Slashdot Mirror


Defending Your Cellphone Against Malware

Hugh Pickens writes "Kate Murphy writes that as cellphones have gotten smarter, they have become less like phones and more like computers, and that with more than a million phones worldwide already hacked, technology experts expect breached, infiltrated or otherwise compromised cellphones to be the scourge of 2012. Cellphones are often loaded with even more personal information than PCs, so an undefended or carelessly operated phone can result in a breathtaking invasion of individual privacy as well as the potential for data corruption and outright theft. But there are a few common sense ways to protect yourself: Avoid free, unofficial versions of popular apps that often have malware hidden in the code, avoid using Wi-Fi in a Starbucks or airport, which leaves you open to hackers, and be wary of apps that want permission to make phone calls, connect to the Internet or reveal your identity and location." Pickens continues: "One common ruse is a man-in-the-middle attack when a target receives a text message that claims to be from his or her cell service provider asking for permission to 'reprovision' or otherwise reconfigure the phone's settings due to a network outage or other problem. Don't click 'O.K.' Call your carrier to see if the message is bogus. For the more paranoid, there are supersecure smartphones like the Sectéra Edge by General Dynamics, commissioned by the Defense Department for use by soldiers and spies, which may soon be available to the public. 'It's like any arms race,' says mobile security consultant Michael Pearce. 'No one wins, but you have to go ahead and fight anyway.'"

16 of 157 comments

  1. Easy fix by Anonymous Coward · · Score: 5, Funny

    Use a Blackberry. Lack of apps aside, even if the malware authors want to code one, the antiquated API would drive them to whiskey abuse.

    1. Re:Easy fix by WrongSizeGlass · · Score: 4, Funny

      Use a Blackberry. Lack of apps aside, even if the malware authors want to code one, the antiquated API would drive them to whiskey abuse.

      Use a BlackBerry? But how will I get my "totallies freez and safes, I promizz" LOL Catz knockoff? My phone wants catz that wantz cheezeburgerz, and I don't want to spend $1 to do it!

    2. Re:Easy fix by zonky · · Score: 4, Insightful
      Blackberry is perfect for email, but the browser is just terrible :(

      I miss my Blackberry every time I write an email, but I would miss my Android more as a useful device.

  2. Re:Or... by TWX · · Score: 5, Interesting

    Avoid malware by using an iPhone. Sorry. Someone would have said it if I didn't.

    And they'd have been just as wrong too.

    The "install an infected app from the app store" route is only one of many ways to infect a device like this. A remote exploit, like how Microsoft's browser brings down hundreds of thousands of PCs a year, is much more likely IMHO to cause real widespread chaos.

    --
    Do not look into laser with remaining eye.
  3. Presumably by deains · · Score: 5, Interesting

    By "cellphone" they actually mean "Android". I've never heard of iOS, BlackBerryOS or WinPho7 having any serious malware issues; granted, there have been a couple of minor incidents, but Android seems to be the platform of choice to have your phone join a botnet.

    1. Re:Presumably by an+unsound+mind · · Score: 4, Interesting

      The major problem is that I can't HAVE Google do the work for me, and I certainly can't look into the source of most of these applications. Nevermind that I don't want to have to look into the source of applications to know if they're safe.

      If Google had a way to force vendors to give us Android updates (to close security holes) and had a separate, vetted market for applications Google has the source of and has inspected for malware and proper behavior, Android would be vastly more attractive.

      As it is, iOS and App Store cover those needs. So I bought an iPhone.

    2. Re:Presumably by mlts · · Score: 5, Interesting

      Android has a perfect storm for this to occur:

      1: There is a low barrier for entry. One gets Eclipse, some Java tools, the Android SDK, and they can write APK files. $25 later, and one can upload into Google's store. Apple is $99/year, and it requires going into ID theft territory to create another account if Apple drops the axe on an app developer. Android development can happen on Windows, Macs, and Linux. Xcode can only happen on one platform, be it a true Mac or a hackintosh.

      2: Android is used on inexpensive smartphones. This makes it a very popular platform in China, India, and other nations developing an ecosystem, as well as countries that separate the phone from the provider. So, there are a lot of the devices out there. iOS devices are very popular, but not as common and wide ranging as Android models.

      3: Android's permission model is strong, and rooting does not affect security in the slightest. An installed app won't get anything that it does not have access to, unless it manages to pull off some successful root exploit (which is difficult as the app has to escape the Dalvik VM first.)

      Where the problem happens is that permissions are not fine grained enough. Combine this with users being trained to mindlessly click on any button labeled "send/accept/OK/submit/pay/download", and an app can be tossed on a device that shouldn't have anywhere near the permissions it requested. For example, a game does not need access to a contact list.

      What would be nice is if Google went back to the modal dialogs with the permission contents in them, forcing a user to look at it, as opposed to displaying them below the button that allows for a quick double-tap purchase.

      4: The current Google app repository is more of a marketplace than a store. The good thing is that a developer can have an extremely tight and fast feedback cycle, churning out updates hourly in some cases without having to wait for a bean counter to approve them. The bad thing is that apps that are not vetted can be an avenue for malware.

      5: In some countries, pirated apps are the norm, so finding a bunch of Angry Birds APK files that have the LVL code yanked is the norm rather than the exception.

      All in all, this isn't really Google's fault -- Android went from being on the sidelines to a mainstream OS in remarkable time, especially given that iOS was well entrenched with an App Store. Android matured from doing the basics to an OS that is not just consumer-friendly, but can support the needs of businesses with Exchange support.

      This is anecdotal, but in the US, I'm sure the chance of a malicious app is low, even if an inexperienced user just clicks on download, then accepts without looking. A clued user can look at reviews, discount the vague ones that are shills, and look for the scathing reviews. For example, a game that popped up also brought along with it some adware, and it was obvious from the 1-2 stars it was rated that something was afoot. A couple of reviews of "one star, spams contact list" will sink an app before Google comes by with the ban-hammer.

      I stated this in another post, but I still think that the current Google Marketplace structure is well done. However, a significant improvement would be a tier of service of Google actively vetting apps, where an app developer who pays for the higher level of assurance (since black box reviewing of apps does take time and money) can release an app as normal. Then, Google can sign that version when they get done reviewing, and this can be on their own schedule. A subsequent update would be allowed on the store, but it would be unsigned until Google reviewed and approved it.

      This way, phones can ship by default only allowing Google-vetted apps. If a user wants to get other apps, they can answer a warning dialog about doing so at their own risk [1].

      IMHO (and I've stated this before): If Android devices shipped with a store/marketplace/repository that hand-approved apps (with facilities for allowing full

  4. Re:Or... by Mitsoid · · Score: 5, Informative

    My iPhone doesn't tell me when an app wants permission to connect to the internet or share/sell my personal information with 3rd parties :-(

  5. Re:Step 1 by darkfeline · · Score: 5, Funny

    iOS?

  6. Two choices about it... by mlts · · Score: 4, Interesting

    With iOS, there is not much one can do about malware if it gets past Apple's gatekeepers. JB-ing the device and slapping on Firewall iP is probably the best thing one can do. However, the barrier for entry for malware writers is very high. It is pretty difficult (and more expensive) for a blackhat organization to create a new account with Apple (paying them a C-note a year), and cook up some personal info (like bank accounts and such to register under) to even be able to see iTunes Connect, much less have the app approved. This has done a good job in keeping iPhone users safe, although in theory, if an app decided to have some type of module that would allow code execution, users would never know about an app that would be slurping contact info, E-mails, and other items, then shipping that off to a blackhat server, especially if the app was smart enough to do it only on Wi-Fi, or a small trickle over 3G.

    Because of this, the only permission iOS asks for is for using the GPS. Since the App Store does all the work essentially, there isn't that much of a need to have anything more than that.

    Even with Firewall IP, there is no protection against apps deciding to spam with SMS, other than Apple's gatekeepers.

    So, Apple's security model may have some (in theory) bad flaws, but it has proven to be decently tight, with exploits being used for jailbreaking as opposed to turning the device into a mobile money machine for criminal organizations.

    Android's model is more robust in some ways. If Android phones were shipped with a marketplace that vetted/approved apps [1][2], this would virtually eliminate compromised phones [3].

    The nice thing about Android is that even with full root and a custom ROM, app security is just as tight as it is on a vendor ROM. Unlike jailbreaking on iOS which completely creams the security model, apps on Android still function exactly the same on a rooted phone, other than being able to prompt the user for su access.

    Since Android isn't reliant on a store's gatekeepers, its permission model has to be robust. It has been OK so far, provided users read and disallow apps like a game demanding full access, but it would be nice to have a better model -- something along the lines of minimum permissions needed to run the app, optimal permissions, and maximum permissions (a notepad app that just stores notes in its directory generally does not need full access or access to root unless it has some special features.)

    What can help Android immensely would be an app that runs as root and can allow/disallow access to SD cards, contacts, SMS, phone, and networking. There is an app called LBE Privacy Guard which runs as root and offers features that should really be part of Android (perhaps some features behind an Advanced menu.) CyanogenMod also has similar features for restricting access.

    Another app that is a must have for rooted devices is DroidWall, which is essentially a shell for performing iptables commands. This is an immense help because it can not just block network access for apps, but limit the bandwidth hogs to Wi-Fi (or security sensitive apps to 3G).

    Pretty much for the tl;dr in all of us, Android would be best off with two tiers of stores, and having the user go through a dialog of "these apps are untested, but the reviews will be a good guide. Use at your own risk" before a user gets access to the free-for-all market. Couple that with the functionality of DroidWall and LBE Privacy Guard which can be set to prompt/allow/deny access to critical things (contacts, network, phone, SMS) integrated into the OS, and Android would be a lot more secure.

    [1]: Amazon is good at vetting apps, and it would be nice for Google to offer two tiers of their Marketplace, where one tier would be the current free-for-all, while having another tier (which would cost app developers more because of the time taken) just for apps that would have a "blessed" flag attached.

    [2]: It goes without saying to have a way to add more stores, or if Google w

  7. Dumbphone user here... by bmo · · Score: 4, Insightful

    And the more I read about this, the better off I think I am.

    Seriously, this summary sounds like there is really no way around this BS except by using a dumbphone and never connecting anything to the Internet.

    >free app clones of pay ones are a problem

    No, closed source "free" apps are the problem.

    --
    BMO

  8. Simple really by Osgeld · · Score: 4, Insightful

    Don't download every dumb shit dancing santa talking cat bullshit app your mom's co-workers recommend

    option B is to not use a smartphone and get over your facebook/twitter addiction

  9. Re:Or... by Anonymous Coward · · Score: 4, Insightful

    So we are once again stuck on the myth perpetuated by the Apple marketing machine that iOS is secure.

    Let's disregard that it's been hacked repeatedly and easily, and let's also forget the tens of thousands of people who've had their iTunes accounts hacked and been charged for apps they have never downloaded (I know of 3 personally, none of whom ever got their money back).

    But yes, the 50 (out of 400,000) malware infected apps are scary.

  10. I defend ANDROID smartphones w/ HOSTS files by Anonymous Coward · · Score: 4, Interesting

    DO THE FOLLOWING (after obtaining a good reputable solid HOSTS file, like mvps' -> http://www.mvps.org/winhelp2002/hosts.htm

    ---

    1.) Get ahold of the "Android Debugging Bridge" (ADB) & install it

    2.) Mount your system mountpoint as READ + WRITE (this needs as powerful privileges as you can get)

    3.) Using the PULL command, copy the file over from your PC (or even on your ANDROID if its there already) using PULL & overwrite the etc. folder's copy of HOSTS

    ---

    * DONE!

    (Yes, it's THAT simple vs. hosts-domain based threats which ARE THE MAJORITY OF THEM OUT THERE (because hosts-domain names are recyclable unlike IP addresses)... &, it works - you CAN'T be burned if you can't go into the malware kitchen!)

    APK

    P.S.=> Of course, your HOSTS file will need to have the domain/hosts name of the C&C servers, & that you have to obtain for this to work vs. threats like bogus servers &/or maliciously scripted sites. Here's some good sources for that above & beyond mvps.org (I noted them above):

    http://hosts-file.net/?s=Download
    http://www.malwaredomainlist.com/hostslist/hosts.txt
    http://mirror1.malwaredomains.com/files/ (justdomains here)
    http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext
    http://sysctl.org/cameleon/hosts
    http://someonewhocares.org/hosts/
    http://hostsfile.org/hosts.html
    http://hostsfile.mine.nu/downloads/
    https://zeustracker.abuse.ch/monitor.php?filter=lastupdated
    https://spyeyetracker.abuse.ch/monitor.php?filter=lastupdated
    http://www.malwareurl.com/
    http://www.safer-networking.org/en/download/ (updater for Spybot "Search & Destroy" & it fortifies HOSTS files)

    Those are some of my regular sources that are reputable & reliable for custom HOSTS file data populations vs. known threats online - I consolidate them here via programs I wrote that normalize/deduplicate repeated entries, sort/alphabetize the results, & change from larger + slower 127.0.0.1 (longer & loopback ops happen here) to the faster & smaller 0.0.0.0 (or even 0 on Windows 2000/XP/Server 2003): Enjoy!

    ... apk

    1. Re:I defend ANDROID smartphones w/ HOSTS files by SoupIsGoodFood_42 · · Score: 4, Insightful

      Yes, it's THAT simple

      Only on Slashdot could you say that with some vague sense of truth to it.
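The merge-and-install step that comment 10 describes ("normalize/deduplicate repeated entries, sort/alphabetize the results, & change ... 127.0.0.1 ... to ... 0.0.0.0", then copy the result over /etc/hosts through ADB) as an added example. This is not the commenter's own program, which was not posted, and not code from any of the list sources named above. The two source lists are constructed samples standing in for downloads from those URLs; the install commands assume `adb` is on the PATH, that the device is rooted with a writable /system, that the file lives at /system/etc/hosts, and that the copy direction is PC to device, which is `adb push` rather than `pull`. The `is_blocked` check is included because a hosts file matches exact names only, which is the thing a practitioner most often gets wrong about this technique.

```python
"""Merge HOSTS-format blocklists into one Android-ready hosts file (added example)."""
import ipaddress
import re

# Constructed sample inputs, standing in for two of the lists linked in the comment.
SOURCE_A = """# mvps-style list (constructed sample, not real data)
127.0.0.1  localhost
127.0.0.1  ads.example-tracker.test
127.0.0.1  ads.example-tracker.test   # duplicate inside one list
0.0.0.0    cnc.example-botnet.test
"""
SOURCE_B = """# malwaredomainlist-style list (constructed sample, not real data)
127.0.0.1 cnc.example-botnet.test
127.0.0.1 Phish.Example-Bank.test
::1       localhost
# a line that is not a host entry at all
garbage line without address
"""

# Names that must never be sinkholed, whatever the upstream lists contain.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}
# RFC 1123 hostname: labels of 1-63 chars, letters/digits/hyphen, 253 chars total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def parse_hosts(text):
    """Yield lowercase hostnames from hosts-format text; skip comments, junk and loopback names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])  # first field must be an address
        except ValueError:
            continue  # not a host entry; drop it
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in LOOPBACK_NAMES or not HOSTNAME_RE.match(name):
                continue
            yield name


def merge_blocklists(sources, sink="0.0.0.0"):
    """Return (hosts_text, names): deduplicated, sorted, every entry pointed at `sink`."""
    names = sorted({n for src in sources for n in parse_hosts(src)})
    # Keep the loopback entries the device itself needs.
    header = "127.0.0.1 localhost\n::1 localhost\n"
    body = "".join(f"{sink} {n}\n" for n in names)
    return header + body, names


def is_blocked(hostname, names):
    """Hosts-file matching is exact: an entry for a domain does not cover its subdomains."""
    return hostname.lower().rstrip(".") in set(names)


def adb_commands(local_path="hosts"):
    """Install commands for a rooted device (assumed layout: root-capable adbd, writable /system)."""
    return [
        "adb root",
        "adb remount",  # or: adb shell su -c 'mount -o remount,rw /system'
        f"adb push {local_path} /system/etc/hosts",  # push = PC to device
        "adb shell chmod 644 /system/etc/hosts",
    ]


if __name__ == "__main__":
    text, names = merge_blocklists([SOURCE_A, SOURCE_B])
    with open("hosts", "w") as fh:
        fh.write(text)
    print(text)
    print("\n".join(adb_commands("hosts")))
```

Two caveats the comment glosses over: the check above is exact-match, so `sub.cnc.example-botnet.test` is not blocked by the `cnc.example-botnet.test` entry, and a hosts file does nothing against malware that connects to a bare IP address or carries its own resolver. The remount also fails on devices whose /system is verified or read-only, so this only applies where root and a writable system partition exist.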

  11. Re:Or buy an iPhone by bmo · · Score: 4, Insightful

    It's not realistic to think that everyone would compile applications if they could, or be able to do a source audit to see they are truly safe.

    No, it's not that *I* necessarily need to see the code (while I appreciate the freedom that I could), but I know other people *can* and *do*

    That's the advantage.

    Nefarious code does not live long in open sauce, basically because not everyone is Ken Thompson, to quote Tom Christiansen.

    Tom Christiansen has a pretty good rant about why the source-code world is superior. I have saved this as a text file since I read it the first time here, because it is that good.

    http://news.slashdot.org/comments.pl?sid=2540&cid=1522840

    --
    BMO