Most of us do whatever we can to avoid coming into contact with malware. Andrew Brandt spends his workdays attracting the stuff.
As Blue Coat Systems Director of Threat Research, Brandt uses a "honey pot" Internet server intended to catch malware purveyors in the act. While Brandt was demonstrating the honey pot to me, I told him it was as if he were living on the edge of a volcano.
"It's more like watching a bank of video security cameras focused on a high-crime area," he said. Brandt's surveillance server is completely sandboxed, which allows his team of security analysts to keep tabs on the doings of the Internet's bad guys without any risk to real data or systems.
Brandt described a recent encounter he had with a malicious app that found its way onto his Android phone. "I had downloaded an unrelated app a few hours earlier. [Out of nowhere], I get a text message on the phone thanking me for subscribing [to a $4-a-month service]." The malware had managed to sign Brandt up for the subscription from his phone without requiring any permissions.
"If it hadn't been for that message, I would have had no notice of the unauthorized charge until I saw it on my credit card bill," Brandt explained. This highlights two of the things phone users need to do to protect themselves: keep a close watch on their bank and credit card statements, and respond right away to challenge illegitimate charges.
Without a security app, your phone is exposed
The convergence of phone malware and workers connecting their phones to organizations' internal networks is causing IT managers to lose sleep, according to Brandt. "BYOD [Bring Your Own Device] makes it nearly impossible for IT to prevent their networks from being exposed," he explains.
According to security firm RiskIQ's recent study, the number of malicious apps on the Google Play store increased by 388 percent from 2011 to 2013. Meanwhile the percentage of malware apps removed by Google each year went from 60 percent in 2011, to just 23 percent in 2013. The percentage of malware apps on the Google Play store jumped from 3 percent in 2011 to 9 percent in 2012, and to almost 13 percent in 2013, according to RiskIQ's research.
The Norton Mobile Security support page lists the nefarious activities an Android malware app may attempt. It may collect your call and text logs, contacts, account info, and SIM card details. It could place ads in the notification bar and SMS inbox, or change your browser home page. Some malware apps play audio ads when you call a number in your contact list, according to Norton.
In my April 10 post "Protect your device from malicious ads," I described the Android version of the free Lookout Mobile Security app that features a real-time malware scanner. On the Phandroid site, Joe Fedewa covers a half-dozen Android security programs.
Fedewa also explains Google's seven layers of security for the apps developers upload to Google Play, and he points out the importance of avoiding security-app scams by sticking with brand names you know, such as 360 Mobile Security and Avast!, in addition to Lookout.
Phone security starts with you
Installing a security app on your phone is just the first step. Sometimes your own actions can override the protections of the device's antimalware program.
Blue Coat's Brandt repeatedly circled back to the importance of phone users being cautious when downloading apps. Wired UK's Dan Goodin explains how the Android-Trojan.Koler.A malware tricks visitors of a porn site into thinking they're downloading a video player. In fact, they're downloading a program that will lock the person out of their phone until they pay a ransom.
A more pernicious piece of Windows-based ransomware called CryptoLocker now threatens Android phones. CryptoLocker uses social-engineering techniques similar to those relied on by Android-Trojan.Koler.A. Once the malware is installed, it encrypts all the files on the phone, as Dennis Fisher reports on ThreatPost.
Keep a close watch on your monthly statements
One of the tips in my November 2011 post on how to shop safely online, was to sign up for a temporary credit card number before you make any Web purchases. As that post points out, not all credit card issuers provide temporary numbers.
When you discover a fraudulent charge on your account, you have two days to report it under the Electronic Funds Transfer Act to avoid more than $50 in liability -- and perhaps $0, depending on your bank's policies. My May 2011 post about how to avoid sharing personal info online explains that the protections apply only to credit cards, not to ATM/debit cards, which you should avoid using for online purchases.
It makes sense that as we rely increasingly on our devices, they become a bigger target for the bad guys. Keeping Internet crooks at bay requires a multilayer approach to security: the prevention of a security app, trustworthy download sources, and close attention to monthly statements.