Smartphones? There's malware for that, too.
Troy Gill, security analyst, AppRiver
Malware is finding a new place to wreak havoc: the smartphone.
In fact, a recent study conducted by McAfee shows a 46 percent surge in malicious software targeting mobile devices, compared to one year ago.Cybercrooks are infecting popular mobile platforms through malicious applications and, unfortunately, no mobile platform is immune from the destruction this can cause. According to McAfee's report, Symbian remains the most targeted mobile platform, though vulnerabilities in both the Android and Apple iOS should not be overlooked.
Android's open source software is something that gives the platform great appeal, but it's also the basis of its vulnerability.
Users may enjoy the freedom to acquire apps both inside and outside the Android Market, but it doesn't come without risk. The Android Market allows developers to upload apps without first running through an established screening process, like one that you might find at Apple's App Store or when using RIM's App World for BlackBerry.
As a result, Google recently detected more than 50 malicious apps within the Market, which were downloaded to approximately 260,000 Android devices. (Google later remedied the infections remotely via an auto-installed software update.)
While Google's remote “kill switch” might have been effective at removing many of the rogue apps, it was reactionary in nature and not a permanent solution to the underlying security problem.
What's more, human nature is typically the weakest link in security. Many dangers surrounding malicious apps could be avoided with more scrutiny on apps from the start, including paying special attention to what permissions a downloaded app is requesting. In a recent Android Apps infection, many apps were not so cleverly disguised, using titles such as “Hilton Sex Sound” or “Hot Sexy Videos.” Those erring on the side of caution would most likely have been kept safe from falling prey to these malicious downloads.Malware screening for app markets may not be perfect — evidenced by the increasing number of infections— but there are a few things smartphone users can do to increase mobile security.
- Awareness training: Educate users about mobile threats and communicate ways to best avoid them.
- Anti-virus software: Utilize security software on your mobile device just as you would on a desktop or laptop.
- Safe browsing habits: Remember, the same dangers that exist on the web (i.e. black hat search engine optimization poisoning, social media, malicious email links, etc.) can also exploit your mobile device. Remain vigilant about all web surfing habits.
- High-risk apps: There is an alarming number of apps available for various smartphone platforms that pose significant security threats. Such apps can potentially allow other programs access to your valuable personal information. Although the distribution platforms attempt to inspect the apps for security holes, the process, as of now, is feeble at best.
- SMS or voicemail phishing: SMS and voicemail are common vectors of attack for phishing scams. Always call the institution directly and verify the information whenever responding to a questionable voicemail or text.
- Password protection: Lost or stolen phones likely contain personal information, such as stored logins to banking or social media sites, and could provide someone with access to sensitive company email. This threat can be minimized by password protecting your mobile device.
- VPN access: When accessing corporate network resources via a smartphone, utilize an SSL VPN connection to secure the session.
- Wi-Fi hotspots: Nearly all smartphones are now equipped with Wi-Fi functionality, making them highly vulnerable to attacks. There are various tools available that allow even the least talented hacker to exploit Wi-Fi hotspots and intercept web traffic. Avoid accessing any password-protected site (i.e. Facebook, Paypal) when connected to an unsecured Wi-Fi hotspot, such as those in a coffee shop or at the airport.
- Remote wipe and encryption: Utilize encryption software on your smartphone to protect data in the event the device is lost or stolen. Consider using a remote wipe to brick the device remotely.