Got a mobile phone? Then you've got a Trojan problem too

Something wonderful has happened: phones have got smart, but the bad news is they may open the door to those you don’t want to let in. Time was when getting software to run properly on your mobile phone was such a challenge that it was nigh on impossible for bad guys to write malware that worked. Most phones used proprietary …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    "Google’s Android security team is good, he says, although he would recommend upgrading to version 4.3 or later."

    Well, that's rather in the hands of the manufacturer and operator than the user.

    1. Spearchucker Jones

      The [informed] user has a choice - choice of OS.

    2. Anonymous Coward

      "Lyne would put Apple and Microsoft in joint second place"

      Apple is way behind Microsoft. There have been a couple of hundred vulnerabilities in iOS, versus a couple in all versions of Windows Mobile and Windows Phone....

      1. Anonymous Coward

        "Apple is way behind Microsoft. There have been a couple of hundred vulnerabilities in iOS, versus a couple in all versions of Windows Mobile and Windows Phone...."

        Hahahahaha - thanks for the laugh. Very amusing, Steve.

    3. This post has been deleted by its author

    4. LarsG

      The majority of Android users can only dream of an update, unless of course they buy a new phone!

    5. Anonymous Coward

      Mr T says don't be a phone fool

      There are Two kinds of phone fool

      1. Jailbreakers

      2. Android users

  2. Anonymous Coward

    "one in 1,000 had some kind of spy phone software installed. Of these 53 per cent were Android and 47 per cent iOS"

    Surely not, the fanbois keep telling us iOS is perfect.

    1. Anonymous Coward

      > iOS is perfect

      Half a million users, so 500 infected of which 265 are Android and 235 are iOS. But Android market share 80% and iOS 15%? So 400,000 Android users, 75,000 iOS users in total? So 0.066% Android devices infected, 0.313% iOS devices infected? ie Almost 5x as many iOS infections as Android? Or is my maths failing me?

      1. Anonymous Coward

        Re: > iOS is perfect

        "Half a million users, so 500 infected of which 265 are Android and 235 are iOS. But Android market share 80% and iOS 15%? So 400,000 Android users, 75,000 iOS users in total? So 0.066% Android devices infected, 0.313% iOS devices infected? ie Almost 5x as many iOS infections as Android? Or is my maths failing me?"

        No, your math isn't failing you, but your English is!

        Perfect would assume 0 infections.

    2. Anonymous Coward

      53 per cent were Android and 47 per cent iOS

      I would put a hefty bet that virtually all the 47% iOS were Jailbroken.

      But of course this isn't stated :o

      1. MrWibble

        Re: 53 per cent were Android and 47 per cent iOS

        I would put a hefty bet that virtually all the 53% Android installed apps from unofficial / crap sources.

        Doesn't make any difference to the stats though.

      2. BillG
        Meh

        Re: 53 per cent were Android and 47 per cent iOS

        I wonder how many of that 53% were LG phones. LG is very lax in software upgrades. They don't discontinue their phones - they abandon them.

        he contacted LG and waited six months until the flaw was fixed

  3. Anonymous Coward
    Flame

    Objective Viewpoint

    >He contends that BlackBerry is the most secure, both in its BB7 and BB10 incarnations – although for security you have to sacrifice the openness of the BB10 system and then you have to wonder what is the point of going to BB10 in the first place.

    Wow, cheap shot there - instead of lauding BB's security ethic from an objective perspective, you take the opportunity to stick the knife in. Great journalism, well done.

    1. sabroni Silver badge
      Happy

      Awww, did they say something nasty about blackberry?

      You're going to have a hard time on this site if that's got up your Goat.....

      1. Anonymous Coward
        Stop

        Re: Awww, did they say something nasty about blackberry?

        Heh, no, not really fussed about people I'll never meet having a go at BB (the company, phone *or* OS), and yes, I've seen a lot of abuse levelled their way (I do wonder if any of the abusers have actually tried to use the OS though). I was actually just intrigued that in a pretty level-headed and objective report on the state of things (ie no wild "Android is crap" headlines), he slipped in a cheap shot to BB, who in the context of the article come out on top.

