Dubai: Android, Google’s mobile operating system, has attracted the bulk of cybercriminals’ attention compared with other platforms because of its popularity and open platform.
According to Trend Micro’s latest report, the number of malicious and high-risk Android apps hit 718,000 in the second quarter, compared with 509,000 in the first quarter of this year. In just six months, these apps surged by more than 350,000 – a number that originally took them three years to reach. The number of Android malware at the end of last year stood at 350,000. It is expected to hit one million by the end of this year and reach three million by the end of next year.
The UAE recorded the highest malicious Android app download volume in the quarter, overtaking Myanmar, which was placed first in the previous quarter.
Smartphones are now facing threats previously seen on computers.
The use of apps has grown with the advent of smartphones; at the same time, users should be aware that apps can put their personal information at risk. Privacy issues are also a big concern for users. For instance, apps like Angry Birds can access the phone’s International Mobile Station Equipment Identity (IMEI) number and the user’s location.
Here are some of the frequently asked questions.
Question: Who writes the apps?
Answer: Apps are written either by a developer or developers for anyone willing to pay. Apps are written for Google’s Android platform, Apple iOS, BlackBerry and Microsoft’s Windows. They are written in each platform’s preferred language, or they can be written for all the platforms in the same language, using a third-party tool to generate the code.
Do many of the app stores lack info on privacy policy?
Many free apps lack a privacy policy, which clearly states what an app can access. This is especially common for apps offered by websites not associated with the main app stores, such as Google Play and the Apple App Store.
A good app will declare what it will access on your smartphone, but often these “permissions” are not changeable, meaning users must make the decision to either continue to use it or abandon it.
Users should be able to tap on each permission to know more. Whenever an app sends you a request for a manual update, it means the app has added a new feature and requires additional permissions.
How do app stores give the green light to apps?
App developers need to fill in a set of details such as the name of the app, its description, the markets in which it should be available, etc. Developers also need to upload some files, for example the source code, a certificate from the developer, and the app’s icon.
During the approval process, the app will be verified to check if it breaches any terms of agreement or uses any malicious/unwanted code. This process is strictly followed only by Apple and to a certain extent by BlackBerry.
Apple’s security model offers strong protection against traditional malware, primarily due to Apple’s rigorous app certification process and their developer certification process, which vets the identity of each software author and weeds out attackers.
Google has opted for a less rigorous certification model, permitting any software developer to create and release apps anonymously, without inspection. This lack of certification has arguably led to today’s increasing volume of Android-specific malware.
Despite all the checks, malware can still enter the app stores, as has been shown recently. It may stay for only a few hours before being detected by the app market, which continually scans for malware. Reports have shown that malicious code has entered the app markets regardless of platform. Downloads should always be from the legitimate app market.
Never download apps from third parties because users may not know what they are getting. There are more than 500 unknown stores that are allowing malware to thrive.
Does Android have an approval process?
It generally does not. If the app has some suspicious activities, it may be caught by the app store.
If developers want to update an app, do they need to get the permission of app stores or can they do it themselves?
For Apple, the app must go through the approval process again. For Android, the app will get automatically approved.
Among the platforms, which has more stringent procedures for placing an app?
Apple is the most stringent. BlackBerry is good, but takes a long time. Android has weak vetting procedures. Windows has good security, but a small selection of apps.
How does a user know what permissions he gave for apps?
Users can go to settings/manage apps/app info to know what the app can access on their phone. There is no way to restrict app permissions by default. But if you are confident when working with your smartphone, you can download apps that will prevent apps from accessing certain systems on your phone.
What can the apps do with my permissions?
When you download an app, it will ask for permission to access content such as the address book, pictures and location. These apps can then do whatever they want, such as send that data to third parties. If an app is asking for more than what it needs to do its job, you should skip it. For example, when downloading a game, the app does not need access to your pictures or documents. Users need to be careful when giving permissions.
How is phishing done through apps?
Phishing is redirecting users to a web page that appears to be legitimate in order to get their personal data and passwords. If any app asks for your user name and password in a way that has nothing to do with the app itself, there is a strong possibility it is a phishing attack. If you find something fishy, immediately report it to the app market authorities.
What are the cybercriminals looking at?
Cybercriminals are trying to steal users’ information without their knowledge. Much mobile malware also makes a profit by tricking users into sending text messages to premium-rate numbers owned by hackers. Some wallpaper apps or battery saver apps have been shown to bleed money from victims.
Malicious apps can access your contacts and send them emails, and can also see what users do on their devices, from typing user names and passwords to financial transactions.
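The permission advice in the answers above (skip an app that asks for more than its job needs, and be wary of wallpaper or battery apps that can send texts) can be checked mechanically. The following is an added example, not part of the original article: it assumes the app's AndroidManifest.xml has already been decoded to text XML, and the per-category baseline in `EXPECTED` is a hypothetical one chosen for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Sensitive permissions mapped to the risk the article associates with them.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send texts, including to premium-rate numbers",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.READ_PHONE_STATE": "can read device identifiers such as the IMEI",
    "android.permission.ACCESS_FINE_LOCATION": "can read the user's location",
    "android.permission.READ_EXTERNAL_STORAGE": "can read pictures and documents",
}

# Assumed baseline of what each app category plausibly needs (illustrative only).
EXPECTED = {
    "game": {"android.permission.INTERNET"},
    "wallpaper": {"android.permission.SET_WALLPAPER",
                  "android.permission.READ_EXTERNAL_STORAGE"},
    "navigation": {"android.permission.INTERNET",
                   "android.permission.ACCESS_FINE_LOCATION"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml, category):
    """Return (permission, risk) pairs that exceed the category's baseline."""
    # An unknown category gets an empty baseline, so nothing is silently accepted.
    allowed = EXPECTED.get(category, set())
    return [(p, SENSITIVE[p]) for p in sorted(requested_permissions(manifest_xml))
            if p in SENSITIVE and p not in allowed]

# Constructed sample: a wallpaper app that also asks for SMS and contacts.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, risk in audit(SAMPLE_MANIFEST, "wallpaper"):
        print(f"{perm}: {risk}")
```
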
Can users use credit cards on apps?
Yes, if it is a legitimate app and downloaded from the legitimate app stores. But before doing that, scan it with security software.
Can users download apps that do not come from legitimate app stores?
Yes, but it’s better not to.
How do you delete malicious apps?
Go to settings/app info/uninstall. The best way is to reset your smartphone which will clear the memory of the device.
Can anti-virus software tell users whether the app is malicious or not?
Yes, it can. It has to be mobile antivirus software. It can tell the user, usually by scanning the app’s technical details or looking at the fingerprint of the app or how it (mis)behaves.
It can also tell users about what resources the app is accessing, whether any text messages are being sent, and whether the phone is connecting to an outside host. It can give protection against software that records keystrokes and other spyware. It can also remove unwanted tracking cookies (web files).
Is using the latest operating system of any benefit?
Yes. Threats could be eliminated by using the latest version of the operating system. Old versions will not get support from the manufacturer and it is easy for cybercriminals to deploy malware onto the phones.
Is antivirus or security software a must?
Yes. Always install security and anti-malware software. When you download an app, the security software can scan it for embedded malicious code and block it.
- With inputs from Bulent Teksoz, Chief Security Strategist, Emerging Markets, Symantec.