New mobile threat families and variants rose by 49% from last quarter, from 100 to 149. 136, or 91.3% of these were Android and 13, or 8.7% Symbian. Q1 2013 numbers are more than double that of a year ago in Q1 2012.
While the “walled-gardens” of the iOS and Windows Phone, where apps require approval before sale, have prevented malware threats to develop for the iPhone or Nokia models running those systems, Android threats are increasing and becoming more likely to affect average users.
“I’ll put it this way: Until now, I haven’t worried about my mother with her Android because she’s not into apps,” F-Secure Security Advisor Sean Sullivan said. “Now I have reason to worry because with cases like Stels, Android malware is also being distributed via spam, and my mother checks her email from her phone.”
You can get the entire report here and as you read through it, listen to our Chief Research Officer Mikko Hypponen and Sean Sullivan walk through the report in this exclusive preview. (Sorry, there is a odd echo for the first few minutes of the recording.)
Here’s a look at profit-motivated threats. Is anyone surprised that mobile malware authors are mostly motivated by money?
As far as the types of threats our Labs is seeing, Trojans continue to dominate:
On Tuesday Apple announced its latest iPhone models and a new piece of wearable technology some have been anxiously waiting for -- Apple Watch. TechRadar describes the latest innovation from Cupertino as "An iOS 8-friendly watch that plays nice with your iPhone." And if it works like your iPhone, you can expect that it will free of all mobile malware threats, unless you decide to "jailbreak" it. The latest F-Secure Labs Threat Report clears up one big misconception about iOS malware: It does exist, barely. In the first half of 2014, 295 new families and variants or mobile malware were discovered – 294 on Android and one on iOS. iPhone users can face phishing scams and Wi-Fi hijacking, which is why we created our Freedome VPN, but the threat of getting a bad app on your iOS device is almost non-existent. "Unlike Android, malware on iOS have so far only been effective against jailbroken devices, making the jailbreak tools created by various hacker outfits (and which usually work by exploiting undocumented bugs in the platform) of interest to security researchers," the report explains. The iOS threat that was found earlier this year, Unflod Baby Panda, was designed to listen to outgoing SSL connections in order to steal the device’s Apple ID and password details. Apple ID and passwords have been in the news recently as they may have played a role in a series of hacks of celebrity iCloud accounts that led to the posting of dozens of private photos. Our Mikko Hypponen explained in our latest Threat Report Webinar that many users have been using these accounts for years, mostly to purchase items in the iTunes store, without realizing how much data they were actually protecting. But Unflod Baby Panda is very unlikely to have played any role in the celebrity hacks, as "jailbreaking" a device is still very rare. Few users know about the hack that gives up the protection of the "closed garden" approach of the iOS app store, which has been incredibly successful in keeping malware off the platform, especially compared to the more open Android landscape. The official Play store has seen some infiltration by bad apps, adware and spamware -- as has the iOS app store to a far lesser degree -- but the majority of Android threats come from third-party marketplaces, which is why F-Secure Labs recommends you avoid them. The vast majority of iPhone owners have never had to worry about malware -- and if the Apple Watch employs the some tight restrictions on apps, the device will likely be free of security concerns. However, having a watch with the power of a smartphone attached to your body nearly twenty-four hours a day promises to introduce privacy questions few have ever considered.
Our Freedome VPN service hit a new milestone this summer. We added our newest location in Paris, France and now have 11 nodes in 10 different countries: Canada (Toronto) Finland (Espo) France (Paris) Germany (Sachsen) Hong Kong Italy (Milan) Netherlands (Amsterdam) Singapore Spain (Madrid) Sweden (Stockholm) United Kingdom (London) United States (East Coast) United States (West Coast) That means regardless where you are in world, you can pick any of these locations to mask your whereabouts and use any of the services you love. Freedome also acts a VPN to encrypt your data so a free Wi-Fi network is safe for private transactions along, and it includes anti-virus, anti-tracking, and anti-phishing. It's been localized into 10 different locations and will soon be available for iOS devices. If you travel -- our just want your phone to think you're traveling -- this is the kind of protection you need. Get it now from the Google Play or iTunes store. Cheers, Sandra, UPDATED: Hong Kong and Singapore were added on September 15, 2014. [Image by jvieras via Flickr]
1.2 billion passwords reportedly stolen by Russian hackers. Time to change all your passwords yet again, say security experts. It seems every few months we're told the same thing. But how many people are actually doing it? My guess is, not many. Going in and changing all your passwords is time consuming and cumbersome, after all. But what these security experts aren't telling you, is that they're not even doing it themselves. I've got this on good authority from one of our own experts, Sean Sullivan, the Security Advisor in our Labs. “The dirty little secret of security experts is that when there’s a data breach and they recommend to ‘change all your passwords,’ even they don’t follow their own advice, because they don’t need to,” Sean tells me. What? They don't need to? Don't we all need to? Not according to Sean. Not if you're managing your accounts and passwords right to start with. “Unless I find out about a breach with a specific account, I don’t worry about my passwords," he says. "That’s because I use a tool to remember my passwords for me, and a few simple techniques that help to manage my accounts so as to minimize the risk.” Sean says that changing or not changing the password isn't the real problem anyway. The real problem is the way people's accounts are linked together, and the way the passwords offer access to those accounts. If you get your accounts managed properly, you won't have to worry every time you hear about a big data breach. If you know how your accounts are linked up, and you segregate your accounts, you'll be in much better shape to protect yourself in the long run. Then next time you hear about a breach, you'll be more in control - and you'll only need to change those passwords you know are really affected. So what are Sean's techniques? Read on: Diversify to reduce your risk. Segregate your accounts by creating separate email addresses for different functions. For example personal, professional, financial. That way if one email is broken into, it won’t compromise all your other information too. “Why not have a separate email address for your financial accounts? Then don’t give that address to anyone but those financial institutions,” Sean says. A bonus: if you get banking-related email in your personal account, you’ll know immediately that it’s not legit. When possible, use a different username than your email. Some services let you pick a unique username other than your email. When possible, it’s good to take this option as it’s that much more info a hacker needs to know. And use two-factor authentication when available. Use a unique password for each online account. Using the same password to access different accounts is rolling out a red carpet for hackers. If a password for your Facebook account is stolen, criminals can hop over to your email and other accounts and try the same password there. (And don't use duh-passwords like "123456" or "password." A bad password is no password at all.) Don’t give online accounts any more data than is absolutely necessary. The less that is there to be compromised, the better. If you are notified about a breach to a specific account, change that password. This goes without saying. Changing your account password habits may take a little effort, but in the long run it’s easier and less stressful than having to change all passwords after news of every breach. And it’s worth it to keep your personal data and online identity safe. Start small, taking care of one account at a time and building up until all your passwords are handled. But how does one remember so many unique passwords and log-ins, and manage them effectively? That's where F-Secure’s password manager, F-Secure KEY, comes in. KEY makes proper password management as easy and painless as possible. With KEY, there’s just one master password to remember, so it’s easy to have a unique password for each account. Need help generating strong passwords? KEY does that too. Check it out. It's free to use on any one device. Data breaches are the new reality, and it’s no longer a question of if it happens to you, but when. “There are two types of people in the world," Sean says. "Those that manage their accounts well, and those who are going to be in a world of trouble. Which group do you want to be in?” Image courtesy of Amnesty International UK, flickr.com