Android Security Becoming an Issue


The numbers out of Lookout Mobile Security have to terrify Android smartphone users:

  • Android users are two and a half times as likely to encounter malware today as they were 6 months ago.
  • An estimated half million to one million people were affected by Android malware in the first half of 2011.
  • Android apps infected with malware went from 80 apps in January to over 400 apps cumulative in June 2011.

That's straight from the San Francisco company's latest Mobile Threat Report -- but, listen up, this is not an invitation to junk your Android. The risks are real but, said Lookout CTO Kevin Mahaffey, "this definitely is not a 'stop using the phone' moment. It's a know what's out there and what you need to do about it moment."

"There really is no secure platform. That's the fact," said Roman Yudkin, CTO of Confident Technologies, a Solana Beach, CA computer security company.

Fueling the spread of Android threats has been fast-paced growth in the platform's smartphone market share. The latest research, reported in late August by Port Washington, NY-based NPD Group, pegs Android at 52 percent of the smartphone market in Q2. iPhone (iOS) share hit 29 percent. BlackBerry fell to 11 percent. Windows Mobile and webOS logged shares below five percent.

That muscular Android growth has attracted cyber criminals. But so far the damages inflicted have honestly been few. "Android threats have mainly been nuisances but the threats have become more numerous," elaborated John Engels, an executive in Symantec's Mobility Group.

That is a bottom line: chatter about Android vulnerability has reached loud volumes but, for the most part, the threats that have been found are more bothersome than devastating. But step one in securing any Android has to be knowing the enemies and Lookout research has identified the prime Android threats.

Leading the criminal parade is what Mahaffey delicately calls "repackaging," a threat that takes advantage of Android's open apps distribution policies where basically any site can set itself up as a distribution hub. This has created a thriving malware industry where criminals are taking popular, typically paid Android apps, then inserting malware, and, finally, making the app free (since it is stolen this involves no costs).

"We are seeing much more of this lately," said Mahaffey, who added that Lookout researchers have found cases where criminals have created storefronts that look indistinguishable from the official Android Market. "This can get very tricky," he said, and the clear meaning is that even experienced users need to stay alert to deviant app distribution centers and prices that simply are too good to be true.

The second big threat to Android users, said Mahaffey, is a fast spread of malware apps (often disguised as something harmless like a media player) that send SMS to premium priced numbers that quickly can rack up sizable charges. These are clever apps, said Mahaffey, because "often they hide the SMS they send from the user."

Still in its infancy, but with enough cases to show up on Lookout's radar, is a mobile botnet built by malware that creates communications channels into infected phones. Exactly what the end game is remains uncertain, but what is certain is that this will probably cost users and their companies money.

"We are seeing a lot more experimentation in malware revenue models," said Mahaffey.

A fourth threat, according to Lookout, is a rapid rise in phishing attacks, although these are cross-platform and not restricted to Android. Early signs are that many users are less cautious and quicker to respond to phishing emails via their phones than they would be were they sitting at a computer.

Bad as all this sounds, Mahaffey actually says there's good news here, too, because "People are starting to realize they need to take precautions when they use an Android phone."

One precaution: People have to understand that apps should be downloaded only from an approved short-list of sites, suggested Engels. On that list will be Android Market, possibly Amazon's Appstore, an enterprise's own Android downloads page if it has one and not much more.

The second precaution: Insist that users install an antivirus app and keep it updated, suggested Mahaffey (whose company of course is a leader in that niche, but there are many other players getting into that space). Android, unlike Apple's iOS, allows antivirus apps to run on the phones, and so it is wise policy to require their use.

"Android users, when they hear about the many threats, are looking for ways to protect themselves. The tools exist. It's just a matter of educating users about their choices."

As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation's leading publications -- from Reader's Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain's New York, and Fortune Magazine.