The monthly e-zine from Delta Comtech


Beware of malware in your phone's apps

No area of technology is safe. Malware has found its way into just about every major device or gadget launched and now it’s the turn of smart phone applications.

 


Cyber crime is on the rise and now phones are falling victim to malware attacks. So it's never been easier to be mugged in the privacy and comfort of your own home. Read our article on smart phone malware and make special note of the tips at the foot of this page.
 

Certain rogue apps are known to be surreptitiously collecting data from Android phones only to send it to overseas servers. Indeed a number of smart phone security issues have provided considerable cause for concern in recent months.

One app, known as “One-Piece Wallpapers” by “Jackeey Wallpaper”, has been withdrawn from the Android App Store, but it can still be accessed through various app libraries. Superficially, it provides a range of pre-made desktop wallpapers to liven up your phone but in the background this app collects data including phone numbers, your telephone account details and voicemail password, which it then forwards to www.imnet.us. This site appears to be located in Shenzhen, China and it remains unclear why it is gathering user information.

For some time now there have also been warnings of viruses making their way onto phones. There have been some “proof of concept” examples studied in anti-virus company labs, but practically nothing found “in the wild” as yet. Legitimate software sometimes has flaws that (typically) fail to handle unexpected circumstances, and malware writers try to “exploit” these flaws to get their own programs to run. Such flaws are progressively fixed by manufacturers’ security updates, but these updates are not released until after the flaw has been detected. A few antivirus manufacturers have produced phone security packages, but so far there has been little for them to find or correct.

This vulnerability was uncovered by Lookout, a US-based security company (http://blog.mylookout.com/). Lookout is working on something they call the App Genome Project, which is an attempt to uncover apps with malicious code embedded.

Until recently the iPhone store carried an app called Handy Light which blanked the screen with a chosen colour to turn the phone into a low-powered flashlight. However, inside the app was code that turned the phone into a 3G modem for a connected computer. This was not a malware attack, but an attempt to circumvent a $20 surcharge from the phone company for using the iPhone as a modem. Apple has since withdrawn the application, but this does demonstrate it is possible to get past their vetting system.

Android vs. iPhone: Which is most vulnerable?

This example is an Android app, and analysts have warned that these are not subject to the same screening Apple applies to its iPhone app store. Anyone can publish an Android app with relative ease, but Apple controls who can publish apps on its system. On the face of it, this would appear to make the iPhone more secure. However, Lookout disagrees, pointing out that 14% of free iPhone applications have the ability to access user contact data compared to only 8% on Android.

At the moment there are around 3 times as many iPhones as Android-based devices, and malware writers do like to target as big a market as possible. Andy Rubin, who co-founded Android, acknowledges that there are around 160,000 new Android devices a day, and that this potential problem will steadily get worse.

Whiling away a quiet moment by randomly downloading interesting-sounding free apps to our phones appears harmless enough, but users need to think about the consequences. Unlike the iPhone, as an app is installed, Android warns the user (in red) which phone data and services the app will access, giving them the option to cancel the installation. These warnings can be a bit cryptic, but give them a read (or call us if in doubt). With a bit of practice they do begin to make sense. And if your wallpaper wants access to your GPS position and your phone system – maybe you should ask yourself why?
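For readers who want to see what sits behind those install-time warnings, here is an added example (not part of the original article) that reads the permissions an app declares and flags the ones that make no sense for its type. It assumes the app's manifest has already been decoded to plain XML; the package name, the sample manifest and the per-category baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes in an Android manifest live in the "android" XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: an illustrative baseline of what each kind of app plausibly needs.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER",
                  "android.permission.INTERNET"},
    "navigation": {"android.permission.INTERNET",
                   "android.permission.ACCESS_FINE_LOCATION"},
}

# Permissions that expose personal data, with a plain-English description.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone number and account identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "GPS position",
    "android.permission.READ_CONTACTS": "contact list",
}

# Constructed sample: a wallpaper app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}


def review(manifest_xml, category):
    """List sensitive permissions that the app's category does not explain.

    An unknown category has no baseline, so every sensitive permission
    it requests is reported.
    """
    unexpected = requested_permissions(manifest_xml) - EXPECTED.get(category, set())
    return sorted((p, SENSITIVE[p]) for p in unexpected if p in SENSITIVE)


if __name__ == "__main__":
    for permission, exposes in review(SAMPLE_MANIFEST, "wallpaper"):
        print(f"Ask why a wallpaper app needs {permission} ({exposes})")
```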

Technical solutions to these problems will continue to evolve and, as they do, so will the malware. As with other security issues the attacker will generally target the weakest link in the security chain, and typically that’s the user’s behaviour.

So enjoy your phone apps but always bear our three tips in mind:

   ● Don’t just click yes when your phone (or computer) asks if you are sure. Make sure you are.

   ● An app may appear to be free, but if it doesn’t actually do something you need, remember it is costing you to download, running your battery down and may also be stealing your data.

   ● If you tire of an app and no longer use it, play it safe and remove it from your phone.

 


Delta Comtech Ltd
Artillery House, Heapy Street
Macclesfield, Cheshire, SK11 7JB

Tel: 0844 412 8102
info@delta-comtech.co.uk