This is the third and final article in this series on mobile malware.
Now, let’s assume you’re a cautious smartphone user who wants to make sure you don’t get hit by a malware infection on your smartphone. What can you do?
Well, you can’t do much better than getting advice from an expert. Zimry, an Analyst from our Response Lab, wrote an excellent piece on mobile security in our Labs Weblog a while ago. The post includes some practical actions a user can take to protect themselves from mobile malware, so rather than repeat that here, I’ll just say – check out Zimry’s post!
For this post, let me focus instead on the central issue that any mobile security tips deal with, either directly or indirectly – evaluating trustworthiness. I won’t be offering a step-by-step how-to guide, but rather a change in the way an average user might be looking at mobile security, which would hopefully lead to better security practices.
Of course, there are mobile antivirus programs that can provide an independent evaluation for apps and websites. Still, just as with the PC, mobile security isn’t just ‘install a program and forget about it’; secure browsing habits and an alert user play a big part in security too.
Now, to even begin to appraise a site or an app, you first have to have some kind of benchmark or a mental framework that can help you accurately evaluate the potential security concerns. Unfortunately, since the whole ‘mobile environment’ (as opposed to the ‘online’ or ‘PC’ environments) is still rapidly evolving, there simply aren’t that many ‘landmarks’ or ‘signposts’ (right now) that can help a user gauge the risks they may be facing.
So to help you start getting a ‘feel’ for evaluating mobile security risks yourself, here are a few things you might want to consider when you’re navigating the mobile environment (if you have any other suggestions, feel free to comment!).
“Only download apps from trusted sources” – this is by far the most common advice you’ll probably hear for mobile security. It also brings up the obvious question: how do you know a source can be trusted? This does require a bit of a judgement call, but you could very roughly grade sources into three levels of trustworthiness based on two factors:
Top Level Trusted Sources would comprise the official download site maintained by each operating system vendor – Google’s Android Market, Apple’s Appstore, Blackberry’s App World and so on. The apps posted on these sites are usually vetted by the respective agencies (to varying degrees). This is also the easiest ‘standard’ source for most users; Android devices require the user to change a setting in order to install apps from non-Market sources, while iPhone users need to jailbreak their device before using apps from outside the Appstore.
Second Level Trusted Sources would comprise the popular but unofficial sites or forums that also host apps, usually for a particular operating system. There are quite a few of these sites around, ranging from dependable community-run portals for developers/enthusiasts to outright warez sites for users wanting cracked versions of paid apps. Most of these sites do post reviews from other users, which can serve as a rudimentary safety check for a browsing user, but still, the caution ‘Buyer Beware’ applies.
Third Level Trusted Sources are basically anything that isn’t an ‘official’ source or a major community site with a large pool of active users – the ones you’ve personally tried and are comfortable with using. In this category, we could put files shared between online friends and really any other kind of informal app sharing. The risks involved here are really up to the user.
“But wait!” I hear you cry, “Wasn’t there a malware outbreak on Android Market itself? And a couple trojans on the iPhone as well? How do I know if I can trust even the apps on a ‘trusted source’?”
Very good point. Despite any security checks an official site may have, malicious-minded folks can and do manage to slip through the cracks from time to time. This means that even on trusted sources, users shouldn’t relax their vigilance entirely.
Before downloading an app, it’s worth your while to scrutinize it closely; a little research before installing can save hours of regretful clean-up later. So, what should you be looking at?
Phishing was one of the malicious activities we predicted would be an issue on mobile devices, particularly as the small screen real estate makes it difficult to conveniently check a webpage’s URL. This is one area where user vigilance has a direct impact on security.
Manually typing in the correct URL for a site you want to visit – particularly if it’s a banking or social networking site, or any site where you have to enter log-in credentials – is the surest bet. In this case, unless the site itself has been thoroughly compromised, there are simply very few ways for an attacker to divert you to a site of their choosing.
If you’re directed to a website by any other method, you would need to consider evaluating a) the site that sent you; and b) the site you’re being sent to. Were you directed to the new location by a reputable site you frequent? A search engine? A bookmark? An ad? The sender’s trustworthiness would depend entirely on your familiarity with and confidence in it.
Once you’re on the new site, even if it looks perfectly legit, taking a quick glance at the full URL is a good way to evaluate the site’s trustworthiness. It’s particularly important to double-check the URL on any site that asks you to enter information. If there’s anything ‘phishy’ about the site – try searching for the site in a search engine and compare the URL with the one you’re on.
You can also look for and use a mobile security program that performs real-time URL checking and displays a warning if it leads to a known malicious site. Depending on the program, there may be an impact on the speed of browsing, so you’ll have to evaluate for yourself whether the risk outweighs the inconvenience. Of course, we have a Mobile Security app, but look around as well and find something that suits your needs.
Though mobile security is a relatively new field, and we expect to find unique threats targeting mobile users in the months to come, there’s one thing that doesn’t change whether you’re on a smartphone or a PC – the need to stay alert, cautious and informed.
With just a little bit of knowledge and care, you can enjoy all the benefits of having a spankin’, shiny smartphone – without any nasty trojans or worms to worry about.