If you’re one of the lucky ones who unwrapped a Google Nexus tablet
or one of Samsung’s army of different-sized Androids, congratulations –
but there are a few sensible steps to take before taking that device
into the ‘real world’, especially if you intend to use it for work.
There have been many scare stories about Android this year,
often relating to malware targeting the OS – some rather overstated,
but many, sadly close to the truth.
ESET’s
Annual Threat Trends Predictions report
for 2014 found that detections of Android malware have increased 63%
from 2012 to 2013 – with new strains of malware posing serious threats,
such as Trojans targeting online banking apps. Previous generations of
phone malware often merely ran up bills using premium SMS numbers, or
assaulted users with unwanted adverts.
If you’re a user ‘switching sides’ from an Apple iDevice,
you might be alarmed – and it’s easy to feel at risk when you’re getting
used to a new system. But it’s not quite as bad as it seems.
Thankfully, Android itself now offers some great built-in protection
against theft and malware – including a great anti-theft system quietly
rolled out by Google to many Android users.
Downloading free AV software such as ESET’s
Mobile Security and Antivirus is
a great way to ensure your device – and your data – are safe, but our
tips should help even novices get the most out of their new Androids,
and ensure that even if the worst happens, and a cellphone is stolen,
the data on it will remain safe.
Once it’s started up, lock it down
Android devices from different manufacturers come with their own
security systems built in, but the really bulletproof ones are Google’s,
and common to all up-to-date Android devices. The most basic one is a
screen lock, and it’s available on every model.
Do this before you take your device anywhere. Head to
Settings > Security > Screen Lock.
On new devices, you’ll usually get a choice of pattern, PIN, or
password. A pattern’s less secure than a PIN, and a password is your
best choice. If you’re using your tablet or smartphone for business, be
extra careful. Talk to your IT department, and read our
guide to encrypting data on Android here.
While you’re at it, double-lock the important stuff
If someone does crack your code (sometimes possible simply by turning
a handset sideways and looking for greasy finger marks – which is why
choosing a pattern code can be risky), you can add another line of
defense by locking individual apps – a very sensible step, and the
reason that the excellent, free App Lock is, its makers claim, the
most-downloaded app on Google’s Play Store. App Lock lets you create a
PIN which locks important apps – your email, Dropbox, or anything else
which could hand data to cybercriminals.
Better still, App Lock is pretty good at defending itself – it has
mechanisms to ensure it can’t be uninstalled unless you have the PIN.
If you share ANY devices, be careful with Google Now
Google’s Now service can be accessed on Android via either a
swipe up from the bottom of the screen, or via a Google Search box on
screen, depending on which make of Android you choose – offering
“predictive search” – ie guessing information you might need, based on
your habits. Used carefully, it’s great – offering reminders of flights
you have to catch (culled from Gmail), and traffic conditions on your
commute (based on GPS data harvested by the handset).
But while the
‘predictive’ search experience adds a lot to Android, it can also give a
lot away. Any device signed in to the same Google account – ie a tablet
you share at home – will ‘know’ whatever information you opt to share
with Now, including potential privacy minefields such as your web search
history. Thankfully, you can tailor how it works for you from Now, or
from Google’s
dashboard page – do so carefully.
Taking your phone to work? Talk to IT first
The trend for workers “bringing their own devices” to work
is increasing year-on-year – but your boss and your IT department will
thank you if you ask first. Around 30-40% of devices in workplaces fly
“under the radar”, according to former vice-president of security body
ISACA Rolf von Roessing, who warned that workplaces faced a “tidal wave”
of threats unless users were educated about risks, as
reported by We Live Security here.
If
you’re taking your own phone to work, ask your IT department for advice
– and remember that even an email ‘Sent’ box can contain information
invaluable to a criminal looking to penetrate a company network. Your
boss will thank you if you’re open about using your own smartphone in
the workplace – or even for working from home. Our in-depth guide to
bringing devices to work – and not bringing disasters with them – can be found here.
Lost it already? Don’t panic!
Despite frequent malware attacks – and an official app
store that is still home to thousands of malicious and spammy apps –
Google offers a pretty decent selection of security features built in –
including a location tracker, which can help find a lost device, even if
it’s just down the back of the sofa.
Visit Google’s
Android Device Manager page
to activate it, while logged into your Google account, and you’ll be
able to force a device on silent mode to ring, remote-lock a device, and
view its location on a map. If you own several Androids, you’ll be able
to see them all. More advanced protection is offered by AV programs
such as ESET’s
Mobile Security and Antivirus, but Google’s own, rolled out quietly to any users of Android 2.2 and above last autumn, is a good first stop.
Keeping sensitive info on your smartphone? Don’t store it on a removable SD card
If you are keeping sensitive information on your phone –
you really shouldn’t, if at all possible – don’t keep it on a removable
SD card. This makes it easier for attackers to access data. If, for
instance, your photos include an image of your credit card or passport,
don’t store them in external memory.
Ensure anything you want to keep
safe is stored in your device’s internal memory, and protect this using a
strong password. Google’s
Android Device Manager page offers useful options to wipe data remotely if a phone is stolen – and AV apps such as ESET’s
Mobile Security and Antivirus
offer more options for users who have lost a handset, including playing
sounds and remotely locking devices (with built-in password protection
so criminals can’t disable the anti-theft functions).
Encrypting your phone WILL slow it down – but keep your data safe
Encrypting your device – so that all data on board is
PIN-protected – isn’t for everyone: it will slow your device down,
which can be painful if you’ve just unwrapped a top-of-the-range
smartphone. But if you are carrying work information on it, it’s a good
way to ensure sensitive data is safe, even if the device falls into the
wrong hands.
Thankfully, it’s easy to encrypt your device in Android’s
own settings menu – Settings/Security/Encryption – in an option
available since Android Gingerbread 2.3.4. Choose Encrypt Device and
Encrypt External SD Card, then wait while the device crunches your data
(this takes a while). After that point, your data is PIN-protected. This
will slow your device, though.
A more detailed We Live Security guide
to encryption – on mobile and PC – can be found
here, with explanations of when and why you might want to encrypt data.
Google’s Play store isn’t perfect – but it’s FAR safer than most ‘unofficial’ stores
For ‘defectors’ moving from iOS to Android, the fact that malicious
and spammy apps sneak into Google’s official Play store may be a shock –
unlike Apple’s App Store, there is no approval process, so ‘bad’
apps can sneak onto Play.
Play, though, remains a far safer place to
shop than unofficial stores – or bogus ‘review’ sites offering free
apps. Google removes ‘bad’ apps once users complain – but some lurk
around for quite a while. Watch out for close-but-not-quite clones of
popular apps and games – a classic trick – and in general, think like
you are shopping on eBay (ie does the developer sound legitimate? What
do the reviews say?).
Most apps on Play, though, ARE safe – if you
follow our
detailed guide to being a happy app-y shopper here.
But the most crucial point: if you stick to Google Play, Amazon’s App
Store and GetJar, you will be much safer – although “bad” apps can still
sneak into those.
Don’t feel you HAVE to root your Android
For many tech-savvy phone users, the chance to ‘root’ an Android
device is tempting – gaining root access to the phone’s OS allows users
to, among other things, uninstall all the unwanted apps with which
Samsung and other phone makers routinely bloat their devices. There are
dozens of tutorials on how to root devices online, and many Android
forums make it seem like a “first step” for users, allowing Android fans
to run apps which require root access, such as firewalls – normally
blocked by the OS.
But rooting a phone opens users up to new risks – and cuts off
many of the protections built into Android itself. It will also severely
annoy your employer, if the handset happens to be a work one. Malicious
apps with root access can cause far more damage than normal ones – and
the unofficial app markets where apps for rooted devices are traded are
filled with malware, sometimes disguised as popular apps.
“Free” versions of the predictive text app Swiftkey appeared on pirate
sites – infecting users foolish enough to download them with a keylogger
which recorded every keystroke typed in Swiftkey, with the goal of
stealing data.
Read the “permissions” screen EVERY time you install an app
Most computer users are pretty impatient while shopping –
and used to skipping straight past huge legal documents without reading a
word – but while Android’s App Permissions page looks boring, it’s THE
single most important defense built into the system.
“Bad” apps will
request access to and control over huge amounts of your Android’s
functions – such as reading all network communications, or sending SMS
messages – if an app has a huge list of Permissions, it’s an “alarm
bells” moment. Why WOULD a screensaver need to send SMS? Our detailed
guide to safe
Android app shopping can be found here.
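The permissions check described above, as an added example that is not part of the original article or any ESET code: a small Python audit of a constructed AndroidManifest.xml for a hypothetical screensaver app, comparing the permissions it requests against what an app of its kind should plausibly need (the package name, the category baselines and the risk notes are all our own assumptions; the permission names themselves are real Android ones).

```python
"""Audit an app's requested permissions before installing it (added
example; manifest, baselines and risk notes are constructed)."""
import xml.etree.ElementTree as ET

# The android: prefix in a manifest resolves to this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; the one-line risk notes are ours.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can text premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can intercept SMS banking codes",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.READ_CONTACTS": "can harvest your address book",
    "android.permission.CALL_PHONE": "can place calls unprompted",
    "android.permission.RECORD_AUDIO": "can record via the microphone",
}

# What each kind of app plausibly needs (assumed baselines, not Google's).
BASELINE = {
    "screensaver": {"android.permission.INTERNET"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
}

# Constructed manifest for a hypothetical screensaver that asks for too much.
SAMPLE_MANIFEST = """<manifest
  xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.fancyscreensaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the names listed in <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]

def audit(manifest_xml, category):
    """Map each permission the app's category does not justify to a risk
    note ('no obvious need' when it is unexpected but not high-risk)."""
    allowed = BASELINE[category]
    return {p: HIGH_RISK.get(p, "no obvious need")
            for p in requested_permissions(manifest_xml) if p not in allowed}

if __name__ == "__main__":
    for perm, why in audit(SAMPLE_MANIFEST, "screensaver").items():
        print(f"alarm bells: {perm} - {why}")
```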
Don’t EVER install a banking app from a link
Governments around the world have warned of the risk to
consumers from ‘fake’ banking apps – either delivered on their own, or
as part of an attack against a PC, where the malware attempts to fool
users into downloading the fake app by delivering messages through bogus
bank sites.
An increasing number of PC Trojans target Android devices
with fake banking apps – with several families of
banking malware such as Qadars, reported by We Live Security here, attempting
to fool users into installing malicious apps via their PC’s browser –
aiming to bypass two-factor authentication systems used by banking
sites.
Banking Trojan Hesperbot, discovered by ESET and reported here, uses a
malicious webpage to instruct users to enter their cellphone number and
make, and attempts to install a malicious app that bypasses security
systems. Your bank will NEVER distribute apps in this way – instead,
download your bank’s app from Google’s Play, and ensure yours is up to
date. “ESET products like
ESET Smart Security and
ESET Mobile Security protect against this malware,” says Robert Lipovsky, ESET malware researcher who leads the team analyzing this threat.
Paying for something with your phone? Be VERY careful
Up-to-date Androids such as Samsung’s Galaxy S4 and HTC’s
One ship with an NFC (Near Field Communication) chip – a new technology
designed to transmit data over short distances, and used in some
countries, such as Chile, as a tap-to-pay system in stores. But
point-of-sale terminals have become an increasing target for
cybercriminals – as witnessed by these
We Live Security reports – and ESET researchers warn that NFC payment systems could become a target for cybercriminals this year.
In this year’s
Annual Threat Trends Predictions 2014 report,
ESET researchers wrote, “Any technology used for bank transfers is a
potential target of computer attacks. As this means of payment becomes
more popularly used, malicious code may appear to steal information
relating to these transactions.” Be cautious about any means of storing
money on your phone – such as Bitcoin wallets – or paying direct via
NFC.