Hackers, viruses, phishing: why all smartphone and tablet users need to know about mobile security
Tell someone they need antivirus on their mobile gadgets and most people react with incredulity. The idea that we have to treat a mobile device like a desktop or laptop is still foreign to many smartphone and tablet owners, yet the devices we have in our pockets are powerful computers brimming with valuable personal data.
Given the rapidly rising popularity of smartphones (over 200 million were sold in 2012), is it any surprise that hackers and virus writers are increasingly turning their attention toward the portable devices a significant percentage of us now use for everything from texts and calls to online banking and shopping?
At MWC this year mobile security was a major theme; all the big security vendors now offer mobile versions of their desktop software and are keen for mobile users to get up to speed on device security.
We sat down with Norton Antivirus technical expert Stefan Weshe and McAfee’s Director of Mobility Products Lianne Caetano to find out more about the latest threats and how you can protect yourself from hackers, thieves and viruses.
Educating mobile users
They might be old rivals but Norton and McAfee do agree on at least one thing: the big issue with mobile security right now is user knowledge.
It took years for the average computer owner to understand the importance of anti-virus and the mobile security situation is analogous to Windows PCs in the 90s, when many of us did not use security software allowing viruses and trojans like the infamous NetBus and Back Orifice to spread.
“On PC everybody is aware they need protection”, says Stefan, “on mobile most people are not aware, and that’s where we should start, telling them about the problem.”
Lianne agrees. “They’re not aware, they don’t think of it as a PC, but it’s a most powerful PC and it’s very personal. But people don’t have passwords! It’s definitely an awareness thing right now.”
It’s not just about users failing to lock their smartphones with a PIN code though. One big area of concern is the route viruses are taking onto phones and tablets.
On the official app stores software is checked to ensure it is virus free. While some malware does sneak through it’s a very tiny amount compared to the third party app stores...and piracy.
“Say you download Angry Birds for free...it’s easy for a developer to pick that up, trojanise it and put it back on”, says Lianne. “And we know that people are willing to give up a little privacy for something free. So you might be using Angry Birds and it might be sending your contacts to the developer who ends up selling it to somebody.”
Pirated apps are an easy target for virus writers. They can distribute modified software via torrent sites, forums and other avenues and by the time anyone notices it could have been downloaded hundreds, if not thousands, of times.
Third-party app stores are another popular vector. These are common in Eastern Europe and Asia (the areas where, not coincidentally, mobile viruses are currently most prevalent), provided by manufacturers, networks and other parties in order to offer app downloads while bypassing the official channels. But they do not have the same stringent standards as the proper outlets so viruses can be very easily disseminated.
And right now the mobile operating system most affected is Android.
Is Android insecure?
Android has been hit with some high profiles virus attacks and is frequently criticised for its insecurity, with comparisons made to Windows vs the safety of Apple devices. But is this fair?
“We see attacks for all of the operating systems”, says Stefan, “but the biggest number clearly for Android and then some attacks for iOS as well, but not nearly as bad as Android.”
This is also McAfee’s experience, says Lianne: “Because of the open nature of Google’s operating system it’s a big target.”
But this isn’t because Android is inherently insecure. Exploits have been discovered in Google’s OS just like every other system, but the issue once again comes down to a lack of knowledge.
By default Android blocks the installation of apps outside of Google Play, except this safeguard can be easily disabled in the settings and once that happens you can load your phone with apps obtained from any source, whether it’s a legitimate third party developer or a pirate app store overflowing with virus-laden freebies.
As Stefan explains: "On Android you have this option to download from different marketplaces, but on iPhone you can go only to iTunes. We have seen and we do still see infected apps on Google Play, but the likeliness of an infected app is way lower than if you go to a third party app store."
This results in the rapid spread of annoying and sometimes dangerous malware which can do anything from stealing passwords to sending premium rate texts to generate cash for criminals.
The freedom Android gives its users is its biggest advantage over the competition, but also its biggest problem.
Another aspect to consider is Android’s enormous popularity. It’s now the biggest mobile OS by a significant degree; 144 million Android smartphones were sold last year dwarfing even Apple’s iOS which shipped ‘just’ 43 million.
Whether virus coders and hackers are doing it for money or fun, they want victims and that paints a big glowing target on every Android device, says Lianne: “It’s the fastest growing OS. There’s a business element, they go where the market is.”
So Android users have to be extra careful...but that doesn’t mean the rest of you can relax, every smartphone owner should exercise caution. Implementing basic mobile security measures is very important and doesn’t have to cost you anything but time.
PIN codes, patterns and permissions
It’s shocking to find that many people do not have any kind of password on their smartphones. A survey carried out by Norton found 35% had no password while McAfee’s research suggests it could be as many as 50%.
Every smartphone owner should have a security lock on their handset. iPhone users can enable a PIN-code while Android has various options - as well as a PIN you can choose to have a pattern or password.
Pattern lock is quick, but not particularly secure. Simple routines can be easily guessed and it is possible to work them out by examining finger marks on the display. PIN and password are by far the best options.
Newer Android devices also offer ‘Face Unlock’ which utilises the front camera to recognise your mug but these have been found to be very insecure, they can even be unlocked with a photo. Fun as a gimmick but it’s only slightly better than no security at all.
One interesting new development which was demonstrated at MWC is EyeVerify. This is a third-party security add-on which identifies users by veins in the whites of their eyes. Unlike iris or fingerprint scanning it doesn’t require specialised hardware, and it can’t be fooled by photos like Face Unlock. EyeVerify is due to release on Android and iOS later this year with the firm offering it to developers to integrate into their own apps.
