With the largest installed base of all operating systems, Android has certainly taken the mobile world by storm, and as the active user stats show, Android just keeps on getting bigger.
The platform has evolved to bring new form factors – televisions, smartwatches and cars spring to mind – but also new vulnerabilities and exploits.
HummingBad and Gooligan
David Bisson reported on HummingBad and the nature of drive-by attack vectors last February, citing research from Andrey Polkovnichenko and Oren Koriat of the Check Point Research Team.
HummingBad – the components of which are encrypted – “establishes a persistent rootkit with the objective to generate fraudulent ad revenue” for criminals.
Polkovnichenko and Koriat observed that the infection vector of HummingBad was a drive-by download attack via several adult content sites, with the intention of causing some serious harm:
“As the malware installs a rootkit on the device, it enables the attacker to cause severe damage if [they] decide to change [their] objectives, including installing a key-logger, capturing credentials and even bypassing encrypted email containers.”
Later in 2016, the Check Point team identified an advanced variant of the “Ghost Push” malware found in a version of the SnapPea backup application. Dubbed “Gooligan”, the attack campaign compromised one million Google accounts to “access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more” via authorisation token theft.
Check Point found Gooligan malware code in “dozens” of legitimate-looking apps on third-party Android app stores; a total of 86 apps available in these external marketplaces had the potential to root 74 percent of the entire Android smartphone market.
Google’s Director of Android Security Adrian Ludwig responded to concerns in a brief statement, confirming that Google was aware of the threat.
Top tips for staying safe
1. Steer clear of sideloading
Sideloading – bypassing the Play Store to install apps from external sources – can be risky business. Rather than individually screening app submissions for malicious code, Google have opted for an approach based around continuous monitoring.
As with the mixed bag of Android malware scanners and protection mechanisms, Google’s “Bouncer” can be bypassed. If downloaded outside the Play Store, it’s difficult to know whether a file ending in .apk is truly safe – which is why “unknown sources” is switched off by default on Android.
Three days after Pokémon GO arrived in Australia and New Zealand, Proofpoint researchers identified a modified version infected with the DroidJack RAT (also known as SandroRAT), spread through third-party app stores.
So, in a nutshell: steer clear of sideloaded apps and stick with Google Play, or only use vetted third-party sources like Amazon Appstore, Humble Bundle or your organisation’s internal marketplace.
2. Keep your device up to date
When you consider the state of Android updates across the board, the term “fragmentation” may spring to mind.
The platform’s user base is segmented by varying levels of release adoption – from legacy manufacturers stuck with KitKat to Google’s flagship Pixel running the newest stable build of Nougat.
Billed as “a toxic hellstew of vulnerabilities” by Apple CEO Tim Cook, fragmentation creates deeper issues that extend beyond users’ “fear of missing out” on Android’s latest and greatest features.
Early last August, the Check Point team disclosed details pertaining to “QuadRooter” – a set of four vulnerabilities affecting Android devices with Qualcomm chipsets.
Qualcomm is the world’s leading designer of LTE chipsets with a 65% share of the LTE modem baseband market. If any one of the four vulnerabilities is exploited, an attacker can trigger privilege escalations for the purpose of gaining root access to a device. An attacker can exploit these vulnerabilities using a malicious app. Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.
As part of the official remediation strategy, Check Point remind users to download and install the latest Android updates as soon as they become available – including important security updates that help keep your device protected. Here’s how to do that:
- Visit your device’s Settings menu.
- Scroll to the bottom and select “About phone.”
- Select the “check for updates” or “system updates” option.
It’s good advice, but the bad news is that you may be one of the unlucky Android users who finds that following it results in nothing happening.
The sad truth is that purchasers of some manufacturers’ Android phones are being treated poorly – with no prospect of ever receiving security updates to defend themselves against threats.
3. Check app permissions carefully
Imagine downloading a new flashlight or note-taking app, only to discover it requires permission to access your contacts, send SMS messages, track your location and communicate across the internet.
Multiple permission models exist across the Android platform, meaning that malicious actors may target specific device classes when exfiltrating data to endpoints and shady ad networks. Before installing a new app, check the permissions requested, and be especially wary of those tagged with “this may cost you money” or with unnecessary requirements that may violate your privacy.
The Proofpoint research team alludes to this point in its analysis of the infected Pokémon GO app:
Another simple method to check if a device is infected would be to check the installed application’s permissions, which can typically be accessed by first going to Settings → Apps → Pokemon GO and then scrolling down to the Permissions section.
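The manual check Proofpoint describes scales poorly past one or two apps, but the same review can be scripted once you have adb access to the device. The following is an added example, not code from this article or from Proofpoint: it parses the permission entries that `adb shell dumpsys package <pkg>` prints and flags those a flashlight app has no business requesting, grouping them by the Play Store's "this may cost you money" wording and the privacy concerns raised above. The `com.example.torch` package and the dumpsys excerpt are constructed for the example, the risk buckets are the example's own grouping of real `android.permission.*` names, and the per-line layout the parser assumes should be checked against your own device's dumpsys output, which varies across Android releases.

```python
"""Triage the permissions an installed Android app requested, as listed by
`adb shell dumpsys package <pkg>`.  Added example; the dumpsys line format
the parser assumes varies between Android releases, so verify it locally."""
import re
from dataclasses import dataclass

# Real android.permission.* names; the risk buckets are this example's own,
# following the Play Store's "this may cost you money" wording and the
# privacy concerns raised in the article.
COSTS_MONEY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
PRIVACY_SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}
CONTROL_OR_PERSISTENCE = {
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
INTERNET = "android.permission.INTERNET"

# Baseline per app category; only the flashlight case is filled in here.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}
# One permission per line, optionally followed by ": granted=true|false".
PERM_RE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")


def parse_dumpsys_permissions(text):
    """Return (requested, granted) permission-name sets from dumpsys text."""
    requested, granted = set(), set()
    for line in text.splitlines():
        m = PERM_RE.match(line)
        if not m:
            continue
        requested.add(m.group(1))
        if m.group(2) == "true":
            granted.add(m.group(1))
    return requested, granted


@dataclass
class Finding:
    permission: str
    reason: str
    granted: bool  # requested but denied at runtime is lower risk


def triage(requested, granted, expected):
    """Flag requested permissions an app of this kind should not need."""
    findings = []
    unexpected = sorted(requested - expected)
    for perm in unexpected:
        if perm in COSTS_MONEY:
            reason = "this may cost you money"
        elif perm in PRIVACY_SENSITIVE:
            reason = "privacy-sensitive data access"
        elif perm in CONTROL_OR_PERSISTENCE:
            reason = "device control or persistence"
        else:
            continue  # e.g. ACCESS_NETWORK_STATE: unneeded but low risk
        findings.append(Finding(perm, reason, perm in granted))
    # Network access matters most once the app can also read data worth sending.
    if INTERNET in requested and any(p in PRIVACY_SENSITIVE for p in unexpected):
        findings.append(Finding(INTERNET, "network access alongside sensitive data", INTERNET in granted))
    return findings


def report(text, category):
    """Parse dumpsys text and triage it against one app category."""
    requested, granted = parse_dumpsys_permissions(text)
    return triage(requested, granted, EXPECTED_BY_CATEGORY[category])


# Constructed sample resembling `adb shell dumpsys package com.example.torch`
# for a flashlight app that asks for far more than it needs.
SAMPLE_DUMPSYS = """\
  Package [com.example.torch] (3f2a1b4):
    requested permissions:
      android.permission.CAMERA
      android.permission.FLASHLIGHT
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.READ_CONTACTS
      android.permission.SEND_SMS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for f in report(SAMPLE_DUMPSYS, "flashlight"):
        print(f"[{'GRANTED' if f.granted else 'denied '}] {f.permission}: {f.reason}")
```

To use it on a real device, feed the captured dumpsys text to `report()` in place of the constructed sample and supply a baseline set for the category of app being checked; a permission that is requested but shows `granted=false` still tells you what the app wanted, which is the point the article makes about reading permissions before installing.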
4. Read up on reviews and developer profiles
My next point of advice stems from a familiar safe computing practice: be careful about what you download, and be on the lookout for “too good to be true” applications. You can gain awareness into an app’s background by checking customer reviews and a developer’s ratings for their entire range of apps.
Be careful though – malicious hackers often create fake versions of popular apps, fabricating a stream of overly positive reviews to drown out users’ complaints. Sift through the haphazard array of spam to identify legitimate comments, and be sure to flag suspicious apps or comments to the Google Play store team.
Looking to another case which surfaced in August 2016: fake builds of the Prisma photography app placed up to 1.5 million users at risk of unwanted advertisements and data theft, as David Bisson reports.
Similar to the Pokémon GO DroidJack infection, David remarks that “malicious developers couldn’t resist” creating fake Prisma applications, with research from ESET indicating the emergence of several Trojan-laced versions.
Okay, don’t shoot us. We said we weren’t going to mention anti-virus software in this list of advice, and we know its inclusion will be controversial with some readers.
Some people swear by running some type of anti-virus product on their Android device, while others shudder at the idea – claiming that it will be too hungry on system resources, and isn’t worth it.
We think you should decide for yourself.
There are plenty of well-known security firms out there who have produced Android versions of their products – with some of them free for use by consumers. See how you get on and whether you can live with it.
Chances are, especially in an ecosystem where it can be hard to rely upon Android security patches from your phone’s manufacturer, that some form of anti-virus might provide an additional layer of protection.
But you should try it for yourself: test different security products and see whether you can live with one of them.
Stay up to date on the latest developments by keeping a close eye on our latest coverage on Android-related security issues.
One comment on “Top tips (not including anti-virus) for protecting your Android from malware”
On point # 1 ) there are several good app stores that you left out, namely https://f-droid.org
It offers free & open-source APKs that meet strict security screenings. Many of these apps are here because Google considers blocking "harmful to your device", which is the standard warning when installing Disconnect Me, AdGuard, Block This, and others that made it into the Play Store for a heartbeat before being booted. And we all know why, right? Also, Android Police's other website http://www.androidpolice.com/2016/04/25/meet-new-apk-mirror/ is another useful, safe site. And let's not forget https://www.xda-developers.com, where I think the name speaks for itself! People in other countries may not have access to the Play Store and Amazon, so I get a little annoyed sometimes when writers forget the other hundreds of millions who don't yet enjoy the safeguards we in the west do. And lastly, there are legit individual developers who produce fantastic products, and you need to research before you leap on installing ANY app, even from the Google Play Store!
On point #2) if you have the right hardware, you can learn to root and flash a new ROM; that's a completely new operating system, usually with all the latest security updates incorporated. But I just learned that the BIGGEST player in producing alternative Android ROMs imploded last month. CyanogenMod is done. DNS shut down. However, there is hope that the grassroots, which was what brought CM to its pinnacle of greatness, will regroup with the thousands of developers to carry on under a new name. But if you do find the downloads to the multitudes of ROMs, make sure they are from a safe and secure source. GitHub may be one place, but the blog and comments give some helpful information. https://plus.google.com/+CyanogenMod/posts/RYBfQ9rTjEH
And as always, XDA Developers has many resources, and has been around longer than the 8 years of CM.
On point # 3 ) Yes, review app permissions carefully always! And here is a great app to help do just that. https://play.google.com/store/apps/details?id=com.denper.addonsdetector
It will scan the permissions and any add-ons, such as advertising SDKs, developer tools, analytics, app notifications and more. You can review all these before ever opening the app. The biggest red flag is an app that is asking for device administration. This should almost never be granted, except in cases like Android Device Manager, which Google made to assist in locating, locking, and wiping a lost phone remotely. I won't even grant Nova Launcher that permission over the lock screen. And I love Nova Launcher as probably the best alternative launcher ever developed. In their own words:
Accept no substitutes! Nova Launcher is the original and most polished customizable launcher for modern Android
And the native app settings app manager should be reviewed too, because there are actions you can take by turning off some permissions with newer operating systems, like Marshmallow & up. But in some cases you might find another app that functions just as well with fewer permissions, which is my default action when looking for a particular app. I have only a few apps with ads, and you can guess the developer; a hint: G. That's over 80 apps ad-free (-:
On point # 4 ) By all means, do read the reviews, and then do an online search too. Find more comments on sites that have reviewed the app, perhaps. And use those links at the bottom of the Play Store app page to visit the app developer's website, and email them with any doubts or questions. And if they don't respond in a few days, that's a bad sign. And another bad sign is when the developer NEVER responds to ANY review comments. I'm not saying you should not necessarily try the app, but attention to potential and real users is a very good sign. But a word of caution: no, or very few, app permissions does NOT mean the app will not have access to other permissions not listed.
Finally point # 5 ) Anti-malware is a better name, but do use a free one. Avast is a good choice, but they do have safe ads inside, not delivered by a third party, and tastefully done. But Malwarebytes is my current choice, and clean as a whistle. These programs have had vulnerabilities just like any other software, which I find disturbing to say the least. Google's Project Zero has one of Graham's favorite researchers, Tavis Ormandy (-; who makes it a point to embarrass just about every vendor with what Tavis considers atrocious and simple vulns that any third grader should have caught. Right Graham? So, like the author says, try some out, because it's a matter of taste. Just don't pay for services that Google already gives you for free in many cases.
Gosh, I hope I've not exceeded the word limit? Verbose I am tonight.