
Lax Android security means 2012 will be year of mobile malware

To show just how easy it is to infect a phone with malware, Websense gave CBR a demo in the back of a limo...

By Cbr Rolling Blog

2012 will be the year mobile malware becomes a big issue, according to Websense. The company reckons that the increasing sophistication of malicious apps and poor security standards on Android phones will see it become a major problem sooner rather than later.

Despite plenty of headlines over the last 18 months or so about the severity of mobile threats, some security organisations have suggested the problem is minute compared to the continued threats facing PC users.

However, Carl Leonard, Websense security research manager, told CBR that the threat is growing and losses from malicious apps stretch into millions of dollars. Most of that money is stolen via malware that can sign a mobile user up to expensive SMS services without their knowledge. Malware that targets banking and other sensitive information is the other app of choice for crooks.

Despite saying that malicious apps are getting more sophisticated, Leonard added that currently most apps Websense is seeing are not very advanced. To demonstrate just how easy it is to develop and release a malicious app, Leonard gave CBR a demonstration in the back of a limo idling in the backstreets just off London’s Fleet Street.

Using an Eclipse SDK for Android, Leonard took just a few minutes to set the malicious app up. It was disguised as an antivirus app and called Awesome AV Scanner – he said this is a classic technique for tricking unsuspecting users into downloading the app.

The app certainly looked convincing. A star rating system was offered and in the bottom right corner a "processing" symbol whizzed around, suggesting the app was indeed scanning for viruses. The app then prompted the user to register their app; clicking this caused it to crash.

A second app then replaced the first, but this time it didn’t crash so users were left with the impression that registration was successful. In truth, what really happened was that the user had just given their password to the crook. Chances are, Leonard said, this password would open up other online accounts as people generally repeat the same password on many sites and services.


It wasn’t just a random choice to demonstrate this on an Android device – Leonard and Spencer Parker, group product manager at Websense, both said that the phones are fundamentally less secure than Apple’s iPhone. Android makes up the vast majority of malware targets, Parker said.

"The Apple system is much better at picking up [malware in apps], although Google is trying to migrate to a similar system," Parker told CBR. "There are many different market places for Android, which create a gray market where unsanctioned apps are freely available."

"The in-built Android MDM (mobile device management) is nowhere near as good as Apple’s," Parker continued. "With Apple there is a deliberate sandboxing, so data doesn’t talk to other apps. So if an attack is launched at Safari, it’ll just attack Safari. With Android it’s different, so a browser-based attack can attack other apps."

He added that games are the most common attack vector, with many malicious apps disguised as legitimate games, such as a newer version of Angry Birds.

What does this mean for businesses? Well, a way onto a user’s mobile is a way into the business, whether it is via the same password being used for certain things or access to work emails that may contain sensitive corporate information.

The answer to this conundrum is co-operation between the user and the business. If employees want to use their personal devices for work then they have to abide by company security policies, says Parker. "The end user and the business have to share responsibility [for security]," he said. "The business has to make the user aware of the policies and keep them up to date."
