The Android Operating System (OS) is soaring in popularity and now holds a dominant 52.2% of the smartphone market in the US. However, a string of flaws and vulnerabilities uncovered over the last year has cast a shadow on this OS. This leaves even users who follow safe browsing habits and download apps only from the official Google Store at risk through no fault of their own.
To compound matters, cyber criminals seem to have become aware that Android phones are easy pickings and now increasingly target devices running this OS. The “Sophos 2013 Security Threat Report” estimates that during a three-month period in 2012, 10% of all Android-powered devices in the US suffered a malicious attack, while the corresponding figure for PCs was just 6%. The most recent report from Kaspersky Lab reveals that 99% of mobile malware detected every month now targets Android phones!
The Issues
Research conducted by Duo Security last year, covering 20,000 Android-powered devices, reveals that one out of every two Android phones remains susceptible to at least one flaw that attackers could exploit, and this is a conservative estimate. These flaws usually allow cyber attackers to exploit zero-day vulnerabilities in apps and websites, and launch attacks.
In December 2012, researchers discovered that malicious applications could gain root access to many Samsung phones running on Exynos processors without even securing permissions. The vulnerability was due to the way in which Samsung implemented the kernel. The popular Galaxy S2, S3, Note and Note II all remain susceptible to this vulnerability.
Cyber criminals aggressively attacked Android phones throughout 2012, leveraging zero-day vulnerabilities to the hilt, and unfortunately such attacks seem to be continuing in 2013 with even greater intensity.
The Attacks
The most common type of malware attack carried out against Android phones involves installing fake applications that either send spam or steal information.
Many attackers peddle fake apps that secure permissions from the user on the sly to send SMS messages to premium-rate SMS services. The most recent instance of such an exploit was 600,000 Chinese Android users being infected with the “Bill Shocker” malware, which used the infected devices to spew spam.
In January 2013, botnets made their mark in the Android space. A million Android users in China are already infected, and more than 7000 Android apps slip in malware that allows the cyber criminals to commandeer the phone as part of a botnet.
A common type of Android malware is eavesdropping malware, which intercepts the authentication code sent by banks and thereby subverts the two-factor authentication system in place to protect online transactions. As many as 41 apps in the Google Play Store remain capable of leaking sensitive data without user permission, as per the findings of researchers from Philipps University of Marburg and Leibniz University of Hannover!
Attackers also slip in malware to harvest data from phones. The Exprespam malware, for instance, made its way to many phones through a service that mimicked the Google Play Store and has since stolen anywhere between 75,000 and 450,000 pieces of personal information in a matter of a few weeks.
Causes
The root cause of the security issues is the haphazard way in which the OS delivers patch updates. In this case, Android’s biggest strength of being an open source platform has also proved to be its major weakness. Google has relatively little power over device manufacturers as it offers the Android OS for free.
Carriers decide on updates independently, and as such, end users have no idea whether they have a fully updated OS or whether they should expect an update. Carriers, overall, are conservative with updates as they fear upsetting the applecart, leaving most systems vulnerable most of the time. The average Android OS is two years behind in updates, according to researchers at Kaspersky Lab.
Solution
The risks notwithstanding, Android still remains a safer bet than Windows.
The obvious solution is to protect the Android-powered device with a mobile anti-virus suite, which would detect and block malicious apps that may try to exploit the vulnerability. However, this may not be enough, as mobile anti-virus suites have not yet reached the level of maturity of their desktop counterparts and cyber criminals have, by now, developed many ingenious ways to bypass them.
One good option for the end user is to update Duo Security’s X-Ray app which, incidentally, is available only at the company’s website and not the official Google Play Store. This app works differently from conventional anti-virus suites in that it unearths known flaws in the OS for which a patch has not been applied.
Summary
Most Android devices sport vulnerabilities. Cyber criminals have realized this and are targeting Android-powered devices aggressively.