I’ve talked a few times in this space about the latest and greatest security threat to Android, whether it be a Trojan horse found in legitimately acquired software, or malware introduced via side-loading.
This past week, people had their fingers waving in the air again over another massive-sounding problem: BlueBox Security identified a flaw in cryptographic verification that’s been around since Android 1.6. This vulnerability could potentially affect 99% of all Android phones on the market, turning them into evil robots that spy on your every move and steal your data. So in other words (say the cynics), it’s business as usual.
No doubt Google is already working to create a patch for this hole in the next update to Android, but in the meantime you’ll have to wait for a patch from your device manufacturer. (Samsung has already issued a patch for the problem.) But since the problem has been around for four years now with very little panic in the streets, there’s no reason to freak out about this if your patch isn’t available immediately.
The reason is that in order for the Bad Guys™ to take advantage of this Android vulnerability, you need to have installed an app with malicious code designed to take advantage of the cryptography flaw. Google has since identified offenders and removed them from Google Play, which means you’ll now have to go out of your way to infect your Android device. Yes, it’s still possible, but it’s a lot harder now.
It’s the same old song and dance as we used to have (and to be fair, still do have) on Windows: we run things that we know we really shouldn’t be running. On Windows, that could be a self-extracting file that purports to be a new movie, or a cracked version of a game.
The same rules apply on Android: if the app is asking you to do things to get it installed that require you to defeat normal security checks, or to add things to your device that you generally wouldn’t add, you probably should think twice.
Your desire for something shiny and new is exactly what will push you over the edge into doing something unwise, and that’s exactly what malware authors are counting on. (This seems like a really obvious thing to say, but you know what? It’s always good to have a reminder on this, because everyone has something that will tempt them against all common sense.)
Unfortunately, the lines on this are blurred a bit when you start to look at some seemingly legitimate apps, like the Samsung app offering up a free download of the new Jay Z album Magna Carta, Holy Grail to Samsung Android users.
The app, which was purportedly designed to get this album into the hands of Jay Z fans before the official release date, asked for some truly intrusive permissions while installing, like gaining access to information about the accounts used on the phone, your current location, as well as current call status. (Let’s not even talk about having to authenticate with one of your social media accounts in order to get your booty. Ugh.)
So in this case, in order to get your “free” download, you have to expose all of your information to Jay Z and/or Samsung. If that doesn’t sound like a good deal to you, you’re not alone – a lot of people took one look at that and said “no thanks”, with many deciding that they’d just buy the album when it came out, or steal it via the usual online channels.
Complicating this even further is the rush of cloned malware versions of this new app, which don’t just intrude into your privacy, but send your private data wholesale to a server elsewhere in the world.
Whether you go with the legitimate app or one of the pirated versions, you’re still opting in to something that’s not necessarily in your best interests. You know the old saw about how if something seems too good to be true, it likely is. Which means that if the lure of the free just seems too tempting to pass up despite a bunch of red flags, ultimately, the problem with Android may well be you.