Threat reports finger Android again

Antivirus vendor McAfee’s latest quarterly threat report singles out Android, yet again, as the established favorite of cybercriminals targeting mobile platforms.

In November 2011, the company issued a quarterly report saying essentially the same thing — mobile malware was increasing, with Android the favorite target. It did so again this past February, and then again in June.

Reactions within the security community have ranged from sardonic to serious. In the view of some security experts, this is not news. It is scare-marketing, designed to sell more antivirus products to panicked mobile users.

There is no need, they say, for a study to tell people what they already know — that the most popular mobile operating system is going to be the most popular target of the bad guys.

In March, a reader going by the alias “fotoflojoe,” posted in response to McAfee and other reports on malware attacks on Android: “In other news, water is wet and the sky is blue.”

Last November, the focus on Android prompted a ferocious response from Chris DiBona, Google’s open-source programs manager, who said the reports exaggerated mobile malware, and said mobile operating systems such as Android, iOS, and BlackBerry, don’t need antivirus software.

“Virus companies are playing on your fears to try to sell you BS protection software for Android, RIM, and, iOS,” DiBona said. “They are charlatans and scammers. If you work for a company selling virus protection for [them], you should be ashamed of yourself.”

[In depth: Which smartphone is the most secure?]

But there are others who say McAfee’s reports are providing a valuable service, because they go well beyond an amorphous, “things-are-bad-and-getting-worse” declaration, into detail about how much worse and in what ways.

They are also valuable because too many users apparently don’t know it — they still haven’t gotten the message that mobile devices need just as much protection as PCs, since they are fully connected to all the benefits, and therefore the dangers, of the Internet.

Network World reported this week that exploits that are no longer effective on PCs are being successfully used to target smartphones, in part because of a low rate of anti-malware protections.

That is not necessarily the fault of an open-source platform like Android. “Carriers rarely provide updates to smartphones that fix vulnerabilities. Over 75% of the Android smartphones are running version 2.3X (released Dec. 6, 2010) or earlier versions,” the report said. “As a result, vulnerabilities that have been repaired have not been released and downloaded to older smartphones by a software management system like those used to update PCs with the latest security patches.

The McAfee report said that not only has mobile malware grown — it detected 1.5 new malware samples during the quarter — but has also expanded into new types of attacks, including drive-by downloads, the use of Twitter for control of mobile botnets, and ransomware. McAfee’s database of dangerous programs grew to more than 90 million, and is expected to top 100 million by next quarter.

Ransomware, which restricts access to a computer’s system or files, is among the worst of the new attacks, “because the damage is instant and commonly a machine is rendered completely unusable,” wrote Anna Salta on Kaspersky Labs’ Threatpost blog. “So not only is the victim’s data destroyed, but some of the victim’s money is also gone if he or she attempts to pay the attacker’s ransom.”

For an enterprise, it can be worse than the loss of pictures and memories — it can mean the loss of encrypted data, while the criminals demand ransom money to release it.

Eric Maiwald, research vice president at Gartner and a mobile security expert, agrees that the latest report simply confirms “the same trend we have been seeing.” But he said  the one difference now is the use of ransomware.

Jeff Wilson, principal analyst for security at Infonetics, said that even if this is just the continuation of a trend, the message is that both consumers and enterprises need to protect their devices. Antivirus products don’t stop all attacks, he said, but they help.

“If you never conduct transactions, store or enter personal information, send or receive sensitive email, browse the Web, or download apps, then you probably don’t need to do much,” Wilson said. “But if you do any or all of those things, then you should start looking at client solutions from the traditional AV vendors or even cloud solutions that take the burden of security off the devices.”

“There’s also making sure email and SMS/MMS messages are clean first, and enforcing safe browsing habits by routing web traffic through a secure cloud is a great first line of defense,” he said.

Blake Turrentine, owner of HotWAN, a trainer for BlackHat and mobile security expert, said, “something is better than nothing. But he said their protection is “limited due to the restrictions involved in sandboxing of mobile apps.”

His advice: “Keep your firmware up to date.”

There is also training, although that has its limits as well. “Unfortunately, as with all other controls, training is not foolproof,” said Eric Maiwald. “The more users are made aware of the mechanisms for malware infection, the less likely they will be to just download something, unless they really think they want it, or click yes to something, unless they are really tired or really think they want to say ‘yes.'”

What about  those whose phones are just for personal use? “The headline news is perhaps the best approach to informing them, by repeating that smartphones are not as secure as they may think,” Turrentine said.

But the message from trainers is as obvious as the trend: Don’t click yes on anything until you’ve checked it out first.