Android security flaw uncovered

The security of devices used in the office should be a top priority for business owners and managers. It is easy to think that a fully functioning device like a mobile phone is secure, and most of the time it is. The thing to be aware of however, is that there are always hackers looking for security flaws in these products. The latest flaw highlighted happens to be on the Android system.

In early July, mobile security company Bluebox announced that they had discovered a large security flaw in the Android system. The threat centers around a trojan application that can gain access to application data including email addresses, SMS messages, etc, and can get service and account passwords. In other words, it can take over your whole phone.

The way this so-called trojan infects mobile devices is through an app. Hackers have figured out how to tinker with the application’s code, and implement the malware without changing the cryptographic features that are used by Google Play and other online stores to validate and identify apps.

What this means is that the changed app looks legitimate to Google, developers, our phones and us, but it really has malicious code embedded in it, code that could give a hacker full access to your phone. The good news about this is that it can be easily fixed with an update. The bad news about this is that it is up to device manufacturers to actually release the fix. This is because most Android device manufacturers basically own their own version of Android and need to push the update to owners – Google can’t do this. Beyond that, it is up to the device owner to actually update their phone when the fix is released.

If this sounds a little worrying, it should be, especially since this affects every device except for the recently released Samsung S4 Touchwiz. There are things you can do however to minimize the chances of your device being infected by this bug.

1. Don’t allow your device to install apps from unknown sources – Think of Android apps as coming from two systems: Google Play and not Google Play. Any app that comes from not Google Play (e.g., Amazon app store or various stores not owned by Google) can technically be installed onto your device, as long as you have allowed apps from unknown sources. If you haven’t enabled this on your device, you should be safe. If you have, you should disable this immediately by going to your device’s Settings followed by Security and ensuring Unknown sources is NOT ticked.
2. Only download apps from the Google Play store – Unlike other mobile platforms, you can download and install apps from almost any location on Android phones. While this may seem like a good idea, many of these external marketplaces don’t validate apps, so this is where you will find most of the apps with malware. Google Play does validate apps and will remove malicious ones if found, so play it safe and only download apps from the store.
3. Always verify the publisher – Malware does still make it onto Google Play, so you should also look at the publisher of the app. When looking at an individual app, scroll down to the Developer section. There you will usually see a webpage, email address and security/privacy policy. Pay close attention to the name, email address and do a Google search for the developer. If you notice that they use a different email address on the site, or a spelling mistake, you should probably avoid the app.
4. Look at the app download statistics – Finally, if you are still unsure, you should look for the app on your browser. Just navigate to the Google Play website and search for the app. When you find it, click on it and look at the right-side of the window. You should see ABOUT THIS APP with lots of information below. Pay close attention to the Installs graph. If it is an app from a big-name developer e.g., Google, there should be a high number of installs. If it is say a Google App and the number of installs is low (under 1,000) it would be a good idea to avoid it.
5. Keep your device updated – If you get a notification to update your device, you should do so immediately, this will ensure that you have the latest bug fixes and could also introduce new, useful features.

If you are careful about what apps you install and take steps to ensure that you only install apps from the Play store, your device should be relatively safe. Google has announced that they have patched their cryptographic features on Google Play, so any new apps going onto Play should be safe from this particular exploit. There is a good chance that they will also correct this issue in a future update to the Android OS (likely 4.3), but older devices may be left out of the loop. So, as we have already told you a few times: Don’t install apps from outside of Google Play, and be sure to follow the tips we talked about above.

Should you require more information about Android in the workplace, please contact us today.