Android security flaw uncovered

It is easy to assume that a properly functioning mobile phone or tablet device is secure, and most of the time it should be. But we can also assume that hackers are always testing for security flaws in these products. One of the latest discoveries has to do with the Android operating system.

Mobile security company Bluebox has announced that they have discovered a problem in the Android OS. The threat centers around a trojan application that can gain access to application data including email addresses and SMS messages, and can get service and account passwords. In other words, it can take over your whole phone.

The way this so-called trojan infects mobile devices is through an app. Hackers have figured out how to tinker with the application’s code, and implement the malware without changing the cryptographic features that are used by Google Play and other online stores to validate and identify apps.

What this means is that the changed app looks legitimate to Google, developers, our phones, and us, but it really has malicious code embedded in it, code that could give a hacker access to your phone. The good news is that, once identified, these holes can be easily fixed with an update. The bad news is that it is up to device manufacturers to actually release the fix, because most Android device manufacturers basically own their own version of Android and need to push the update to owners, something Google can’t do itself. It is also up to the device owner to actually download and install the update when the fix is released.

If this sounds a little worrying, it should be, especially since this affects every Android device except for the recently released Samsung S4 Touchwiz. However, there are steps you can take to minimize the chances of your device being affected.

  1. Don’t allow your device to install apps from unknown sources – Think of Android apps as coming from two sources: Google Play and outside of Google Play. Any app that is not acquired from Google Play – for instance from the Amazon app store or from various sites not owned by Google – can technically be installed onto your device, as long as you have enabled your device to allow apps from unknown sources. If you haven’t enabled this on your device, you should be safe. If you have, you should disable the option immediately. You can do this by going to your device’s Settings, followed by “Security,” and ensuring “Unknown Sources” is NOT ticked.
  2. Only download apps from the Google Play store – Unlike other mobile platforms, you can download and install apps from almost any vendor website on Android phones. While this may seem like a good idea, many of these external marketplaces don’t validate apps, so this is where you will find most of the apps with malware. Google Play does validate apps and will remove malicious ones if found, so play it safe and only download apps from the store.
  3. Always verify the publisher – Malware does still make it onto Google Play, so you should also look at the publisher of the app. When looking at an individual app, scroll down to the Developer section. There you will usually see a webpage, email address and security/privacy policy. Pay close attention to the name and email address, and do a Google search for the developer. If you notice that they use a different email address on the site, or detect a spelling mistake, you should probably avoid the app.
  4. Look at the app download statistics – Finally, if you are still unsure, you should look for the app in your browser. Just navigate to the Google Play website and search for the app. When you find it, click on it and look at the right side of the window. You should see ABOUT THIS APP with lots of information below. Pay close attention to the Installs graph. If it is an app from a big-name developer, e.g., Google, there should be a high number of installs. If it claims to be a Google app and the number of installs is low (under 1,000), it would be a good idea to avoid it.
  5. Keep your device updated – If you get a notification to update your device, you should do so as soon as possible. This will ensure that you have the latest bug fixes and could also introduce new, useful features.

If you are careful about what apps you install and take steps to ensure that you only install apps from the Play store, your device should be relatively safe. Google has announced that they have patched their cryptographic features on Google Play, so any new apps going onto Play should be safe from this particular exploit. There is a good chance that they will also correct this issue in a future update to the Android OS (likely 4.3), but older devices may be left out of the loop. So, as we have already mentioned, make sure to protect your phone and data by avoiding apps from outside of Google Play, and take note of the tips we discussed above.

Should you require more information about Android in the workplace, please contact us today.

Published with permission from TechAdvisory.org. Source.