  4. RyokuMas
    Trollface

    A picture springs to mind...

    ... Eadon, crying into his keyboard. Or more likely, claiming that this article was written by a Microsoft shill.

    1. Katie Saucey
      Happy

      Re: A picture springs to mind...

      I miss those amusing Eadon rants as well. I've almost considered resurrecting him in chatbot form. Maybe this weekend I'll modify the dictionary file for an old bot I wrote at uni. I figure it'll only take 2-3 of my MS-hating friends and a case of beer to perfect it.

  5. Ugotta B. Kiddingme

    BB10 less secure? Doesn't seem so.

    "The model of using a container for applications cuts the risk of the data leakage associated with BYOD (bring your own device). A secure container is set up for corporate applications such as email, calendar, browser, storage clients and so on.

    "Data downloaded from the enterprise, such as email attachments and files, cannot be accessed by applications outside that container."

    That pretty much exactly describes how BB10 was explained to our team at unveiling. By far, the coolest feature of BB10 was the ability to have your corporate and personal stuff on the same device AND easily transition between the two AND satisfy corporate security types that there was no co-mingling of said stuff.

  6. FSM

    "Smarter polymorphs and the like"

    They don't steal your emotions, they take your intelligence.

    Or I guess that's technology in general.

  7. Anonymous Coward

    Yeeee Ha!

    "Lacoon found that one in 1,000 had some kind of spy phone software installed. Of these 53 per cent were Android and 47 per cent iOS, with 22 per cent of the infections being on Android 4.x."

    My Lumia 920 will stay in my poke.

  8. Anonymous Coward

    What do they consider "spy software"?

    Is it something that does something unintended, like an app that sends data about your phone to the developers, even something rather innocuous like a wireless MAC? Or is it only ones that are actively doing something evil, like texting premium numbers or stealing your contact lists?

    I'd sure love to see examples of the kinds of software they consider spy software, especially those that just barely make the cut. I have a feeling they're inflating their numbers, but maybe I'm cynical since they're a security company and undoubtedly feel that creating worry about smartphone security will help their business.

    They probably consider any rooted Android or jailbroken iPhone as "spy software", as if it was someone other than the owner who did it.

  9. John Tserkezis

    Said it before, I'll say it again.

    Every time you hear someone saying that mobile devices are inherently insecure, they're trying to sell their antivirus/malware/whatever product.

  10. STZ

    Only dumb devices are secure ...

    Simple fact of life: Any device that accepts downloaded code is of course threatened by malicious code downloads. That's why no smartphone/tablet/laptop/PC will ever be really secure.

    If you want real security, you need to get back to something like dumb terminals. Not necessarily those 3270 or VT100 character-oriented terminals of the past, but to dumb phones or hardcoded browser terminals that don't accept any code downloads. Updates only by inserting new ROM modules supplied by your trusted dealer or IT support staff ...

    Less flexibility ? Yes. More security ? Yes. More stability and lower support cost ? Definitely yes ...

    And dumb terminals are ideal for cloud computing ...

    1. Alan W. Rateliff, II

      Re: Only dumb devices are secure ...

      The terminal is secure in that manner, sure, but what about the mainframe or whatever server which powers that? If you are expected to be able to run code of your choosing then the terminal server would be vulnerable in some degree.

      Beyond the 90s definition of downloading code, even just simple browsing opens up a whole world of infection vectors. Java, Flash, or other "rich content" plug-ins which the user will want (or need) are not just ripe, but actively being used for remote vulnerabilities. Then we are again stuck with the notion of the black box we use being secured.

      The only protection I see at that point is a fully virtualized environment at the terminal server end, where your session is built on-demand from a template and injected with the software you have selected or, in the case of enterprise environments, has been provided to you. You can play all you want, and if you become infected your session is destroyed and subsequently rebuilt from the original template. There is still the concern of your data being affected, such as with CryptoLocker, but good versioning should help with that factor.

      Of course, this scenario relies upon the security of the underlying virtualization platform which is going to be a black box to us as, let's face reality here, how many of us perform a full source audit of every open software we deploy?

  11. ecofeco Silver badge
    WTF?

    Smart phones not so smart

    The entire smart phone market, design, software and hardware is still a huge mess.

