We are living in the information age like I always like reminding everyone, and being reminded by friends who know my love for all things digital. As such there is a consistent flow of information on the internet on many subjects. One of these subjects more often than not is usually cybersecurity. If you follow what happens in the world of tech, then you are privy to the many cybersecurity threats that exist. It’s just March so for the PC faithful it isn’t long ago that you renewed your antivirus/internet security *insert all other trade names & marketing gimmicks for the same here* for another year so that your beloved home/work/office/business computer is protected for another year. In short, you know the depth of anything that is a threat to your system(s).
With the rise of the smartphone and recently tablets too as the new home of computing and entertainment, it is not a surprise that most cybercriminals now target mobile devices. Android being the most popular of mobile operating systems has had its fair share of malware threats. As a platform this has been scary and thanks to the hype mobile cybersecurity firms and vendors go to great lengths in creating in the name of “warning” consumers, this has created real fear amongst many current Android users and folks itching to get their first ever Android device.
Let’s get some things clear. By virtue of being the most popular mobile OS (Android contributed to about 22.7% of all smartphone activations in Q4 according to Good Technology’s data. There have been over 400 million Android smartphones activated according to data released by Google in last year’s I/O event. That number should be past 500 million by now since over a million Android devices are activated per day, dwarfing iOS and all other players), Android attracts the attention of everyone targeting the masses so the malware threats that have been reported in the past and continue to emerge every now and then are true and the loopholes exploited by the malware creators have to be sealed. That’s undisputable. The other thing: with everyone shifting to mobile for almost everything that traditional machines have been doing over the years, this should not surprise anyone.
The problem is the hype that the cybersecurity solution providers tend to overstate. This not only creates fear but makes many cringe at the thought of acquiring an Android device (for first timers) and switching platforms (for guys on other platforms, particularly iOS and Blackberry). I know this because I handle so many queries about devices on a daily basis either online or at a personal level when I’m out in the streets. I’ll ask a simple question: how many people do you know whose Android devices have “died” or become functionless because of malware?
Knowing Android as it is and knowing platforms and systems as they are, most of the malware you’ll see my fellow bloggers hyping around has to do with recklessness on the part of the user. There are system-wide vulnerabilities that are part of the OS. Those have been addressed progressively as Android has been maturing over the years, peaking at Android 4.2 which addressed a number of key vulnerabilities. We’ve seen some apps being pulled from the Play Store in the past for various exploits that made devices vulnerable to attacks. There are simple don’ts like:
- Don’t install an app that you have no idea what it does. I mean, you’re idle and you pick up a friend’s phone and you spot an app you have no idea what it does. Out of curiosity you want that app, just for trial, and your friend shares it with you. You don’t even know the source, you don’t know what it does, why get it? I know self-discovery is a good thing, it is actually what motivates many of us but will you risk your $200+ Android device for that? Let’s move on.
- Don’t download and install apps from marketplaces and app stores that are not authorized. With Android being an open platform, that openness extends to many other things like the ability to install apps that are not from the Google Play Store. This with its fair share of vulnerabilities. With recent versions of Android, Google has moved in and tightened the process involved in verifying applications before they are allowed into the Play Store for users to install. There are various third party app stores that have apps available for download and installation on Android devices. There are also sites that specialize in cracked apps. Be careful what you get and from where you get it. Most of the “cracked” apps contain malware. They’ve been altered to include code that is malicious and will either subscribe you to premium services and eat your credit or they’ll track you and report back to numerous servers elsewhere and forward confidential information, from your passwords, credit card info, login credentials to any service you subscribe to and also consumer habits that the “thieves” use to make money by passing it on to marketers who’ll target ads your way.
- When installing apps on your Android device, make sure you look carefully at the permissions and make a quick decision as to whether that particular app needs all the permissions it is asking for to be able to perform its tasks. If not then it is a wise decision to go back to the Play Store and find an app that does similar tasks without asking for unnecessary access rights. For example a gaming app that wants access to your contacts list. There are hundreds of thousands of Android apps (at least 700,000 of them!) and you won’t fail to find one that can do the task you desire be it a utility, entertainment or gaming app.
- Cracked apps. I have already addressed this above. Kindly don’t install cracked apps. They’re a big risk.