As well as locking down your mobile devices with a password of some sort, Norton’s Stefan Wesche was also keen to point out the importance of app permissions. “Make sure that you are always reading what’s going on with the device. People don’t do that.”
When installing software on an Android device the operating system will give a detailed list of the system functions to which that app will have access. Rather than skipping past this it’s vital to check it carefully for oddities.
It would not be unusual for a phone dialler app to have the ability to make phone calls or see your contacts, but what if it’s a game, video player or wallpaper tool?
If you see a permission that seems out of place cancel the installation and do some research. Check the app descriptions - legit developers will often state why they require a particular permission if it’s out of the ordinary, and reviews from other users can warn or reassure you as to the app’s legitimacy.
Which mobile security software?
Lockscreen passwords and user vigilance offer a basic level of protection but in order to properly secure phones and tablets additional software is necessary.
Mobile security apps have two basic goals: blocking viruses and protecting your privacy.
Viruses are caught by scanning for known threats or watching for unusual behaviour to snare unknown malware. Typically, mobile anti-virus tools will scan for threats on memory cards, web sites and other vectors, examine existing apps and monitor new installations.
Privacy protection is achieved in a number of ways.
Web addresses are checked against a database to prevent phishing or drive-by downloads (exploits delivered by web pages). Call and SMS blocking can stop spam and other unwanted communications. Some more advanced security tools may also offer encryption to block packet-sniffing when using Wi-Fi networks.
Vitally, remote control functionality is now a standard feature. If the worst happens and you lose your phone it’s possible to track handsets via GPS, sound an alarm (useful if it’s just gone down the back of the sofa) and, if all else fails, remotely wipe the memory.
Losing a phone is expensive and annoying but this way you can at least be reassured that a thief isn’t accessing your email or messing with Facebook profiles.
With mobile security such a rapidly growing market there are numerous apps available on all platforms so here’s a few recommendations to get you started...
Norton Mobile Security
For a number of reasons, including those we outlined above, Android is the main focus for mobile security right now, but Norton’s product also works on iOS so you can protect an iPhone or iPad.
It offers strong AV protection thanks to Norton’s extensive online database which is used to identify malware rather than consuming a large amount of system resources on scanning. There’s also a nice web-based interface that makes it very easy to manage all your devices.
The basic Lite edition provides tracking and AV scanning, but upgrading unlocks privacy protection extras such as remote wiping and call blocking. Usefully, mobile security is now also part of the Norton One service, which means you can protect any combination of five computers or mobile devices with one annual subscription.
McAfee Mobile Security
McAfee offers a great combination of anti-virus protection backed up by years of experience and some excellent anti-theft features thanks to its acquisition of WaveSecure a few years back.
Its AV scanning monitors app installs, SD cards, downloads and malicious payloads hidden in other files, while also blocking dodgy web sites, texts, emails and even QR codes.
In the event you lose your smartphone, McAfee jumps into action to lock, wipe and track a wayward mobile. Data can also be backed up to a cloud server and easily restored, so theres less hassle when it comes to setting up a new handset. Important apps can also be locked so thieves won’t be able to get their hands on your emails or other vital stuff.
Good news for BlackBerry and Symbian users too, because McAfee also works on those platforms, with iOS in development for later this year.
avast! Mobile Security
Famous for its free desktop AV, avast! got a leg-up into the world of mobile security by purchasing Theft Aware, a popular anti-theft tool. Thanks to this canny buy it now has the best anti-theft security package on Android.
avast! offers anti-virus as part of the suite, but it’s the remote control functions which make this a real stand out.
Like others it can remotely track, lock and wipe a phone however it’s particularly clever and powerful, doing smart tricks like sending warnings if the battery is low or alerting you when the SIM is swapped out.
Most importantly, it has the ability to stay installed after a factory reset, though this does require a rooted handset
And despite all that good stuff this one remains totally free.
Thanks to Symantec we've got a copy of Norton Mobile Security to give away to one lucky reader.
Worth £29.99, this package will give you a year's peace of mind by securing your mobile phone or tablet against all kinds of threats...
- Remotely trace, lock and wipe stolen or lost phones
- Set off a 'scream' alarm via remote access
- 'Sneak Peek' remotely snaps a photo of the person using your device
- Access security options for all your devices through one easy web interface
- Blocks phishing sites
- Cutting edge anti-virus that detects threats on apps and removable memory cards
- Back up and restore contacts
- Compatible with Android, iPhone and iPad
For the full list of features visit the Norton Mobile Security site.
This competition is now closed.
Congratulations to winner @greigo_uk !
The competiton opens 11 March 2013 and closes 15 March 2013.
Terms and conditions
By entering this competition you agree to the following terms and conditions:
- Competition opens 11 March 2013. Closing date is 5pm on 15 March 2013.
- Winner will be selected and notified by 18 March 2013.
- Winner will be notified through Twitter and their name published on this page.
- Open to residents of England, Scotland, Wales and Northern Ireland aged 18 or over.
- One entry per person.
- Entry via Twitter only.
- Entrants must have Tweeted a link to this page and be following Broadband Genie when the prize draw takes place.
- No purchase necessary.
- No cash alternative.
- Not open to employees of Genie Ventures Ltd.
- This promotion is operated by Genie Ventures, Unit 9 & 10 Millers Yard, Mill Lane, Cambridge, CB2 1RQ