Here you are, thinking you’re so smart with your Android phone. You’ve rooted it, and now you side-load apps like it’s cool. Maybe you should be aware of what you’re installing, because there are threats to that shiny little device.
Since Android is gaining popularity at an amazing rate, it’s also gaining metaphorical size as a target for malware teams. One of the benefits of the OS is that there’s not a whole lot of oversight in the market, but this is also a weakness. The apps aren’t thoroughly checked for function, and when you’re asked to install and give access to apps, chances are you’re just gonna “Next” your way through as quickly as possible.
Cyber security group Damballa Labs has released its “Threat Report – First Half 2011” which includes the only detailed look into smartphone-based C&C (Command and Control) botnets in the industry. Georgia Weidman demonstrated this at ShmooCon last winter. A simple code inserts itself into the modem of the phone, using SMS (which saves battery, and has an automated system for re-sending if the network is unavailable) and communicates with the boss. The strengths of this aren’t limited to saving battery, however. If your phone is connected to your workplace WiFi, then chances are the IP address for the botnet is blocked. With SMS, WiFi security measures are worthless.
Like QR code attacks, these malware programs can put your locally-stored data at risk, including phone book, email accounts, keys and even Credit Card info. Users must always be wary of any access granted to applications, such as phone book, as well as read reviews and research apps that request high-level access.
One way of detecting botnet applications, such as Weidman’s, is to check SMS usage on your phone bill. If there’s an unexpected increase in volume or a phone number you don’t recognize, I’d recommend taking a look at what apps you have installed. On top of detection, users must protect themselves at all times, regardless of attack or not. As Information Week points out:
— Store as little data as possible locally — it’s impossible not to have your contact list and cached email and browser sessions on a smartphone, but avoid storing copies of sensitive business documents.
— Encrypt data in storage and transit; use file encryption (or an encrypted file system as in iOS) for local storage and VPNs for network connections on unsecured links, namely public Wi-Fi hotspots.
— Finally, use a mobile device management service, either an enterprise product such as AirWatch, MobileIron, or Zenprise, or a consumer-oriented service like Apple’s Find My iPhone or Lookout for Android, that can track and remotely wipe a lost or stolen device.
Hat tip to Jon Ballard.