Android Malware – Take the Security of Your Device Seriously

Guest writer Megan Berry has some timely advice on how you can avoid avoid malware on Android smartphones and tablets.

imageRule #1 of Android security: don’t download apps from websites other than Google Play for fear that you unwittingly infect your smartphone or tablet with malware. Well, not surprisingly, cybercriminals found a way to invalidate rule #1.

A security researcher at Symantec recently discovered two apps infected with malware in the app store that were quickly removed. But not before tens of thousands of users downloaded them.

This scenario is particularly troubling for companies with BYOD programs that permit Android devices to connect to their network. How do companies protect corporate assets without taking away employees’ ability to use their favorite mobile devices on the job? Especially since it seems that cybercriminals are always one step ahead of security experts.

Whether you use an Android device at home, on the job, or both, the growing threat of Android malware means it is more important than ever to take the security of your device seriously.

How to avoid malware on Android smartphones and tablets

Nothing you can do will guarantee you will never be infected with malware, but there are things you can do to minimize the risk.

· Before downloading an app, do a quick web search to check up on the developer and the app itself. Look for red flags in the search results, such as negative user reviews or complaints, that indicate you need to dig deeper before tapping that “Accept & download” button. Hint: You can visit the developer’s webpage from the app listing.

· Some malicious apps try to hide behind a legitimate brand name. Make sure the name of the developer jives with the title of the app.

· Read the app’s user reviews. Red flags will show up here, too.

· Examine the permissions of the app: are they in line with the app’s intended use? For example, does a news app really need to access your contacts or send text messages?

· IT managers should insist that employees install an Android anti-virus app. Or, better yet, insist that users turn their devices over to IT before they’re allowed to connect to the network for the first time. This way IT can install anti-virus software it has evaluated, configure it properly and enforce its use.

Android anti-virus apps: worth it or not?

The effectiveness of Android anti-virus apps is debatable, though. In a recent study, only a handful of Android anti-virus apps were found to detect most types of threats. The March 2012 study by AV-Test.org rated 23 out of 41 apps effective, or 56%. Of those 23, only 10 detected greater than 90% of known malware types.

Still, the authors of the study say any of the anti-virus apps that were found to detect greater than 65% of known malware types provide adequate protection.

Unpatched system software: Your device’s Achilles’ heel

Even though you’re careful about what apps you install and you run an anti-virus program, your device may still be vulnerable because of unpatched system software.

According to security vendor Duo Security, the speed at which wireless carriers supply updates to their users varies. Therefore, it’s possible for devices to go unprotected for long periods of time. The fragmentation of the Android platform complicates the task of rolling out updates, not to mention the fact that companies have little incentive to fix existing flaws when new devices with the latest system software are already on the shelves.

This is of particular concern for companies that allow their employees to connect their personal Android devices to the company network. It should also be of concern to employees, who may be liable if their device infects their employer’s network – many corporate bring-your-own-device (BYOD) policies place the responsibility for keeping devices malware-free squarely on the shoulders of the user.

Duo Security’s new app, X-ray, scans Android devices to discover unpatched flaws in system software. If the app finds a problem, the user can go to Settings>About Phone>System Updates to download the latest version. If an official update isn’t available via System Updates, Duo Security encourages users to contact their carrier for more information, or at the very least, exercise extreme caution when downloading apps.

Individual users can download and install the app from the X-Ray for Android website. Organizations can get an enterprise-level version by emailing the company.

Lesson learned

The lesson here is that unfortunately, it’s no longer safe to assume that just because an app is available from a reputable source, it’s malware-free. And, educating yourself and your users, combined with tried-and-true anti-virus software, is still the best protection against the quickly evolving threat that Android malware presents.

About the Author: Senior writer for IT Manager Daily, Megan covers the latest technology news and trends impacting business.

8 Comments

Filed under Android, Anti-Malware Tools, Guest Writers, Malware Protection

8 responses to “Android Malware – Take the Security of Your Device Seriously

  1. Pingback: Android Malware – Take the Security of Your Device Seriously | Bill … | Top Internet Security

  2. Pingback: Absolutely FREE – Quality, Innovative Online Computer Skills Training « What's On My PC

  3. Others thought that Android is Linux based so no malware or what so ever. They didn’t know that the more the user using this platform, the more malware will created by some opportunist.

    The problem is the patching of security holes in Android. Like in my country. They didn’t receive any updates coming from the carrier unless it comes through Kies.

    I don’t know who to blame but like I experience when I buy my Galaxy W. I decided to buy this because I see the features and hardware is really good. I buy this when it first came in my country. But for only one and half months, ICS came in and Samsung told that they only release updates for Gingerbread but not ICS to mid-range phone that’s I think very capable in ICS.

    Imagine, only for one and half months? No support in the new Android? I’m totally jealous when Sony announce that all their Xperia product line will get an ICS updates, take note: “all Xperia product line”.

    I tip that I can give is more involve in community that talk about the phone and the manufacturers. It will help you decided of what brand and phone will you buy.

    For securing your phone, number one more alert of the apps that you install in your phone, read a review and information about that app before you install, second install permission manager like PDroid. And maybe antivirus protection to your Android.

    Thank you Sir Bill for this helpful article.

    • Hey Vhick11,

      That’s a terrible experience. You have every right to feel as if you have been abandoned by the manufacturer.

      Your advice to get involved “in community that talk about the phone and the manufacturers” is worth noting.

      Best,

      Bill

  4. Luckily google is rolling out strict new regulations to prevent malware infected apps from being submitted to google play. But these tips are still very helpful because Google still hasn’t gotten the problem completely under control.

  5. John Bent

    Hi Bill,

    Not wishing to nitpick but there is conflicting advice here. I have set my phone not to download applications other than from Google Play, in accordance with “Rule No.1 of Android Security”.

    Further down the article readers are invited to download X-Ray for Android, which is not available via Google Play. Following the link leads to a download page on which instructions are given on how to enable your phone to download non-market applications.

    X-Ray for Android may well be virus-free, but I think that this advice could be seen as muddying the waters in a very important area.

    Kind regards
    John

    • Hi John,

      It’s not nitpicking – not at all. In fact (although you may not have noticed it), I’ve been juxtapositioning Tech headlines that make a mockery of each other. Especially on items covering Windows 8 and, the Cloud.

      Truthfully, I’m beyond tired of listening to “tech experts” spouting off on issues that they have no fundamental knowledge of. Sorry about the “of” – but, as one of my British friends pointed out recently, there are exceptions. :)

      Best,

      Bill