Your mobile apps could be spying on you and telling secrets!

I am sharing this article, written by Shelly Tzoumas – Thanks, Shelly!

How close are relentless cyber criminals to hacking your mobile device—really? Security reports indicate 1 in 5 Android apps contain malware. What do you need to know? To find out, Shelly sat down with Alex Hinchliffe, Mobile Malware Research Manager at McAfee, who explained the risk and provided five valuable mobile safety tips.

“Your everyday tasks may be the most revealing,” explains Hinchliffe. “Despite a recent rise in ransomware malware, today’s biggest mobile threat is data leakage from app ad libraries and other privacy-invasive apps.”

Tip 1:  Skip the ‘free’ version of apps and don’t download apps that share too much

We all, by nature, want to get something for free. Usually, when you download the “free” version of an app, you accept in-app advertisements. The ads are a little annoying, but the worrisome part is happening behind the scenes. The app has permissions to collect data from your mobile device that it doesn’t need.

“Typically, ad libraries are tracking your tasks, what network you are using, and collecting your account information,” says Hinchliffe. The data enables retailers to target you with coupons and promotions. “You can avoid over-sharing by reading the app reviews and permissions information,” advises Hinchliffe. “We are finding only a handful of ad libraries associated with malware, so the risk here is primarily to your privacy.”

Tip 2: Install good security software to guide you through confusing app permissions

If you are using an Android device today, you have little control over apps once you install them. This means you don’t know how the app is using any permissions you may have granted. Some mobile security apps, like McAfee Mobile Security, help by alerting you to permissions when you download an app. They can also inform you if the app is able to do something you don’t expect.

Tip 3:  Avoid third party app stores and direct download sites; get your apps directly from the Play Store, Apple Store or Microsoft

The reports of mobile malware are staggering, and we asked Hinchliffe to help us better understand the landscape. McAfee Labs reports 6 million mobile malware samples in their zoo (see chart), most of which are designed for Android. Few mobile breaches, however, have been reported. “When you look at data breaches as a whole, like the Verizon Data Breach Investigation Report does, stats in the mobility vector are low,” says Hinchliffe. “This can be deceiving because mobile malware is evolving from spyware to more dangerous capabilities that give the attacker remote control over the device, or to encrypt your cherished photos and other data then hold them to ransom.”

Just as attackers learn how to gain control of devices, more and more users are switching to mobile payments. In fact, overall dependence on mobile devices is growing with reported usage of more than 30 hours a month.

“The primary method of installing malware on mobile remains consistently via apps delivered through third-party app stores or direct download sites,” says Hinchliffe.

Tip 4:  Don’t click hyperlinks sent in SMS messages – even links in messages sent from trusted contacts

The scariest scenario involves SMishing (SMS phishing). “Mobile attackers are sending SMS (text) messages, prompting users to click a hyperlink to a direct download site,” describes Hinchliffe. “Unsuspectingly, they download malicious apps and, if installed, lose control of their data or even their device.”

Tip 5:  Avoid connecting to your web accounts with mobile apps, or only connect to websites offering two-step verification

Bad apps are universal, as evidenced by recent reports showing thousands of apps in Apple’s App Store could be used to spy on your communications. Further, McAfee found 18 of the 25 most downloaded apps from all primary app stores remain vulnerable to man-in-the-middle (MITM) attacks four months after the vulnerabilities had been reported.

“This means that all communications between the mobile apps and their websites, including usernames and passwords, are potentially viewable by cybercriminals,” says Hinchliffe.

One comment on “Your mobile apps could be spying on you and telling secrets!”

  • Great read. The Android community needs a lot more education on topics like these…

    Regarding items 1 & 2: Prior to version 4.4.2 Google used to provide a Play store app named "AppOps." App Ops was an optional download from the Play store that would allow an Android user to granularly indicate on a per-app basis what services were available. Don't think that game should have access to your contacts, camera, microphone? Disable that access in App Ops. While it was somewhat esoteric, it provided savvy Android users the only way outside of rooting a device to control this type of access.

    For some reason Google decided to kill App Ops functionality in v 4.4.2 and all subsequent versions of the platform…possibly because developers or ad companies felt marginalized. Who knows. The good news is that this is supposed to return – in a more integrated form – in Android Marshmallow.
