Google Play has suffered a 400 percent
increase in malware in the last 12 months and experts have warned that Google’s
open approach to checking third-party apps is putting users’ data at risk.
During this time the number of apps
available on Google Play leapt from 50,000 to more than 200,000 and it’s fast
overtaking the Apple App Store.
Is that app you’re using safe?
Innocent-looking apps can harbor malicious
spyware, and leading security experts have criticized Google’s policy of not
checking apps before they’re available to be downloaded by unwitting consumers.
“Because apps are not pre-screened,
cybercriminals can post and make malicious apps available for immediate
download on Google Play,” explained Chad Bacher, vice president of Mobile
Solutions for Webroot. “Google’s response to malicious apps has been very
reactive – removing the apps from the Market once aware of an issue.
“But unfortunately this generally happens
after thousands of users have already downloaded and installed the apps,
leaving them already at risk.”
So what kind of risks are there for users
who download an application infected with spyware? “Very often we see malicious
applications disguised as legitimate games, music and ringtones which, if
downloaded, can gain root access to your device,” Bacher said.
“They can then take control of your apps,
transmit personal information from your device, control search results, or send
SMS messages to premium numbers.”
Browse safely and securely
NoScript is a free plug-in for Mozilla
Firefox. It enables you to quickly control which scripts can run in your
browser on a domain-by-domain basis. If a trusted site has been hacked to
include a link to a second site serving malicious scripts, NoScript will keep
you safe.
NoScript Anywhere is an excellent free second line of defence against malicious web scripts
If you use Firefox Mobile on an Android or
Maemo phone, it’s a good idea to install the mobile version of NoScript
(NoScript Anywhere, or NSA) to provide extra protection. Go to www.noscript.net/nsa, scroll down and
click ‘Download NSA’.
Once NSA is installed, surf to a site.
Wherever content on the page is blocked, you’ll see the NoScript logo. You can
tap each element and confirm that you want the related script to run. Tap the
NoScript logo in the URL bar to see a list of domains that are trying to supply
scripts. Tap the main domain in the URL and then tap ‘Apply’. This is usually
all you need to do to make the page load.
Dangerous apps
Apple’s iTunes store is often touted as a
model of security that other OS developers should learn from, but recent events
have shown the need for vigilance.
InstaStock was on iTunes for two months before its author came clean about its true purpose
In November 2011, online researcher Charlie
Miller managed to sneak a rogue app past Apple’s strict security procedures and
approval process. The app, called InstaStock, looks and behaves just like a
real stock ticker, but behind the scenes it is anything but. The app was on the
Apple site and being downloaded for over two months before Miller came clean.
The app connected to a server that Miller
had set up in his home in St Louis, Missouri. It received commands to perform
tasks such as making the phone vibrate, and downloading contacts and pictures.
Miller, who works for security company Accuvant, said that he had contacted
Apple three weeks before announcing his proof-of-concept attack that allowed
his malicious code to run without Apple’s knowledge or consent. This notion of
consent reveals a mechanism that other app store creators can use to prevent
apps running if they turn out to be malicious. Companies such as Apple and
Google have remote kill switches that can render malicious apps useless. Last
March, Google disabled 58 programs in its Android store that proved to be
malicious, and which had been downloaded on to 260,000 handsets. The company
also deleted the accounts of the developers of the malicious apps and contacted
law enforcement agencies.
As for Miller, as a ‘white hat’ researcher
with a history of finding exploitable bugs in Apple products, he was shocked to
be suspended from Apple’s app developer programme for a year.