Consumer irresponsibility abetting Android malware surge
Android security panic has hit Defcon 1. Security solutions firm NQ Mobile reports malware attacks on Google's (NASDAQ:GOOG) open-source mobile operating system more than doubled in 2012, infecting 32.8 million devices worldwide, and the problem looks like it will get worse before it gets better. Lookout Mobile Security recently identified BadNews, a new malware family discovered in 32 Android applications with combined download totals between 2 million and 9 million: BadNews masquerades as a mobile advertising network, sending consumers fake news messages prompting them to install apps, and then transmits sensitive information like phone number and device ID to its Command and Control server.

Lookout has seen few other malicious distribution services posing as ad networks. "Because it's challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny," the firm said. "BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred." Lookout urges Android developers to pay close attention to all third-party libraries they integrate into their apps and warns enterprise security managers that even cutting-edge app vetting processes cannot detect malicious behavior that hasn't yet occurred, necessitating ongoing security monitoring.

The American Civil Liberties Union has had enough. The nonprofit has filed a complaint with the Federal Trade Commission, urging the agency to investigate carrier efforts to offer secure consumer experiences across Android devices. The ACLU petition alleges that Verizon Wireless (NYSE:VZ), AT&T Mobility (NYSE:T), Sprint Nextel (NYSE:S) and T-Mobile US (NYSE:TMUS) have failed to properly safeguard subscribers against threats to the Android ecosystem, citing potential abuses like fraud, information theft, phishing campaigns and location-enabled stalking.

"The major wireless carriers have sold millions of Android smartphones to consumers," the petition states. "The vast majority of these devices rarely receive software security updates. A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners. Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous."

Everyone in the Android value chain, including Google, operators, manufacturers and application developers, must do more to improve security across the platform. But consumers need to step up their game, too. Caution and common sense are perhaps the most effective weapons for halting malware outbreaks, but Consumer Reports' Annual State of the Net survey suggests that 39 percent of U.S. adult smartphone owners fail to take even minimal security measures. More than 1.6 million Americans have been fooled into installing what appeared to be a popular, brand-name app but was actually a malicious imposter. Another 69 percent of smartphone users haven't backed up their data, including photos and contacts, and just 22 percent have installed software that could help locate their device in the event it's lost or stolen.

Consumer Reports recommends that subscribers move to protect their phones by practicing caution when installing apps, being alert to insecure Wi-Fi connections and devising strong pass codes including both letters and symbols. These may seem like obvious, even condescending suggestions, but don't forget that close to 40 percent of American smartphone owners aren't doing anything at all to protect their devices, so if Consumer Reports gets its message across to even one user, then its efforts are a success. Obvious knockoff apps--Angree Birdz, anyone?--don't install themselves, after all; stopping users from downloading them is a huge step towards stopping malware's spread.--Jason