Mobile Threat Monday: A Look Back
Mobile Threat Monday is such a SecurityWatch institution that it's hard to realize it only began last spring. At first we called it 'Dangerous Android Apps,' and it appeared on Friday, not Monday. We realized, though, that mobile threats aren't limited to Android, so in June we opened it up to all kinds of mobile threats. Altogether we've posted over 30 Mobile Threat Monday columns covering over 60 distinct threats.
Thanks to Our Contributors This column simply wouldn't exist without the contributions of researchers from around the world. We've posted warnings based on alerts from Symantec, McAfee, Lookout, and Kaspersky, among others. However, three major contributors have powered the vast majority of our posts.
Appthority and Bitdefender are definitely the top two. Between the two of them, they've given us more than half of the threats we've reported. F-Secure is another big contributor. Three quarters of submissions come from these, the top three. Thanks, guys!
Android, Android, Android We did take 'Android' out of the column's title, but Android absolutely dominates the field of mobile malware. BlackBerry showed up precisely once, in a warning about the Tube Map Live app, which fails to secure your personal information. This one affected Android too; no surprise there.
More Than Malware While we've reported on banking Trojans that steal your money and actual malicious programs that can completely take over your device, the vast majority of threats aren't as actively nasty. Mobile app developers just want to make money, and some have few scruples about just how they do it.
One almost-legitimate way to make money involves advertising. Hook your free app to an advertising network and you can expect a modest income. But some programs go too far, scraping personal information and sharing it with over-aggressive ad networks. Around 20 percent of threat's we've reported involve this sort of abuse.
A more direct way to siphon money out of the victim's pocket involved premium SMS numbers. You've probably seen them connected with charity efforts; text to such-a-number and donate $10 to the relief fund. Premium SMS is pretty well-regulated in the U.S.; not so much in other countries, including Russia and China. Trojanized apps that send premium SMS messages are more prevalent in these countries, and we've reported on quite a few.
Then there are the developers that have no bad intentions, just bad coding skills. Their errors can expose personal data including medical history, passwords, and instant messages. An app that fails to properly secure your personal information can be just as damaging as one that actively steals data.
All Together on the Chorus So, what should you do to stay safe? You could switch to iOS, but if you're an Android user that's probably not what you want to hear. Trojanized or ill-designed apps do sometimes show up in official Android app stores, but unofficial sources are much more likely to be compromised. Stick to the safe stores, and make sure your device is set to reject installations from other sources.
Pay attention to the permissions requested when you install an app. Does that free flashlight app really need to know your location? Many Android security products will double-check permissions for you and offer advice; Editor's Choice avast! Mobile Security & Antivirus is one such, and it's free.
In the U.S. you're less likely to get hit with premium SMS charges, but keep an eye on your bill regardless; it could happen. And of course, keep reading Mobile Threat Monday and SecurityWatch to stay abreast of the latest developments.