Protect your device from malicious ads

Much attention has been paid this week to the Heartbleed security hole that has affected hundreds of thousands of Web servers. Read staff writer Richard Nieva explain how you can protect yourself from the Hearbleed bug.

In a nutshell, the best protection is to change your Web passwords. All of them. In a post from December 2011, I explained how you can master the art of passwords.

There's not much consumers can do to guard against infected servers, but there's plenty we can do to prevent becoming the next victim of the growing legion of malware purveyors. In a nutshell, don't click that link. This goes double for links in apps on our mobile devices, which generally aren't as well protected as PCs.

According to the Cisco Security Blog's March 2014 Threat Metrics released earlier today, advertising is the most likely source of malware on mobile devices, increasing from 13 percent of mobile malware occurrences in February 2014, to 18 percent last month. Business sites were the source of 13 percent of mobile malware encounters in March, down from 20 percent the previous month; video sites accounted for 11 percent of mobile infections in the most recent month, compared to only 7 percent in the preceding month, according to the report.

Don't be tricked into a malicious click

Security vendor Blue Coat Systems' 2014 Mobile Malware Report points out the increasing danger of ads on mobile devices. According to the report, Web ads supplanted pornography as the most frequent source of mobile malware, accounting for just under 20 percent of all mobile "threat vectors" in February 2014, compared to only 5.7 percent in November 2012; porn-based threats decreased to 16.5 percent of mobile malware encounters from more than 22 percent in the earlier period.

The malicious ads use a tried-and-true infection technique: a legitimate-looking alert warns that the device is infected and prompts you to click to remove the infection. On Android devices, you'll then be prompted to change your settings to allow third-party downloads from sources other than the Google Play store.

That's why one of the recommendations in the report is to download apps only from authorized sources. The company also suggests that you block mobile ads, but doing so takes a concerted effort, and that effort may not be much use.

For example, Eyeo's AdBlock Plus, one of the most popular ad-blocking services for PC browsers (available for Internet Explorer, Firefox, and Google Chrome), isn't available in either Google Play or iTunes. (There is an app called "AdBlock" on iTunes, but it's from a developer I've never heard of, and it appears to be a standalone browser; I describe an alternative ad-blocking browser for Android and iOS below.)

You can download a version of AdBlock Plus for Android devices, but doing so requires that you change the setting to allow downloads from sources outside the Google Play service. Also, you have to configure the app manually by changing your proxy settings.

Even after the ad blocker is configured, you'll still be shown ads in the device's native browser and in other apps. The clunky configuration process and inconsistent ad blocking lead me to the conclusion that there's a better way, or two actually: the free version of the Mercury browser, which includes an ad-blocking option; and the free Lookout Mobile Security app, which offers a real-time malware scanner. Both programs are also available for each platform from the iTunes and Google Play stores.

An ad-blocking browser

The Mercury browser's ad-blocking feature is off by default. To enable ad blocking in the iOS version, press the settings icon in the top-right corner of the window and choose Settings. Tap Extensions, and toggle the Ad Block setting to On. On Android devices, Mercury's settings icon is at the bottom of the Window. After you choose the Settings option on the menu, press Plug-ins and check the box to the right of Ad Block.

The Mercury browser has many other security and usability features, including a private-browsing mode, login passcode, day/night mode, and an auto-brightness setting. I tested only the program's ability to block ads, which worked well in my testing.

The problem is, most popular Web sites encourage mobile users to download their standalone apps, so browsers aren't used as much on phones and tablets as they are on PCs. That's why an app that monitors all activity on the device is more effective at preventing a malware infection. This is where Lookout's Process Monitor feature shines.

The free version of Lookout for Android and iOS devices includes Process Monitor, which scans your apps and alerts you when one is running a malicious process. (I previously wrote about the Android version of Lookout in September 2012.) The iOS version notifies you of updates and warns you when an attempts to jailbreak the device. You also can back up your contacts and photos and locate a missing device by signing into your account on Lookout.com.

The premium version of the program costs $3 a month or $30 a year, and adds the Privacy Advisor and Safe Browsing features. You can try the premium version for 14 days without having to provide a credit card number.

Privacy Advisor lets you know which apps are tracking your location, reading your identity information, and accessing your messages and contacts.

The app's Safe Browsing feature warns you when you're about to click a dangerous link. When you open your browser, an alert appears to let you know Safe Browsing is enabled. In my testing I didn't encounter any links Lookout considered unsafe, so I don't know how the app alerts you or otherwise responds to a dangerous link.

Blocking ads is less effective at deterring infections on mobile devices than the real-time monitoring offered by Lookout. But your best defense is to avoid clicking ads specifically and links in general, particularly when you're unsure of the source -- whether in an email, on a social network, or embedded in an app. In this case, thank you for not sharing.