A quick guide to mobile malware (part 3)

Phone

This is the third and final article in this series on mobile malware.

How (Can I Protect Myself)?

Permissions request list from Trojan:Android/AdSMS
Permissions request list from Trojan:Android/AdSMS

In  my previous articles, I’ve covered what kind of mobile threats have emerged in the first half of 2011 and why these malicious programs may cause concern for smartphone users.

Now, let’s assume you’re a cautious smartphone user who wants to make sure you don’t get hit by a malware infection on your smartphone. What can you do?

Well, you can’t do much better than getting advice from an expert. Zimry, an Analyst from our Response Lab, wrote an excellent piece on mobile security in our Labs Weblog a while ago. The post includes some practical actions a user can take to protect themselves from mobile malware, so rather than repeat that here, I’ll just say – check out Zimry’s post!

Trust issues

For this post, let me focus instead on the central issue that any mobile security tips deal with, either directly or indirectly – evaluating trustworthiness. I won’t be offering a step-by-step how-to guide, but rather a change in the way an average user might be looking at mobile security, which would hopefully lead to better security practices.

Of course, there are mobile antivirus programs that can provide an independent evaluation for apps and websites. Still,  just as with the PC, mobile security isn’t just ‘install a program and forget about it‘; secure browsing habits and an alert user play a big part in security too.

Now, to even begin to appraise a site or an app, you first have to have some kind of benchmark or a mental framework that can help you accurately evaluate the potential security concerns. Unfortunately, since the whole ‘mobile environment’ (as opposed to the ‘online’ or ‘PC’ environments) is still rapidly evolving, there simply aren’t that many ‘landmarks’ or ‘signposts’ (right now) that can help a user gauge the risks they may be facing.

So to help you start getting a ‘feel’ for evaluating mobile security risks yourself, here are a few things you might want to consider when you’re navigating the mobile environment  (if you have any other suggestions, feel free to comment!).

‘Levels’ of trustworthiness for app sources

Only download apps from trusted sources”  – this is by far the most common advice you’ll probably hear for mobile security. It also brings up the obvious question: how do you know a source can be trusted? This does require a bit of a judgement call, but you could very roughly grade sources into three levels of trustworthiness based on two factors:

  • How much security checking the source provides on the apps it promotes
  • And how much independent feedback is available for you, as the user, to make an informed judgement

Top Level Trusted Sources would comprise the official download site maintained by each operating system vendor – Google’s Android Market, Apple’s Appstore, Blackberry’s App World and so on. The apps posted on these sites are usually vetted by the respective agencies (to varying degrees). This is also the easiest ‘standard’ source for most users; Android devices require the user to change a setting in order to install apps from non-Market sources, while iPhone users need to jailbreak their device before using apps from outside the Appstore.

Second Level Trusted Sources would comprise of the popular but unofficial sites or forums that also host apps, usually for a particular operating system. There are quite a few of these sites around around, ranging from dependable community-run portals for developer/enthusiasts to outright warez sites for users wanting cracked versions of paid apps. Most of these sites do post reviews form other users, which can serves as a rudimentary safety check for a browsing user, but still, the caution ‘Buyer Beware’ applies.

Third Level Trusted Sources are basically anything that aren’t ‘official’ sources or major community sites with a large pool of active users – the ones you’ve personally tried and are comfortable with using. In this category, we could put files shared between online friends and really any other kind of informal app sharing.  The risks involved here are really up to the user.

Evaluating an app’s trustworthiness

“But wait!” I hear you cry, “Wasn’t there a malware outbreak on Android Market itself? And a couple trojans on the iPhone as well? How do I know if I can trust even the apps on a ‘trusted source’?”

Very good point. Despite any security checks an official site may have,  malicious-minded folks can and do manage to slip through the cracks from time to time. This means that even on trusted sources, users shouldn’t relax their vigilance entirely.

Before downloading an app, it’s worth your while to scrutinize it closely; a little research before installing can save hours of regretful clean-up later. So, what should you be looking at?

  • Check the application permissions
    Read through, understand and make sure you’re comfortable with the controls the applications request. Also, make sure they make sense. A media player probably shouldn’t be asking to send SMS messages. Don’t forget to check all the permissions – some apps have a long list of permission requests, and the more objectionable ones could be conveniently off-screen, or even require the user to click additional buttons before being displayed.If there are any permissions requested that seem inexplicable, or make you uncomfortable, you could also try contacting the developer directly. Most reputable developers provide a channel – whether it’s a website, Facebook page or direct replies to user reviews – to receive and respond to feedback.
  • Check the reviews
    All the official download sites show a user reviews section, which can give illuminating feedback about the app. Most unofficial forums will also post reviews from other users. You may also want to check through the reviews to see if anyone else using the same device model as yours has contributed any useful feedback. If a malware is using a particular vulnerability on a specific operating system version to run, its possible the malware won’t work on any other version.

Verifying a site’s trustworthiness – on a mobile browser

A phishing site viewed on a mobile browser
A phishing site viewed on a mobile browser

Phishing was one of the malicious activities we predicted would be a issue on mobile devices, particularly as the small screen real estate makes it difficult to conveniently check a webpage’s URL. This is one area where user vigilance has a direct impact on security.

Manually typing in the correct URL for a site you want to visit – particularly if it’s a banking or social networking site, or any site where you have to enter in log-in credentials – is the surest bet. In this case, unless the site itself has been thoroughly compromised, there’s simply very few ways for an attacker to divert you to a site of their choosing.

If you’re directed to a website by any other method, you would need to consider evaluating a) the site that sent you; and b) the site you’re being sent to. Were you directed to the new location by a reputable site you frequent? A search engine? A bookmark? An ad? The sender’s trustworthiness would depend entirely on your familiarity with and confidence in it.

Once you’re on the new site, even if it looks perfectly legit, taking a quick glance at the full URL is a good way to evaluate the site’s trustworthiness. It’s particularly important to double-check the URL on any site that asks you to enter information. If there’s anything ‘phishy’ about the site – try searching for the site in a search engine and compare the URL with the one you’re on.

You can also look for and use a mobile security program that performs real-time URL checking and displays a warning if it leads to a known malicious site. Depending on the program, there may be an impact on the speed of browsing, so you’ll have to evaluate for yourself whether the risk outweighs the inconvenience. Of course, we have a Mobile Security app, but look around as well and find something that suits your needs.

Summary

Though mobile security is a relatively new field, and we expect to find unique threats targeting mobile users in the months to come, there’s one thing that doesn’t change whether you’re on a smartphone or a PC – the need to stay alert, cautious and informed.

With just a little bit of knowledge and care, you can enjoy all the benefits of having a spankin’, shiny smartphone – without any nasty trojans or worms to worry about.

Surf safe!

Tags

Rate this article

0 votes

1 Comments

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

You might also like