Fortunately, protecting yourself against mobile security risks doesn’t require getting paranoid about your phone. Rather, it’s about maintaining good habits, watching for red flags and deciding whether you need mobile security tools or services.
At a recent mobile security conference in San Francisco, staffers from digital security provider Norton outlined some common current mobile threats:
This is an app contaminated with malicious code that makes your phone do things it shouldn’t — such as steal your personal data. While no Smartphone platform is immune from malware, so far Android apps appear to present the greatest malware risk. This is because of the openness of this platform and Google’s Android market.
This week, The Register reported on the latest rash of Android malware and noted that Google has admitted that “more than 90 percent of Android users are running older versions of the mobile operating system that contain serious kernel vulnerabilities. That gives attackers an easy way to bypass Android’s security sandbox, which is supposed to limit the data and resources each app is allowed to access.”
At the Norton conference, a presenter demonstrated how quick and easy it is to “trojanize” an Android app. He downloaded an existing legitimate app from the Android Market, viewed the source code, copied in some malicious code, renamed the app and uploaded the now-malware to the market — all in about three minutes.
Mobile security tools such as Lookout or Norton Mobile Security (in beta) can help guard against Android malware by scanning apps and other programs and data on your phone.
However, the best way to protect yourself against malware is to read the list of permissions that an Android app requests before you install it. Does that list make sense? For instance, does a game really need to be able to send premium text messages or access your contact list?
It helps to understand what each of the available Android permissions mean and to check the apps already on your phone to spot excessive permission requests.
Also, if your Android phone is rooted (meaning you’ve modified the operating system to gain complete control over everything on the device), apps such as Permissions Denied might help you selectively deny these permissions. Just know this could interfere with how some apps function.
Remember that malware creators are constantly innovating to outwit security tools. Also, the security measures of closed-app ecosystems such as Apple’s App Store or BlackBerry AppWorld are not perfect. So stay alert for odd behavior from any kind of phone or app.
Premium SMS billing
Some text-messaging services can cost you money every time you interact with them. While there are many legitimate premium SMS services that people voluntarily use, sometimes mobile users unwittingly subscribe to them, not realizing the extra charges involved until their phone bill arrives.
This kind of mistake can happen on any type of phone, even simple feature phones. But smartphone users face an extra risk because malware can cause your phone to surreptitiously send texts to premium SMS services. This recently happened in China, and it could happen in the U.S. and elsewhere.
Cell phone carriers allow subscribers to block premium SMS messaging. If you’re certain you will never want to use premium SMS, it’s a good idea to block it.
Typically you have to log on to your account via your carrier’s Web site or app to implement this block although you might be able to set it up by calling your carrier or visiting their local office or store.
E-mail and SMS phishing
This is when you click a link that you received via e-mail or SMS, ostensibly from a legitimate source, and the resulting website tricks you into entering sensitive information such as your online banking password.
Here, the best mobile safety tool is skepticism. If you click a link you received via e-mail or SMS, and it takes you to a site that asks you to log in to your banking or any other account, don’t do it.
Instead, take a moment to manually enter the URL to access that site directly, like you would normally do. This way, you’ll be certain you’re accessing the genuine site. Then check whether there are any issues with your account that need attention.
Mobile security provider Lookout recently debuted its safe browsing service aimed at alerting mobile users when they’re about to access a likely or known phishing site. (So far this works only with the stock Android web browser.)
People who want to snoop on a spouse, child, employee, rival, intended stalking/crime victim or crime suspect can purchase software that can turn a smartphone into a spy. (It may not be legal to use spyware in these ways, but you can purchase it legally.)
Packages such as FlexiSPY and MobileSpy, which are available for most smartphone platforms, have two parts: a mobile app and a Web interface. To make it work, the snooper obtains the target’s phone, installs the spyware app, activates it and returns the phone.
Spyware apps hide or disguise themselves, so they don’t obviously show up in lists of installed or running apps.
Once the spyware app is running, the snooper can log in to the spyware service’s Web interface to see, in real time, what the target is up to. This can get really creepy — these programs can use your phone’s GPS to track your precise location in real time, activate your phone’s camera or microphone, record phone calls, save and display your chats and text messages (even ones you erase) and more.
If you’re concerned about spyware, one way to avoid it is to never leave your phone unlocked. Always protect it with a passcode or pattern. If would-be snoopers cannot activate your phone, they can’t install anything on it.
Like apps, websites can be contaminated with malicious code that exploits browser vulnerabilities. This threat mostly affects computer-based Web browsers.
At the Norton conference, experts did not seem to think that malicious websites pose much of a risk to mobile users yet. However, many of the most popular smartphone browsers (including mobile Safari on the iPhone) are based on WebKit, a popular open source Web browser engine that has security vulnerabilities.
So far, cybercriminals and hackers apparently haven’t found WebKit to be a very appealing target, but as people increasingly rely on phones for sensitive information and activities (such as making purchases), attacks mounted against mobile browsers might provide access to mobile platforms that are otherwise more closed.