all the unwanted apps with which Samsung and other phone makers routinely bloat their devices. There are dozens of tutorials on how to root devices online, and many Android forums make it seem like a “first step” for users, allowing Android fans to run apps which require root access, such as firewalls – normally blocked by the OS. But rooting a phone opens users up to new risks – and cuts off many of the protections built into Android itself. It will also severely annoy your employer, if the handset happens to be a work one. Malicious apps with root access can cause far more damage than normal ones – and the unofficial app markets where apps for rooted devices are traded are filled with malware, sometimes disguised as popular apps. “Free” versions of the predictive text app Swiftkey appeared on pirate sites – infecting users foolish enough to download them with a keylogger which took note of every keystroke in Swiftkey, with the goal of stealing data.
Read the “permissions” screen EVERY time you install an app
Most computer users are pretty impatient while shopping – and used to skipping straight past huge legal documents without reading a word – but while Android’s App Permissions page looks boring, it’s THE single most important defense built into the system. “Bad” apps will request access to and control over huge amounts of your Android’s functions – such as reading all network communications, or sending SMS messages – if an app has a huge list of Permissions, it’s an “alarm bells” moment. Why WOULD a screensaver need to send SMS? Our detailed guide to safe Android app shopping can be found here.
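The list Android shows on that Permissions screen comes from the app’s manifest. As an added illustration (not code from the original article), this script reads a constructed manifest for a hypothetical screensaver app and flags the permissions a careful reviewer would question for that kind of app; the “expected for category” baseline is an assumption made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app cost you money, read your messages, or
# ship data off the device; the kinds the article calls "alarm bells".
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send (premium-rate) SMS",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (e.g. bank codes)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts itself at boot",
    "android.permission.INTERNET": "can send data off the device",
}

# Assumed, illustrative baseline: what an app of this kind plausibly needs.
EXPECTED_FOR_CATEGORY = {
    "screensaver": {"android.permission.INTERNET"},  # e.g. fetching images
}

# Constructed manifest for a hypothetical screensaver app (sample input).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.screensaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    )

def suspicious_permissions(manifest_xml, category):
    """Flag high-risk permissions an app of this category should not need."""
    expected = EXPECTED_FOR_CATEGORY.get(category, set())
    return {
        p: HIGH_RISK[p]
        for p in declared_permissions(manifest_xml)
        if p in HIGH_RISK and p not in expected
    }
```

Run against the sample, `suspicious_permissions(SAMPLE_MANIFEST, "screensaver")` flags the SMS and boot-start permissions but not INTERNET, which is the judgement the article asks you to make by eye.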
Don’t EVER install a banking app from a link
Governments around the world have warned of the risk to consumers from ‘fake’ banking apps – either delivered on their own, or as part of an attack against a PC, where the malware attempts to fool users into downloading the fake app by delivering messages through bogus bank sites. An increasing number of PC Trojans target Android devices with fake banking apps – with several families of banking malware such as Qadars, reported by We Live Security here, attempting to fool users into installing malicious apps via their PC’s browser – aiming to bypass two-factor authentication systems used by banking sites. Banking Trojan Hesperbot, discovered by ESET and reported here, uses a malicious webpage to instruct users to enter their cellphone number and handset make, and attempts to install a malicious app that bypasses security systems. Your bank will NEVER distribute apps in this way – instead, download your bank’s app from Google’s Play, and ensure yours is up to date. “ESET products like ESET Smart Security and ESET Mobile Security protect against this malware,” says Robert Lipovsky, ESET malware researcher who leads the team analyzing this threat.
Paying for something with your phone? Be VERY careful
Up-to-date Androids such as Samsung’s Galaxy S4 and HTC’s One ship with an NFC (Near Field Communication) chip – a new technology designed to transmit data over short distances, and used in some countries, such as Chile, as a tap-to-pay system in stores. But point-of-sale terminals have become an increasing target for cybercriminals – as these We Live Security reports show – and ESET researchers warn that NFC payment systems could become a target for cybercriminals this year. In this year’s Annual Threat Trends Predictions 2014 report, ESET researchers wrote, “Any technology used for bank transfers is a potential target of computer attacks. As this means of payment becomes more popularly used, malicious code may appear to steal information relating to these transactions.” Be cautious about any means of storing money on your phone – such as Bitcoin wallets – or paying direct via NFC.
Author Rob Waugh, We Live Security