I am sharing this article, written by Shelly Tzoumas – Thanks, Shelly!
How close are relentless cyber criminals to hacking your mobile device—really? Security reports indicate 1 in 5 Android apps contain malware. What do you need to know? To find out, Shelly sat down with Alex Hinchliffe, Mobile Malware Research Manager at McAfee, who explained the risk and provided five valuable mobile safety tips.
“Your everyday tasks may be the most revealing,” explains Hinchliffe. “Despite a recent rise in ransomware malware, today’s biggest mobile threat is data leakage from app ad libraries and other privacy-invasive apps.”
Tip 1: Skip the ‘free’ version of apps and don’t download apps that share too much
We all, by nature, want to get something for free. Usually, when you download the “free” version of an app, you accept in-app advertisements. The ads are a little annoying, but the worrisome part is happening behind the scenes. The app has permissions to collect data from your mobile device that it doesn’t need.
“Typically, ad libraries are tracking your tasks, what network you are using, and collecting your account information,” says Hinchliffe. The data enables retailers to target you with coupons and promotions. “You can avoid over-sharing by reading the app reviews and permissions information,” advises Hinchliffe. “We are finding only a handful of ad libraries associated with malware, so the risk here is primarily to your privacy.”
Tip 2: Install good security software to guide you through confusing app permissions
If you are using an Android device today, you have little control over apps once you install them. This means you don’t know how the app is using any permissions you may have granted. Some mobile security apps, like McAfee Mobile Security, help by alerting you to permissions when you download an app. They can also inform you if the app is able to do something you don’t expect.
Tip 3: Avoid third-party app stores and direct download sites; get your apps directly from the Play Store, Apple Store or Microsoft
The reports of mobile malware are staggering, and we asked Hinchliffe to help us better understand the landscape. McAfee Labs reports 6 million mobile malware samples in its zoo (see chart), most of which are designed for Android. Few mobile breaches, however, have been reported. “When you look at data breaches as a whole, like the Verizon Data Breach Investigation Report does, stats in the mobility vector are low,” says Hinchliffe. “This can be deceiving because mobile malware is evolving from spyware to more dangerous capabilities that give the attacker remote control over the device, or to encrypt your cherished photos and other data then hold them to ransom.”
Just as attackers learn how to gain control of devices, more and more users are switching to mobile payments. In fact, overall dependence on mobile devices is growing with reported usage of more than 30 hours a month.
“The primary method of installing malware on mobile remains consistently via apps delivered through third-party app stores or direct download sites,” says Hinchliffe.
Tip 4: Don’t click hyperlinks sent in SMS messages – even links in messages sent from trusted contacts
The scariest scenario involves SMishing (SMS phishing). “Mobile attackers are sending SMS (text) messages, prompting users to click a hyperlink to a direct download site,” describes Hinchliffe. “Unsuspectingly, they download malicious apps and, if installed, lose control of their data or even their device.”
Tip 5: Avoid connecting to your web accounts with mobile apps, or only connect to websites offering two-step verification
Bad apps are universal, as evidenced by recent reports showing thousands of apps in Apple’s App Store could be used to spy on your communications. Further, McAfee found 18 of the 25 most downloaded apps from all primary app stores remain vulnerable to man-in-the-middle (MITM) attacks four months after the vulnerabilities had been reported.
“This means that all communications between the mobile apps and their websites, including usernames and passwords, are potentially viewable by cybercriminals,” says Hinchliffe.