    I don't know why Google felt compelled to allow mfgs to fork Android, but that should be fixed ASAP. (oh I can make some educated guesses why they did)

    Mfg should also trim their product line. A cheap entry model, a mid price and a premium. What more do you really need? (and stop introducing new models every week)

    AV should be MANDATORY from the factory.

    1. Christian Berger

      Re: Smart phones not so smart

      "AV should be MANDATORY from the factory."

      I'm sorry, but I don't see how something that has been proven to be just snake oil could have any beneficial effect.

      1. Alan W. Rateliff, II
        Paris Hilton

        Re: Smart phones not so smart

        Right on, brother. This is why I don't get my flu shot every year like the rest of the medical-industrial complex lemmings.

      2. ecofeco Silver badge
        Trollface

        Re: Smart phones not so smart

        Anti virus is snake oil?

        You're trolling, right?

        1. Pascal Monett Silver badge

          Re: You're trolling, right?

          Not so much.

          As recently as last week-end, I had a friend bring me his Win7 PC that was white-paged by some French version of the Homeland Security virus. I spent the day trying to get rid of it.

          The virus was good. It entirely blocked the launching of anything, it masked the icons, the Start button didn't work, and even the USB ports were inactive. In short, nothing but booting from a CD could have a chance of doing anything.

          I used my Knoppix LiveCD to snoop around and try to find the exe that launched itself before everything else, but no go. So I went to the major AV sites to find an ISO that might help. I went to Norton, BitDefender, Avast, Avira, Defender32, and a few others I don't remember the name of just this instant.

          They all had LiveCD ISOs for free download. I downloaded them all, using a rewritable CD so as not to waste opticals. I spent the entire day downloading, burning, starting up the infected PC, and booting on the CD.

          I also spent the entire day watching every single vendor solution fail miserably to even boot properly, not to mention actually take care of business. And this on a three-year old PC, not some old 286 dug out of a pit.

          All of these LiveCD solutions are based on some flavor of Linux or another, and not one of them managed to even get me to a proper selection screen, or useable UI of any kind.

          In the end, I slotted in my Win7 install disk and formatted the partition before launching the install. Problem solved.

          So, yeah, snake oil.

    2. Randall Shimizu

      Re: Smart phones not so smart

      I tend to agree. Google needs to implement a standard implementation for Android. I think the big issue is limiting users' ability to upgrade. This govt report points out that older versions of Android like Gingerbread are one of the biggest threat problems for Android.

  12. Christian Berger

    First we need to separate Hardware from Software

    The informed user must be able to switch the operating system just like switching an SD-card. Hardware platforms should be similar enough and discoverable so operating systems don't have to be ported to every little phone. Only then will we get the quality benefits we got in the PC world since the late 1990s.

    1. ecofeco Silver badge

      Re: First we need to separate Hardware from Software

      Exactly.

      Just one point of fact, though: PCs have been pretty much OS neutral since the 1980s. This was known as the XT platform.

  13. Randall Shimizu

    Google needs to do a better job of keeping the Android market free of malware. There is no excuse for Google to allow malware in the Android market. Now supposedly Android is secure according to Adrian Ludwig, Google's security chief. Android has a layered defense model, but most of the malware is coming from apps that are installed via text message and/or from phones that have older phones (http://qz.com/131436/contrary-to-what-youve-heard-android-is-almost-impenetrable-to-malware/). There is another govt report that indicates that 44% of phones are still on Gingerbread, which is more vulnerable to attacks. The other attack vector is via fake Google Play domains. Much of this makes sense if you think about it.

    So therefore Google needs to require phone makers to keep their users' phones up to date and/or make it easier to do so. Most users want to be on the newer versions of Android anyways. Companies can secure Android BYOD devices by requiring users to be up to date on the latest version of Android or helping them to buy a newer one or supplying them one. Educating users in safe use practices and having regular scans of the devices for vulnerabilities would help as well.

    Ultimately more must be done on Google's part to educate and enhance security in the Android community.

  14. Patrick R
    Headmaster

    Please change the title

    from "mobile" to "smart" phone. I got a proper mobile phone.
