A new report, says Camp, from Lookout Mobile Security charts a recent steep rise in malware reported in their databases, from around 80 in January, to more than 400 in June. Lookout, he adds, also reports that between 500,000 and a million Android users were infected with malware during that same period.
“Randy Abrams [Eset's director of technical education] reported a while back about a malware proof-of-concept that listened to the touch-tones being typed on the keypad representing credit card information being entered, and reported it back to the malware’s mother ship”, he says in his latest security posting.
“He thought we might be seeing more of this style of activity in the real world in the near future. Now CA Technologies reports a variation on that theme in-the-wild: a trojan that records entire phone conversations, hopefully including banking/identification information, and reports them back home. So it seems our predictions weren’t far off”, he adds.
According to Camp, during its early days, Android users loaded their apps with scarcely a thought for security.
Now that we see malware authors writing for this audience, he predicts that vendors will enter a second phase: education, although he observes it will now take a long time to educate users that you have a computer that can make make phone calls, and all the security issues that this engenders.
These machines, says the Eset researcher, pack respectable processing power and data storage, run a full operating system, and are all networked. On top of that, he adds - almost by definition – they are filled with the personal information and contacts advertisers and businesses have been lusting after for decades.
So what is the solution?
Camp argues that users need to be on the lookout for anything that does not look right with Android apps, and if users are installing a simple app, it shouldn’t be asking for permission to access the deep, dark regions of your Android.
Also, he says, users should only download directly from the native Market app on your device, as there are user-generated ratings there, which will give some indication of how others view the quality of the application.
“If other users have had trouble, you might too. Also, you have a browser built in, so you can dig around a little bit there if you want more information”, he says, adding that Eset has released its own mobile security application for the Android platform.
“In the end, however, there’s no substitute for education, and being slightly more aware of what you do on your Android pocket computer, that just happens to make phone calls”, he concludes.