The Android ecosystem has taken the market by storm in the last few years, with hundreds of millions of devices, smartphones and tablets, already in the hands of customers, and more on the way this holiday season. As you will know if you read our recent blog post about malware trends in 2013, malicious code that targets Android is on the rise, so now is a good time to discuss what happens if you've been good and you get a shiny new Android device this holiday.
Unfortunately, researchers at ESET see no shortage of people who are bad, not good, and some of these 'bad actors' are likely to regard your new Android as one more chance to make a buck or two at someone else's expense. The first thing to know about your new Android is that it is a full-fledged computer with a full-fledged Operating System, one that just happens to be able to make phone calls (if it is a smartphone).
These are not the mobile devices of yesteryear that simply doubled as a clone of your home phone without the cords, they have powerful, always-on networking and can do many things only dreamed about even on full-fledged computers only a few years earlier. Dig up an old Pentium desktop and try to do live video chat if you’re up for an evening of frustration.
The next mental exercise is deciding where you will get your apps from. If you stick to the Google Play repository, you’ll be far safer than if you get the same app from a third party which hasn’t been vetted by Google’s safeguards. The trend lately for mobile device scammers is to find a popular download in Google Play, then wrap it with malicious code and make it available from a third party site. If you fall for it, the app will download and install fine, but then the malicious code will kick in and do things like ramp up your cell phone bill by sending premium rate SMS messages silently behind the scenes, charges that may be difficult to reverse with your provider when you get the staggering bill the next month.
So you’ve decided to stick to downloading from official sources, what next? In the excitement of getting a new device, don't rush to overload it with apps. That can lead to unwise responses to questions like "Do you agree to these terms?" Try to force yourself to read any terms of service and licensing agreement information before you agree to something you may later regret (like agreeing to premium rate messages).
Since you’re using a computer, the advice that “less is more” applies to an Android device, just as on a desktop or laptop machine. Remember that old computer you bought and then stuffed with every program available until it slowed to a crawl? That can happen with an Android. Cram your Android full of every dancing animal game you can find and it will get sluggish too. And remember, every new app is a new potential attack surface. Just like a desktop computer it is wise to run an anti-malware app on your Android to keep an eye out for viruses, worms, and Trojans. (There are actually people out there who will pay others to compromise your Android device, as we reported a few months ago in "Dancing Penguins–A Case of Organized Android Pay per Install.")
Also, keep in mind many that Androids will go hunting for Wi-Fi access points and prompt you to connect in order to make use of a larger capacity network connection. But information transferred by Wi-Fi connection can be subject to snooping as it goes across the network, so you’ll definitely want to make sure you connect to networks that check out as safe (use a WPA or better encrypted connection). Of course, you can always stick to your mobile carrier's network connection, which is a more controlled environment, less vulnerable to snooping.
Mobile devices, while convenient to carry wherever you go, can also be conveniently scooped up and stolen by bad actors or opportunists, so you’ll want to enable some kind of auto-locking technology like a password, PIN code, gesture, or face. It also may be a good idea to install an app (or enable native utilities) that allow you to track down your device via GPS and/or Wi-Fi hotspot proximity if you suspect your new Android device may have fallen into the wrong hands. Some of these features can be activated remotely via SMS (as in the case of the ESET Mobile Security for Android product), so you send a text to your mobile device, and it can either tell you where it is, or wipe off all your personal information before a bad actor has a chance to exploit your personal information stored on the phone.
None of this is to say that Androids are inherently dangerous devices to use, but having your guard up, and possibly some software protections in place, will go a long ways toward keeping your personal information safe from harm, and can instill some peace-of-mind as you become infatuated with your new mobile hotness this season.
You can read more about Android security here. If your digital holiday is more of a Windows affair, check out Securing Your Holiday Tech Gifts, Part 1: Windows PC Guide for some helpful security and privacy tips from ESET's resident Windows guru Aryeh Goretsky, MVP.
By Cameron Camp, ESET Security Researcher
Have you purchased a new phone or tablet running Google's Android operating system? If so, which did you choose and what steps are you taking to make it ready for use? Be sure to let us know, below!