Exactly seven years ago to the day (September 23rd), Google, after much speculation, finally lifted the lid on its secret project, one which would go onto change the mobile world. Despite the rumors, it wasn’t a brand new smartphone – it was so much more. What it brought to the table was a completely new operating system, which would, in just a few years, become the most dominant force in the mobile and smartphone market. Its name? Android.
However, it has to be said that all that success didn’t happen without some notable security glitches and slips along the way, and a few of the most notable ones have been quite recent, in fact. To begin then, let’s go back to the summer of 2013 when a gaping security hole, know as the Android Master Key exploit, was revealed.
Practically making all devices running the operating system vulnerable, Android Master Key allowed attackers to modify installation packages (Android Application Package – APK), meaning that device systems were unable to detect the changes. The risk? Legitimate apps could potentially be turned into malicious trojans.
Another giant slip came to light just a few months ago, in July 2015. Known as Stagefright, this bug could threaten as much as 95 percent of all Android devices on the planet – meaning almost a billion devices in real numbers. Only one MMS sent by a cybercriminal could result in you losing control over your device – even if you didn’t read or open it.
As an open-source based system – and one of the most popular – Android also made headlines thanks to the rise of many malware threats. Recently, a lock-screen-type ransomware was reported to be making its rounds across the US. Detected as Android/Lockerpin.A, the fraudsters behind this attack have been demanding $500 for unlocking a victim’s device.
Another example is extremely recent ,with ESET researchers reporting a new threat just yesterday (September 22nd). Dubbed Android/Mapin, this stealth attack, which is directed towards Android users, uses fake versions of popular arcade games such as Plants vs Zombies, Candy Crush or Super Hero Adventure to deliver a backdoor trojan directly onto a user’s smartphone or tablet.
"The trojan was using a timer, allowing it to delay the execution of a malicious payload."
With help of this malicious code, an attacker can take control of the device and make it part of a botnet. In the example discovered by ESET, it was observed that the trojan was also using a timer, allowing it to delay the execution of a malicious payload. This meant it was able to stay under the radar and, consequently, any odd behavior that the device was demonstrating was put down to the game.
What is alarming about Android/Mapin is the fact that all of this was found to be possible using downloadable apps from the official Google Play store. According to ESET telemetry, most of the infections were detected in India, currently constituting over 73 percent of all detections.
As Android’s short but remarkable existence clearly documents, the most widely used OS still has its weaknesses and remains a clear target for cybercriminals. That’s the problem with popular operating systems and devices – they attract the attention of attackers, just as as much as they do intrepid developers and users. So, if you want to celebrate seven years of the platform, follow these eight simple rules which will help you stay safe:
- Always update your device’s operating system and apps to the latest available version
- Back up all (or at least the most valuable) data on your device
- Use up-to-date security solutions by a reputable vendor
- Stick to the official Google Play store, where the likelihood of malware infection is the lowest (even though as Android/Mapin proves, apps are still checked by Google itself and sometimes analyzed by security vendors)
- If however you are required to use third party apps, only do so if the source is trustworthy (e.g. your employer)
- Use screen lock and remember ‘pattern is less secure than a PIN’ and a password is your best choice
- Encrypt the contents of your device
- Try to avoid rooting the device, no matter how tempting this option might be