Skip to main content

As Android gets popular, so does Android malware

Most mobile users are more trusting of downloading and installing software on their phones in comparison to their computers.
Most mobile users are more trusting of downloading and installing software on their phones in comparison to their computers.
  • Attackers are using new techniques to distribute malware to phones
  • Android is a bigger mobile security concern because it's an open platform
  • It pays to stay alert to unusual activity on your phone
  • Scrutinize permissions for Android apps before you download them

Editor's note: Amy Gahran writes about mobile tech for She is a San Francisco Bay Area writer and media consultant whose blog,, explores how people communicate in the online age.

(CNN) -- As Android devices get more popular (today comScore reports Android phones comprise 40% of the U.S. smartphone market), they're becoming a more attractive target for cybercriminals. If you use an Android smartphone, you are now 2.5 times more likely to encounter malware (malicious software) than you were six months ago.

This isn't just about apps. This year, 30% of Android users are likely to encounter a Web-based threat such as phishing scams, "drive by downloads" and browser exploits.

This is according to a new threat report from Lookout Mobile Security. Obviously, Lookout is selling mobile-security tools. However, individual and collective mobile security risks are real.

Whether you opt to pay for mobile security, use a free service or manage it yourself, you should be aware of the risks and use basic mobile safety skills.

Cybercriminals aren't simply targeting Android devices more often, they're also getting sneakier about it.

Specifically, Lookout notes that attackers are using new techniques to distribute malware to phones. These include "malvertising" (ads served up through legitimate apps that lead you to a fake Android market and trick you into downloading malware, like GGtracker) and "upgrade attacks" (where the initially downloaded app is clean, but later upgrades deploy malware).

How can mobile malware harm you? First of all, cybercriminals can rack up charges to your phone bill through "carrier billing," a payment option that wireless carriers are increasingly pushing -- and which Google is starting to make possible for Android market app purchases. Malware also can sign you up for "premium SMS" text messaging services.

Furthermore, mobile malware and spyware can pull sensitive data from your phone -- such as your credit card numbers, online banking or e-mail account login credentials or your contacts list.

Infected phones also can become part of a "botnet," which means your phone could be used without your knowledge as part of a larger attack scheme. This can also drive up your data traffic, which can push you toward your data plan's cap faster.

Why is Android a bigger mobile security concern? It's an open platform, which presents significant pros and cons.

On the bright side, Android's openness has made it easier for vendors to offer cheaper smartphones (especially without costly two-year contracts) to a much broader consumer market. On the downside, Android's openness also makes it especially susceptible to malware.

Users of Apple and BlackBerry mobile devices are not immune to mobile security threats. But the closed nature of those platforms does make it harder for cybercriminals to infiltrate those devices with malware.

However, threats such as e-mail phishing attempts and PDF exploits can put any mobile user at risk -- even on the iPhone. (Apple recently patched its latest PDF vulnerability, but future iOS risks are always a possibility.)

Learn more about mobile security risks

John Hering, co-founder and CEO of Lookout, explains that a credulous user mindset has been a key factor in mobile security risks.

"We've observed that most mobile users are far more trusting about how they download and install software on their phone, compared to their computer," he said. "But fortunately that's starting to change. Android users especially are starting to get more discerning."

However, the way people tend to use smartphones can also put them at risk. Hering noted that mobile users tend to be in distracting environments, so they generally provide only short bursts of divided attention to their phones.

Kevin Mahaffey, Lookout's CTO and co-founder, explained that spotting malware on mobile devices is a bigger technical challenge than on computers.

"Personal computers have lots of power -- both energy and processing capacity -- so it's easy to run security analyses in that environment. If it were even possible to run the same types of analytics on a mobile phone, that would destroy battery and take two decades to build," Mahaffey said.

"So we had to consider, what if we could change the way malware detection is done? Instead of doing it on individual devices operating out in the world, what if we put it all on a big server and treat it as a data mining problem?"

This concept formed the genesis of Lookout's Mobile Threat Network, which provides mobile device security through an online platform that aggregates and constantly scans anonymized data gathered from over 700,000 mobile apps.

One advantage of this approach is speed. Also, users don't have to remember to update Lookout security software; the system constantly updates itself.

Mahaffey notes that if your phone is running an older version of the Android operating system, you face greater mobile security risks.

On Android phones, OS updates get deployed via a variety of manufacturers and wireless carriers. Because of this complexity, on many phones system updates lag behind -- sometimes far behind -- the latest "flavor" of Android (currently 2.3 "Gingerbread" for phones).

Unless you've rooted your Android phone to gain complete control over it, it's up to the carrier and manufacturer, not you, when your phone will get a system update.

In contrast, iPhone system updates get deployed by a single source: Apple. So at any given time most iPhones in use probably have a fairly up-to-date version of iOS (unless it's a much older device, such as the iPhone 3G).

Complicating this picture, to keep costs down some Android phone manufacturers skimp on processing power and other device capabilities. So some cheaper phones simply are not able to run the latest version of Android well, or at all.

This is why some brand new but cheaper models come with vastly outdated flavors of Android -- like the Huawei Ascend, currently sold by MetroPCS for $99 on a $50/month no-contract plan, which comes with Android 2.1 ("Eclair," released back in January 2010).

What red flags should mobile users watch for? According to Hering and Mahaffey, strange text messages coming from unknown sources are a common clue that you may have been subscribed unwittingly to a premium SMS service. You should contact your carrier immediately to report these.

Also, check your phone bill online periodically -- probably more often than once a month.

Malware can cause a lot of surreptitious activity on your phone, so battery performance might be a clue. "If your battery suddenly starts draining really fast, consider that it might be malware," Mahaffey said.

Hering also recommends healthy skepticism.

"Scrutinize permissions for Android apps before you download them. Does that game or utility really need permission to send premium SMS messages? Probably not," he said.

The opinions expressed in this post are solely those of Amy Gahran.


Most popular Tech stories right now