The Virus in Your Pocket: a Boom in Android Malware

The first of Isaac Asimov’s three laws of robotics was that a robot may not allow a human being to come to harm. But apparently that little Android smartphone in your pocket didn’t get the memo. Mobile devices are becoming a top target for hackers, and the Android platform has been hit hard, with the amount of malware soaring more than 3,000 percent just in the last seven months of 2011, according to a new study by Juniper Networks.

“The amount of malware targeting mobile smartphones and tablets has really accelerated over the last couple of years. And we’re seeing a huge uptick on the Android side,” says Dan Hoffman, the chief mobile security evangelist at Juniper, which makes—you guessed it—anti-malware software, and has a bunch of new products due to hit the market by the middle of this year.

The bad guys are simply going where the money is, Hoffman says. As the smartphone market booms, it’s creating new opportunities. The same hackers who were targeting PCs in the past now have turned their attention to mobile devices. “Hacking has been a business for years in the PC space and now it’s moving into the mobile space,” he says.

Hackers have spent the past few years figuring out how mobile operating systems like Android work, and how to break into them, and “now they’re starting to monetize the research they’ve done. They want to make money on this, and the time is now,” Hoffman says.

Not only are security researchers seeing lots more malware hitting mobile devices, but they’re also noticing that the malware is becoming more complex and sophisticated. Malware programs perform all sorts of nasty tricks ranging from stealing your private banking information to secretly sending out “premium” SMS messages that add a few bucks to your monthly bill.

Contributing to the problem is the fact that it is pretty easy to create a malicious application, load it onto an online store, and trick people into downloading it. “There’s such a low barrier to entry. A kid in a basement can write a malicious app. Some of the hackers are organized criminals, but some are just people doing a one-off to make a little extra cash,” Hoffman says.

Android is a favorite target because the software has become so popular. Android is created by Google but used by dozens of handset makers, including Samsung, HTC and Motorola. In the past year Android has become the most popular smartphone platform, ahead of Apple’s iPhone and Research in Motion’s BlackBerry. Also, because of Google's open approach, it's relatively easy to get an app distributed in its online store.

Earlier this month, Google announced a new security service called Bouncer that scans the Android Market (Google’s store for distributing apps) looking for malware. One good sign, Google says, is that while malware is being created, less of it is actually being downloaded—perhaps because users have become more savvy at spotting suspicious apps. In a blog post, Android engineering VP Hiroshi Lockheimer said malware downloads dropped 40 percent from the first half of 2011 to the second half of the year.

With so many hackers targeting Android, you might imagine you’d be safer if using an Apple iPhone, but Hoffman doesn’t think so. He says because Apple is so secretive, it’s difficult for independent researchers to find out how much malware is being created for Apple’s iOS mobile operating system. Recently Apple has landed in hot water after it was revealed that an oversight in the company’s software was allowing third-party applications to upload private address book information without seeking permission from users.

Hoffman says he uses both Apple and Android phones, but prefers Android since “the threats are the same, but the means to mitigate the threats are sometimes better on Android than on iOS.” He adds, “I would rather know what the threats are and how to protect against them rather than not know and have to rely on someone else. With Apple it’s just blind trust.”

There are three main types of malware to look out for:

• Spyware - This is software that looks like a regular program –a weather widget, or a game—but is secretly combing through your phone and sending information to a third-party Web site.

• Premium SMS Trojans -These programs again look like ordinary apps, but once you download them they are able to send expensive SMS messages that cost a few bucks every time they connect, sort of the SMS version of making a phone call to a 900 number. The damage might be only a few bucks, small enough that you won’t even notice it on your bill if you’re not paying close attention.

• Fake Installers - Hackers will download a legitimate application from Google’s Android Market, make a clone of the app, then sell that clone for a few bucks on a different market. The developer is getting ripped off, and you’re getting defrauded—especially in cases where the legitimate application is free, but the clone costs money.

Whatever Google and independent security companies do, hackers will continue to target mobile devices. Hoffman at Juniper has some advice on how to protect yourself.

For one thing, don’t download apps from independent app markets and third-party Web sites. Stick to the ones run by Apple and Google. They’re not perfect, but they at least make an effort to filter out bad programs.

Also, when you download a new app, look closely at the permissions that the app is asking for. Most of us just click yes without even looking at the list of permissions. It’s also a good idea to go over the apps you’ve already downloaded to see what permissions they’ve been granted.

Watch out for apps that want to send SMS messages or make phone calls. Juniper found 14.7 percent of apps in the Google App Market ask permission to make outbound phone calls without the user’s knowledge. “We’re not saying that’s definitely malicious but if you’re downloading a weather widget and it wants to be able to make outbound phone calls, that’s a little disconcerting. You might want to think twice about that,” Hoffman says.

Another thing to consider is what some researchers call “security through obscurity.” Apple computers and machines running Linux have always been safer than Windows PCs, simply because there were fewer of them, so hackers didn’t bother targeting them.

By this logic you might want to consider a device running the new Windows Phone operating system, which has only a few points of market share. The software itself is really nice. And Nokia, which is Microsoft’s top partner, has recently introduced some really nice handsets.

Of course, eventually the hackers will get to those as well. Ultimately, all you can do is be careful and hope you can stay a step ahead of the bad guys.