Don't eat the yellow snow
|
|
|
Mobile malware is about to explode, users need education
WE LIVE IN A WORLD that's increasingly full of technology. However, along with technology comes malware and mobile devices are no exception, as the popularity of smartphones and tablets surges.
On the whole, mobile malware seems to be proliferating, and it's happening quickly too. It's been around for the last year or two and already has financial gain at the root of it, something which crept into desktop malware only after more than 10 years.
Mobile malware is pretty much at the stage that desktop malware was in 1986 or 1987 in terms of the number of threats, Tom Parsons, a senior manager at Symantec Security Response told me recently. The number of threats is into the thousands now.
Around half of threats involve premium text messages that the malware automatically sends without the user's knowledge. Typically four are sent costing between £4 and £8 each. In my opinion, there is a big potential for this to get worse with upcoming technologies like near field communication (NFC), which will be used for day-to-day payments instead of a debit card.
Of the main mobile operating systems, it's no surprise that Android is targeted the most. Parsons doesn't think this will change this year and as a user of Android, I agree.
Google has made Android open, which has its benefits, but not when it comes to security. It's not very tricky to get an app on the Android Market, especially when compared to Apple's strict approval regime.
It's partly this process, along with Apple's walled garden ethos that makes IOS a less attractive target for attackers. At the moment Windows Phone has a very small share of the mobile market so unless this picks up there's no point in choosing to target it over Android.
As I highlighted in a recent news story, a problem with Android is that malware is finding its way into legitimate apps. When a user downloads and installs an app they give it various permissions, but this can also let hidden malware contained in an advert module wreak havoc.
In this instance something needs to be done by Google. For starters it could change its permissions so the user can agree to different levels of access for the main app module and other parts including adverts.
Other attacks are far more obvious, such as apps that claim to remove Carrier IQ type monitoring and one that tempts users to unlock supposedly hidden features on the device that the manufacturer has held back.
It's cases like this that highlight how naive some users can be and how easily they are fooled. They should really think twice before clicking on something that sounds and looks too good to be true. Common sense often goes out the window when it comes to clicking, however.
Luckily this seems to be changing. On the subject of mobile malware, Mikko Hypponen, chief research officer at F-Secure told me the firm is getting more and more queries from users concerned about the level of access applications have to their information on their mobile.
Consumers need to be aware of the risks when using devices such as smartphones, rather than assuming that nothing bad will happen to them. Vendors need to put some investment into educating users on the subject, but more than anything they have to take responsibility for their products and fight the criminals that are attacking them.
Hypponen says that users should carefully review the rights they grant to apps and complain to the vendor if they feel the app is looking for rights it can't justify. He told me, "I know this is not an easy advice, but if app developers get no criticism for overreaching rights in their app or in their apps' ad module, they aren't going to change."
I agree, as companies tend to respond to issues if their user base makes enough noise. People upgrading to smartphones or tablets for the first time need to deliberately learn the ins and outs to avoid becoming at risk. It's often these types of users that get sucked into scams because they don't know any better. There are also mobile versions of anti-virus software available and countless blogs that detail the latest threats. It's time to educate users before, not after, malware attacks. µ
Tags: Security
Share this:
Share
[Being deliberately vague]
If you wanted to kill mobile networks right now and zap a pretty big proportion of peoples phones out there, you could do it, right now, today, with extreemly low level of effort. A number of significant vunerabilities, with known, easy to impliment exploits, have been known about (and nothing done about them) for several years now. Mostly they make available easy to impliment massive denial of service attacks, but a bit of thought could probably lead to actual user data acquisition.
I am franky amazed at the lack of exploitation of these vunerabilities to date and can only put it down to the various vunerabilities still being known about by relatively few people, or plain bone idle hackers.
No matter how hard you try or how much money you spend, you can't fix stupid and there are a lot of stupid people in this world. Take a look at the products of "baby machines" filling the ghettos and you will see it's futile.
Many problems would be solved if software would be given an OK certificate from people who know what they are doing.
And the ability to revoke the certificates in case someone finds malware.
This would make it easy for people who don't really know much about it to only accept programs with the right certificate.
I always wonder why google requires that all users can make that decision while it is so easy to setup something to give that decision away to an expert.
It's time to educate the users?
Seriously? I hate to break the news to you Chris, but it's been well beyond time for over 15 years now. And this has been said too many times before for it to mean anything any more.
Clearly something else needs to be done rather just regurgitating the same old tired rhetoric.
Looking to the AV companies for a solution or advice/insight is some massive twisted logic as well. They're not going to help. They like things just the way are (ie. profitable). In fact, they'd probably prefer it if things were actually worse. The only bit of user education that they're really interested in, is educating the users to buy their products!
Oh and 'symantech told me' is a cute one, they are the ones that put backdoors and tracking in their products for the 'security services' world wide, so yeah they should know malware is exploding alright, being the creators of it.
And obviously they want you to massively install their 'protection'.
You were suckered by them.
Most all phones come with malware from the carriers, it's an integral part of the system, there's little left to avoid.
...we live in a world full of technology being used by technically illiterate people.
I've maintained for the longest time that marrying fully blown operating systems, always on mobile phones, apps installed and given permissions without second thought like candy, making payments using these devices and letting Google touch anything is a disaster waiting to happen. It is to my astonishment that there hasn't been some kind of global pandemic already.