New mobile threat families and variants rose by 49% from last quarter, from 100 to 149. Of these, 136 (91.3%) were Android and 13 (8.7%) were Symbian. The Q1 2013 numbers are more than double those of a year ago in Q1 2012.
While the “walled gardens” of iOS and Windows Phone, where apps require approval before sale, have prevented malware threats from developing for the iPhone or Nokia models running those systems, Android threats are increasing and becoming more likely to affect average users.
“I’ll put it this way: Until now, I haven’t worried about my mother with her Android because she’s not into apps,” F-Secure Security Advisor Sean Sullivan said. “Now I have reason to worry because with cases like Stels, Android malware is also being distributed via spam, and my mother checks her email from her phone.”
You can get the entire report here and, as you read through it, listen to our Chief Research Officer Mikko Hypponen and Sean Sullivan walk through the report in this exclusive preview. (Sorry, there is an odd echo for the first few minutes of the recording.)
Here’s a look at profit-motivated threats. Is anyone surprised that mobile malware authors are mostly motivated by money?
As far as the types of threats our Labs is seeing, Trojans continue to dominate:
There hasn't been an app that has exploded this quickly in a long time -- possibly ever. An "augmented reality" game that combines geocaching with a kids' favorite from the '90s-'00s, Pokémon Go is already nearing 10 million downloads. And you can hardly go on social media without finding someone either bragging about snaring a rare Bulbasaur or begging for an explanation of the phenomenon.
On Monday several stories broke about privacy concerns about the game, so we ran them by our Security Advisor Sean Sullivan, who had some good news for us: The stories are mostly overblown. Let's go through them.
You heard about the robbery of Pokémon players drawn by robbers to PokéStops? "The robbery stuff is hyped nonsense, allegedly happens once, and the press can't resist telling the story," Sean told us. If you're really worried, practice the same tactics you use when trick-or-treating -- including sticking to well-traveled areas and playing with friends.
How about Niantic, the app's maker, collecting "your email address, IP address, the web page you were using before logging into Pokémon Go, your username, and your location"? Sounds bad, right? Maybe. But it's "typical of most apps," Sean says. Still, as always, you should check your privacy settings.
What about the news that the app gives Niantic full access to your entire Google account, which you have to use to create an account for the game!? Turns out that the maker was never able to read your Gmail and the permissiveness has more to do with Google's settings than Niantic's. However, to play, you may still want to create a separate Google account that isn't connected to your Gmail, as F-Secure Labs explains below.
https://twitter.com/FSLabs/status/752766796227284993
Yes, criminals are taking advantage of the app's popularity and Android's laxer security standards -- at least compared to the iOS App Store -- to spread infected fake "backdoored" versions of the app. But that's true of many, many popular Android apps, which is why you should always stick to the official app stores and check reviews before downloading.
Sean is a known fan of Nintendo, which owns the Pokémon brand, so he may be a bit biased. But all he has is good news for you, for now.
Given the success of the app, you're bound to hear many stories that stoke suspicion both of the app and the players. You're also likely to see many imitators who will take advantage of how the app has exposed adults' urges to play games on their phones that actually bring them into public.
And, of course, there will be efforts to monetize this sensation. Players can already buy virtual items to speed their progress, but augmented reality presents unique advertising opportunities. "The game’s real-world nature also gives Niantic another intriguing moneymaking possibility, by charging fast-food restaurants, coffee shops and other retail establishments to become sponsored locations where people are motivated to go to pick up virtual loot," the New York Times reports.
These partnerships may spark new concerns about sharing players' location data with ad partners. But for now, people seem very willing to go out into the world and make themselves known as Pokémon Go players. While the success of Pokémon Go may be extraordinary, the privacy and security concerns are typical of any well-known app.
[Image by Noah Cloud | Flickr]
Reports that as many as 40 million iCloud accounts have been compromised by Russian attackers have not been confirmed by Apple. But they haven't been denied either. "For now, let's assume there hasn't been a massive iCloud data breach," writes Steve Ragan at CISO.
So... what do the reported attacks look like? "It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim's device into lost mode," Ragan writes. "At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it." Then they demand the ransom -- usually $30 to $50 -- or all the data will be deleted.
What can you do to avoid such an attack? Get your security basics right. "So make sure that you have a unique, hard-to-crack, hard-to-guess password protecting your Apple ID account," Graham Cluley writes. "And, if you haven't already done so, I strongly recommend enabling two-step verification on your Apple ID account to make it harder for hackers to break in."
It's about a four-minute process. So do it. Now. You start by logging into your Apple ID. And while you're thinking about it, why don't you activate two-factor authentication on any account you can -- especially Google, which calls it "two-step verification" even though it's really "two-factor" since it involves your phone, and Facebook, which calls it "Login Approvals."
[Image by Gonzalo Baeza | Flickr]
In Finland, there is this thing called juhannus. A few years ago, our former colleague Hetta described it like this:
Well, Midsummer – or juhannus – as it is called in Finnish, is one of the most important public holidays in our calendar. It is celebrated, as you probably guessed, close to the dates of the Summer Solstice, when day is at its longest in the northern hemisphere. Finland being so far up north, the sun doesn’t set on juhannus at all. Considering that in the winter we get the never-ending night, it’s no surprise we celebrate the sun not setting.
So what do Finns do to celebrate juhannus? I already told you we flock to our summer cottages, but what then? We decorate the cottage with birch branches to celebrate the summer, we stock up on new potatoes which are just now in season and strawberries as well. We fire up the barbecue and eat grilled sausages to our hearts' content. We burn bonfires that rival with the unsetting sun. And we get drunk.
If that isn't vivid enough, this video may help: https://www.facebook.com/suomifinland100/videos/1278272918868972/
And because the celebration is just so... celebratory, it's easy to lose your phone. So here are a few ways to prepare yourself for a party that lasts all night.
1. Don't use 5683 as your passcode. That spells love and it's also one of the first passcodes anyone trying to crack into your phone will try. So use something much more creative -- and use a 6-digit code if you can on your iPhone. You can also encrypt your Android.
2. Write down your IMEI number. If you lose your phone, you're going to need this, so make sure you have it written down somewhere safe.
3. Back your content up. This makes your life a lot easier if your party goes too well, and it's pretty simple on any iOS device. Just make sure you're using a strong, unique password for your iCloud account. Unfortunately, on an Android phone, you'll have to use a third-party app.
4. Maybe just leave it home. Enjoy being with your friends and assume that they'll get the pictures you need to refresh your memory.
And while you're out you can give your phone a quick internal "clean" with our free Boost app.
[Image by Janne Hellsten | Flickr]