Report: Android Malware on the Rise

According to a recently released report from Lookout Mobile Security, the creation of malware targeted towards Android devices has increased by a factor of five in the past 12 months.

The number of malware applications has risen from 80 in January to more than 400 in June. Between a half million and 1 million people were affected by Android malware in the first half of 2011, according to the report.

Case in point: Two days ago, Dinesh Venkatesan of CA Technologies reported a new Android trojan that can steal account passwords and Social Security numbers by recording phone conversations.

"As it is already widely acknowledged that this year is the year of mobile malware, we advise the smart-phone users to be more logical and exercise the basic security principles while surfing and installing any applications," said Venkatesan in his post.

Most threats to Android devices are malware and spyware, said the firm. Of the threats Lookout detected in June 2011, 48 percent were malware and 52 percent spyware. The most prevalent type of malware attack in the first half of 2011 was repackaging, whereby a hacker adds malicious code to a legitimate application and then republishes the doctored application to an application market or download site.

"The repackaging technique is highly effective because it is often difficult for users to tell the difference between a legitimate app and its repackaged doppelganger," said the report.

Repackaging, though, is only one of the ways that hackers are attacking mobile devices, and the number of ways they can compromise devices continues to increase. A newer, similar model is the "upgrade attack."

"We've started to see [attackers] publish a clean app, then wait for a while before offering an update that's infected," said Kevin Mahaffey, co-founder and CTO of San Francisco-based Lookout, in a ComputerWorld article Aug. 3.

"Because most people automatically update their apps, there's less time that the malware is on the market before it's installed by a lot of people."

Although many government agencies have begun adopting mobile devices, including the State Department, the General Services Administration and the Department of Defense, they may not be prepared to fight these attacks.

A recent report by the General Accounting Office found the DOD unable to keep pace with cyber threats, reported GCN July 26.

Additionally, "because mobile platforms are new, often introducing new APIs and security models, even skilled developers aren’t always aware of best security practices," noted the report.

Yet one of the biggest issues is not limited to mobile devices: users transmitting sensitive data without proper encryption, noted the report.