Can Smartphones Get Virus/Viruses and Malware? iPhone / Android Phone Only as Smart as Their Users in Malware Detection
As smartphones become more and more popular, and their connectivity and processing power increase, they are attracting more attention from malware writers around the world.
"A big tree attracts the woodsman's axe."
-- English proverb
Computer security experts have predicted since 2009 that viruses (actually "malware", which describes all types of malicious software) will hit smartphones. It appears that 2011 will be the year of smartphone viruses. This hub will go into some detail on how do you get smartphone viruses, what sort of damages can a smartphone virus do, and what you can do to protect yourself.
What Can Happen With a Smartphone Virus / Malware / Trojan
First of all, the proper term is "malware" which describes all sorts of malicious software, not just a virus, or trojan, or logic bomb. Malware describes everything malicious.
Any way, malware can do the following (all are actual cases):
- Send messages to "premium service" SMS numbers that cost extra money, similar to calling 1-900 or 976 numbers
- Send your personal information to unknown parties
- Turn your phone into a part of a botnet so others can execute commands remotely for nefarious purposes, such as spam, DDOS attack, and more.
- Give others ability to monitor your phone calls and text messages
- Open you to blackmail, if something embarrassing can be found and sent elsewhere
- Trick you into entering financial information, such as account number, birth date, and more
- Even stuff on your PC... if you connect your PC to your smartphone
- and more...
This is a threat you need to take seriously. And here are some examples.
Android Hacked App Turns Your Phone into a Botnet Zombie
Symantec, a world leader in malware detection and computer security, reports that Android malware is on the rise, and they have just detected a hacked version of the popular "Steamy Window" (February 2011) available through Chinese websites that turns your phone into a botnet zombie. Once your phone had been zombified, hackers can remotely control your phone to:
- send premium text messages
- block text messages,
- add bookmarks,
- force your browser to visit certain websites
- and more
iPhone Worm Hacks Jailbroken iPhones into Botnet Zombie
You think only Android phones can be zombified? Sorry, Apple iPhone was first targeted. Symantec reported on this worm in June 2010. If you jailbroke your iPhone, but did not change your default SSH password (easily found on Google) this worm, known as the Ikee Worm, will allow someone to remotely control your phone from afar.
HTC Phone In Europe Was Loaded With Botnet Virus
In March 2010, Panda Research, maker of Panda Anti-virus, found that some HTC phones sold in Spain by Vodafone, was infected with a variant of the Mariposa Botnet. As soon as you connect the phone to a PC, the payload attempts to drop the botnet software onto your PC.
If you do not have an anti-virus on your PC, you may be infected just like that.
iPhones are Vulnerable to Scareware
Intego, the Mac Security Blog, found a Dutch Hacker sending ransomware to iPhones back in November 2009! Technically it's not ransomware, as your phone will work fine. However, this Dutch hacker can remotely scan your phone, reveal your vulnerability, and will send you instructions on how to fix it if you send him $5 Euros. So it's technically scareware, but it's a real threat.
If he can see your phone by remote, what ELSE can he see, one wonders?
Phishing Bank App Steals Account Information
Sophos Internet Security, in January 2010, found that some malware writers were releasing fake bank apps targeting smaller credit unions into Android Marketplace. The clear intent is to steal account information from those customers. Fortunately for the customer she called the credit union for assistance, and the credit union quickly realized they have a phishing scam on their hands, as they do NOT have an Android app!
Stolen Apps Steals Info, Roots Your Phone
Android Police got a tip-off from a reader... There are trojan apps in Android Market that was taken, repackaged with malware droppers, then released into Android Market under a slightly different name. Dozens of such apps were released by this "developer".
The trojan will steal your phone's unique ID and other information, and even execute system-level code through a root-exploit.
This super-trojan has been dubbed "DroidDream", and Google has already pulled all the apps by the developer. Android Police reported that XDA has a special patch that should disable the vulnerability.
iPhone Password Can be Hacked in Six Minutes
Let's say you lost your smartphone. That would be a disaster, as it has all your contact information. If you bank with your phone, even worse! It may have personal information in there!
Okay, you locked it with a password. It's safe, right?
Scary, isn't it?
Chinese Phone Tapper/Tracker Arrives as Virus
NetQin Security of China reported that "X Undercover", a cellphone surveillance app that can be spread as an attachment, has infected over 150,000 phones in China. The app can reveal GPS coordinates, turn your 2-way call into 3-way call (i.e. tap your phone call), and more. It is being sold as a way for parents to track their child, boss checking up on subordinates, or jealous husband checking on wife (and vice versa).
Okay, okay, what do I do now?
Did I scare you enough? it is actually not that difficult to secure your phone.
Set a Password or Lock Pattern
While passwords and lock patterns can be hacked, it takes time to hack it. Setting a password will give you time to do some other security measures... such as remote wipe.
Use a Password Manager
LastPass or KeePass can be cross platform and give you security without affecting usability too much. Use a different password for every login would give you far better security.
Do NOT Lend Your Phone to Any One
Someone can install malware into your phone, whether intentionally or not, while it is in their possession. Yes, that includes your children.
Load a Security Package that includes Scan, Phone Tracker and/or Remote Wipe
If you lost your phone, you need to be able to locate it, and/or remotely wipe it clean so nothing from you can be stolen. (And those apps cost $$$, no way around it). Remember, if they have the phone in their possession, they can hack it.
The Security Package should also update itself and scan for malware threats upon every install.
Do NOT Click on Mail Attachments or Links (unless you're sure)
This is same as PC... Do NOT trust attachments or links, even if they appear to be from legitimate sources, unless you are sure.
Do NOT Download / Install Apps from Unknown Sources
By default iPhones only get apps from iTunes Store, and Android only get apps from Android Marketplace. You have to explicitly bypass those restrictions, and that opens you to vulnerability. There are a LOT of pirated stuff out there, promising free apps, but how do you know what are really in those apps?
(ANDROID) Even if it came from legit sources, have some common sense!
Just because it's on Android Marketplace does NOT mean it's automatically safe and legit. Google does NOT inspect all apps.
The fake apps were distributed through Android Marketplace, but they come from unknown developers. Look for reviews and direct links to Android Market or Appbrain instead of downloading sound-alike apps.
(ANDROID) Check those app permissions!
When you install an app on Android, it asks you for certain permissions. When an app asks for more permissions than it should (the fake Steamy Windows app asks permission for "sending and receiving SMS") you should abort the install.
Beware of Abnormal Phone Behavior
- Does your phone seem far more sluggish than usual?
- Did you notice strange charges in your phone bill?
- Does your battery not last as long as before?
- Does your internet data usage seem much higher than usual?
Make backup of all information so you can restore them if you have to.
If you do NOT have a security package loaded, you should get one immediately, and set a password on your smartphone. You may not get hit by smartphone malware, but there is no point in taking chances, is there?
For Android, the big names are already on the Scene
- Norton Mobile Security
- Lookout Mobile Security
- AVG / DroidSecurity Pro
- Webroot Security
- Trend Micro Mobile Security
Be safe out there.