- Bluetooth. On the prevalent feature phones in Kenya, this is a thorny issue. On smartphones it is not big globally (I’ve hardly heard of any wide exploits as a result of this) but for the many who still like receiving content like music and videos, be careful who is sharing files with you. Some have malware that executes as soon as you play that Harlem Shake video your work colleague sent you.
- Root. I’m a big advocate of rooting but if you have no idea what rooting is or you don’t know why you need it, kindly keep off. There’s a reason why devices come in a lock-down state, without advanced user privileges auto-enabled. With root access, your device runs in high privileged mode hence any apps that require superuser rights have unfettered access to your core system. Woe unto you if these are malicious apps!
- Mass storage. If your device supports mounting on a computer as either a mass storage device or MTP, you should be careful which computer you connect it to. Unlike rival platforms whose devices can only transfer limited file types especially just photos and videos and only through some messy and cumbersome (bloated too) software, on Android you can transfer almost anything. From videos of almost all formats (you’re only limited by the codecs supported by your device) to compressed files and torrents, there isn’t anything you can’t transfer to and from your Android device. And that’s where the risk comes in.
In light of all the malware talk on Android what is Google doing about it?
There are several changes to the Google Play developer policies. I’ll quote some of the interesting bits of the policy
- …Developers must not divert users or provide links to any other site that mimics or passes itself off as another application or service. Apps must not have names or icons that appear confusingly similar to existing products, or to apps supplied with the device (such as Camera, Gallery or Messaging).
- …We don’t allow unauthorized publishing or disclosure of people’s private and confidential information, such as credit card numbers, Social Security numbers, driver’s and other license numbers, or any other information that is not publicly accessible.
- …Don’t transmit viruses, worms, defects, Trojan horses, malware, or any other items that may introduce security vulnerabilities to or harm user devices, applications, or personal data. We don’t allow content that harms, interferes with the operation of, or accesses in an unauthorized manner, networks, servers, or other infrastructure. Apps that collect information (such as the user’s location or behavior) without the user’s knowledge (spyware), malicious scripts and password phishing scams are also prohibited on Google Play, as are applications that cause users to unknowingly download or install applications from sources outside of Google Play
Unknown to many people too is the fact that Google takes the malware threats serious and has its own malware tester called Bounce.
Android 4.2 introduced the app verification process. Under your system settings, you’ll have to grant the system the permission to check any apps you’re installing against data in Google’s database of apps in Google servers so that the apps are verified. Though the app verification is auto-enabled by default, any sending of data to Google is an opt-in process. This aims to fight the malware issue.
There you have it! Those terms as I have articulated above touch on the core of most malware operations. It’s covered in the developer policies and as such you should easily report any applications that go to the contrary since rules and terms will always be breached in the dark alleys of cybersecurity.
Whether or not you need a mobile security solution for your device is another matter altogether that more often than not will end up being personal. I for instance would not recommend an antivirus application for your Android device. By just being a little careful, you can keep most malware at bay. Android is an open source platform and when in the know (and there’s no shortage of how to materials online), you should take charge of your device the way you know best. You can even install apps like Android Terminal and run commands like you do in Linux when you need to grant privilege status to certain apps if you’re a root user instead of having apps granting themselves superuser permissions since you’re rooted.
For the not so tech savvy Android device owners, a decent mobile security application with added features like remote wipe, remote tracking on top of its security features should be a good deal. However go for such an app when you’re sure you want one but not as a result of news articles and blogposts from gloried naysayers out to bash Android or press releases from major security software firms out to make a kill by instilling fear in you the Android device owner.
Also know that the security software only protects you from known threats. If you happen to bump into potentially harmful malware for the first time, your security software won’t help you instantly. It will take time (from 24 hours to a week) for it to be identified and listed by the security software maker and then the app you have can have binaries to reference to and identify the threat. The best way to keep off all trouble is to be alert. You never know when you’ll be the unlucky one.
By the way don’t get me wrong. Some of these security software firms do a great job in identifying malware on Android and alerting Google on time about it. For example the Android.Dropdialer malware that was embedded in two gaming apps for close to a month where those apps amassed close to 100,000 installations on Android devices was identified by Symantec and taken down quickly by Google. I’m just pointing out that every time a new report on malware on Android devices comes out with eyebrow-raising numbers, don’t be alarmed. Over my short 3 year stint using Android devices, I’ve not had even one of my Droids malfunction due to malware. And no, my devices don’t have protection; I reserve that for other activities 🙂