Android malware and how to destroy a brilliant concept

This post is a reaction to the latest headlines about Android being "unsafe" or "insecure", and being a target for malware writers. I'll include some traditional "smartphone platform religion" views, the user perspective, the security trend analysis, and of course wrap it up with a nice paranoid reflection.

So what's the background story?

No matter what's causing the headlines on current smartphone issues, we all go ahead with the traditional discussion. What's best – Android or iPhone? The recent stories on Android like http://www.v3.co.uk/v3-uk/news/2033358/android-update-redistributed-suspicious-code or http://isc.sans.edu/diary/Rogue+apps+inside+Android+Marketplace/10480 or http://blogs.iss.net/archive/Examining%20the%20recent.html will probably be enough to get a hint (geek warning on some of the posts..).

Religious stuff here..

Android geeks like myself face a hard time now. How would you deal with this at the office, at school or amongst friends? "Of course iPhone is the best choice" you might hear. "Android sucks, it's insecure" would also be a common saying. And yes, I'm bound to agree on the "Android being insecure" part, and I'll get to that later. So, what about iPhone? A nice product developed by Apple, a company that has focused for years on usability and brand. Slightly higher product prices, more usability, and a membership in the fashionable Apple user community. I want to give credit to Apple here, being the "odd" one, standing tall on its own against brutal competition in the smartphone and computer market.

..But. Apple is Apple. Nothing else. Closed source. Total control. How secure is the iPhone really? I would say that the Apple Appstore is a success compared to Android Market. Apple had their "total control" attitude not only when designing their products, but also when creating the entire concept around iPhone and Appstore. Compared with Apple, Google took their "open source" and their "creative geek" attitude into the Android Market concept. Great thinking if you want world domination with new web technology. Not so great when going to the smartphone battle with an army of geeks armed to their teeth with open source attitude and a business focus equal to zero. No, there's nothing wrong with the Android community, but Google seems to fail in creating that trustworthy concept that is really needed to win the battle. I believe the battle will be won at the office, not at home.

As if it isn't enough that your CEO fancies the iPhone more than the Android because it is a status symbol and more fashionable, he/she can also finally hug his/her IT security specialists when they say "…it's safer than Android".

What to do

Damage control is needed, and really fast too. When apps get stolen, modified with malware, and redistributed in the Android market, it's time to revise the entire concept around Android Market. And when even the security updates are infected, it's near ridiculous.

  • How about a stricter quality evaluation before letting "contributors" into the Android Market?
  • How about Google certified apps? I mean, for real!?
  • How about security and quality evaluation, signed apps, and a user-friendly certificate control in the Android Market? Using certificates is nothing new. If you can have a green SSL bar in Firefox when browsing HTTPS sites, and have Microsoft-signed components automatically installed on your Windows machine, why not use the same technique in the Market?
  • And how about steering the community in the right direction? Geeks are very much needed, but Google should stay in control. Not the developers. Android is now a playground for open source followers, adapting to the low level of control. It's also becoming a playground for malware writers. Why? Because it's easy! Not only to write malicious apps, but they even get help from Google to spread them!!
  • Community, again. This goes for both iPhone and Android users. You no longer impress us with rooted phones. Stop reading the blog posts on how to root your phone, and start reading the stuff about what to look out for when downloading apps and using your mobile computer. (Yes, that's what it is. I even have hard-working servers with half the power of my Android phone.)

Future

Security specialists like myself have battled Windows malware for years, and probably the easiest and most cost-efficient change for the better is user awareness. We see it all over again now, with naive users pushed forwards by companies trying to gain world domination. Didn't Microsoft encourage you to start surfing the net and download and install software?

We also know that now, when the story repeats itself in the smartphone area, the route to the corporate network goes via the smartphone. Not good. Regardless of whether you are an iPhone or Android user, you all want to be smart and use smartphones. Too many of you are not being smart, and get "SmartPh0wned" instead.

Some advice

Using Android can be safe. Far safer than Microsoft, Apple, or any other platform. Read this please:

  • Don't store extremely sensitive information on your phone.
  • Use built-in security features, like the lock screen.
  • Don't trust any wireless network you see.
  • Install apps coming from well-known sources.
  • Before installing an app, read up on who the author is, just like you would check out software for your computer.
  • Before hitting the install button, look at the app's capabilities. If the capabilities go way beyond what the app is intended for – back out! A simple notepad app doesn't need to access your phonebook, GPS, send SMS or browse the Internet..
  • Read the manual. (Yes, you can still be a man. If in doubt, hide the manual in the bathroom or something to ensure privacy and keep up the geeky manly image)
  • Keep the papers you got from your operator. They can come in handy if you lose your phone.
  • Read blogs or magazines to find a good security app. They scan for viruses, and warn you if security settings are not optimized.
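
The capability check from the list above can also be done by script. This is an added example, not code from the original post: it assumes the app's AndroidManifest.xml has already been decoded to text XML (inside the APK it is stored as binary XML), and the per-app-type baseline and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the post names as out of place for a notepad app.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "phonebook",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.INTERNET": "Internet",
}

# Assumed baseline per app type (constructed for this example).
EXPECTED = {
    "notepad": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION",
                   "android.permission.INTERNET"},
}

# Constructed sample: a "notepad" asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notepad">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notepad"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a text manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml, app_type):
    """Compare requested permissions with the baseline for this app type."""
    excess = requested_permissions(manifest_xml) - EXPECTED.get(app_type, set())
    flagged = sorted(p for p in excess if p in SENSITIVE)
    other = sorted(excess - set(flagged))
    verdict = "back out" if flagged else ("review" if other else "ok")
    return {"verdict": verdict, "flagged": flagged, "other": other}

if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, "notepad")
    print(result["verdict"], [SENSITIVE[p] for p in result["flagged"]])
```

The same manifest audited as a "navigation" app no longer flags GPS or Internet, but contacts and SMS still stand out.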

Now, the paranoid stuff..

The path to the corporate network goes via the smartphone. The hacker wants your company to use a less secure smartphone platform. The hacker has a clear advantage if the company chooses its smartphone platform by image and style rather than security. The hacker has a clear advantage if the smartphone platform is closed source, as it is just as vulnerable as open source but vulnerabilities aren't disclosed immediately. The hacker wants the less secure platform to win the corporate race. The hacker wants to attack the more secure platform to make sure it never reaches "corporate standard"..

Are we witnessing the hacker community laying their favourite path to the corporate network here?

Comments are welcome. Be safe, be smart, don't get smartph0wned…
