Computer Security: When apps lead to mishaps

An open market is a fine thing. Anyone can offer anything for sale. You have a broad variety of products, you can pick and choose. The only drawback is quality. Unfortunately, it is your responsibility to check whether you are getting acceptable quality for the price you pay. While this is more-or-less easy in the supermarket, it gets very complicated when talking about apps for your smartphone from the app market. And the malicious evil-doers are taking advantage of that…

Usually, you just enter “Google Play” or Apple’s “App Store”, make your pick and install the app of your choice. Easy. But how can you be sure that the app does not do more than you expect? A recent analysis of the devices of almost 700 million customers of 31 mobile network operators in 20 countries showed that about 6% of the devices were infected. Given the fact that Android devices account for around 75-85% of all smartphone sales worldwide, they are clearly under targeted attack. More than 98 000 malicious apps were detected, 51% of them available through Google Play, the rest only downloadable through third-party app stores. Thanks to Google’s efforts (“Google Protect” and the “App Defense Alliance”), 18% were removed.

So 32% remain which were not. The remaining 32% which, when installed, are used to abuse your phone. Top of the list is malware to conduct “advertisement fraud”, i.e. downloading hidden ads, automatically generating clicks on advertisements (so-called “Clickbots” like “emoji keyboard” or “Snaptube”), or tricking you into clicking on them without being aware (“Click-Jackers”). Different malware is using different techniques to avoid being spotted by the advertisement companies so that every click generates revenue for the app’s company, leading to a multi-million dollar loss for the advertiser. Other malware is misusing the smartphone’s CPU resources to generate crypto-currency (“Bitcoin mining”), initiating fake calls to expensive phone numbers or sending premium SMSs at your expense (“subscription fraud”). In fact, there is a mafia-like industry selling your smartphone’s resources to the highest (evil) bidder.

Once more, the responsibility is in your hands: always keep your smartphone up-to-date with the most recent version of your operating system (and if this is not possible as the smartphone hardware is too old and not supported anymore, consider replacing it completely). When downloading apps, “STOP – THINK – DON’T CLICK” (“Don’t install”!) is your best protection. A high number of downloads does NOT indicate that the app is clean. Check out the comments for the app you’re interested in. Take special care when installing apps from third-party stores. The security mechanisms put in place by such stores to avoid fraudulent abuse might be mediocre. Better to just refrain from downloading (trivial) apps you don’t really need produced by unknown (small) companies. One recent example discussed here is the problem of apps providing fraudulent VPN tunnels (see our Bulletin article on “Tunnel Madness“). Finally, it is a good idea to check your privacy settings regularly: do only those apps with a justified need have access to your camera, microphone, location, contacts? Some apps might reset these when they are updated.

And what about Android vs. Apple? It is not up to us to judge which smartphone operating system or smartphone model is best: that is your personal choice. From a security point of view, the tight control that Apple imposes on its operating system, the extended support it provides for its latest models and the stringent rules for publishing apps to its App Store are a strength compared to Android (see also “Android is the new Windows“). Nothing against Android, but…

______

/Public Release. The material in this public release comes from the originating organization and may be of a point-in-time nature, edited for clarity, style and length. View in full here.