When you think about Android security, what comes to mind? Did you think about where your phone is right now? Maybe you thought about how easily you can find it if you lose it or if it falls into the wrong hands due to the security app you have? Did you think about malware protection? Probably not.
Like most Android owners, concern about trojans and viruses has never been given much, if any thought. This lack of concern might not be detrimental to the health of your phone now, but that won’t always be the case. There have already been a few incidents of malware attacks on Android devices.
In December 2009, First Tech Credit Union reported about a rogue app in Android Market that attempted to harvest online banking details from users who downloaded the app:
….It creates a shell of mobile banking apps that tries to gain access to a consumer’s financial information. Droid09 launched this phishing attack from the Android Marketplace and it’s since been removed. It’s called phishing because scammers go fishing for information about you or your financial account that may be used for identity theft.
In March of this year, a HTC Magic from Vodafone was found to be infected with bot client, a password stealer, and a Conficker variant. It was thought at the time the phone had been a poorly-wiped refurbished device.
More recently, at the hacker conference SummerCon, Jon Oberheide of Scio Security gave a demonstration of how easy it would be for someone to infect a large number of Android phones with a bot client. His method included exploiting what he feels is a security lapse in the Android Market; that apps don’t need user permission to fetch new code. Hiding his code in an innocuous application, within 24 hours after upload the app had already seen 200 downloads.
To take over those users’ phones, Oberheide would have also needed to exploit a vulnerability in Android’s Linux-based operating system. But he says that would have been fairly easy to pull off. According to research by the non-profit MITRE Corporation, there were 47 critical vulnerabilities in Linux found last year, up from just 27 in 2008. And Google has been slow to patch those vulnerabilities in Android, Oberheide says, often pushing out fixes to just a segment of users as a test before fully patching phones weeks later. “It’s absolutely trivial to win this race,” he says.
The threat of exploit isn’t limited to market apps either. Justin Shapcott at AndroidandMe has already talked about the the dangers of rooting your phone.
Don’t get me wrong, I’m not suggesting you stop using Android or be suspicious of any new app you might like. The Android community is a wonderful thing and it’s an entity that would not be where it is today if not for our phenomenal developers sharing ROMS, apps, and themes; Â not to mention Google itself. Being open however, is a double-edged sword. Ease of sharing can also make vulnerabilities easier to exploit.
I think all of us would agree restricting Android code and the market would be detrimental, which leaves the responsibility of securing your device up to you. There are a handful of software security apps on the market, including one from Norton Security. Online market AppBrain automatically filters out spam applications. Before you download that next app, take a moment and actually look at what the app is requesting access to. Most of all, if you come across something suspicious, report it immediately.