FBI warns smartphone users of Android malware

Oct 15, 2012

Though Apple takes quite a bit of criticism, from both users and developers, over its rigorous App Store approval process, there is one significant benefit to the approach: security. iOS sees just a fraction of the viruses and malware that other, more open platforms do.

Case in point: the Internet Crime Complaint Center (IC3), which does work for the Bureau of Justice Assistance and the FBI, issued a warning late last week to smartphone users regarding malware for mobile phones. And unsurprisingly, there was a focus on Android…

Fortune’s Apple 2.0 section points to the IC3 report, which highlights two pieces of malware: Loozfon and FinFisher. Here are descriptions of each bug:

  • Loozfon is an information-stealing piece of malware. Criminals use different variants to lure the victims. One version is a work-at-home opportunity that promises a profitable payday just for sending out email. A link within these advertisements leads to a website that is designed to push Loozfon on the user’s device. The malicious application steals contact details from the user’s address book and the infected device’s phone number.
  • FinFisher is a spyware capable of taking over the components of a mobile device. When installed the mobile device can be remotely controlled and monitored no matter where the Target is located. FinFisher can be easily transmitted to a Smartphone when the user visits a specific web link or opens a text message masquerading as a system update.

Though the report seems to be geared more towards Android users, it’s worth noting that we have reported on an iOS version of FinFisher in the past. So we figured we’d share IC3’s preventative tips:

  • When purchasing a Smartphone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
  • Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user’s personal data in the case of loss or theft.
  • With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.
  • Review and understand the permissions you are giving when you download applications.
  • Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.
  • Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware.
  • Be aware of applications that enable Geo-location. The application will track the user’s location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.
  • Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in “unrestricted” or “system” level within an operating system, it allows any compromise to take full control of the device.
  • Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
  • If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
  • Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.
  • Avoid clicking on or otherwise downloading software or links from unknown sources.
  • Use the same precautions on your mobile phone as you would on your computer when using the Internet.

You’ll notice that the sixth bullet point from the bottom says jailbreaking is a security risk. And while technically correct — jailbreaking does remove a lot of Apple’s security restrictions — we’ve been doing it for almost five years now without any major incidents.

Anyway, the moral of the story here is that all mobile phones pose some sort of security risk. It is believed that iPhones are less susceptible to security breaches than other mobile platforms, but you should still be aware of these security concerns and tips as a safety measure.

  • http://twitter.com/MCaudebec Maxim∑

    FBI is a bit late on this…

  • jose castro

    and that why i don’t own a android.. even tho i know apples not perfect at least its somewhat secure to say the least..

  • http://twitter.com/franklylife Frank Anthony

    Seriously i haven’t operated/own android before but just the name sound very boring! Not a hater but don’t like that name “android”. By the way, I didn’t read this article but i guess its talking bout android virus alert from FBI. So people, BEWARE of ANDROID VIRUS. No quarantine or vaccine ooo! Am outa here.

    • http://twitter.com/T1rell T1rell

      Was there any point to your comment?

      • SoCoMagNuM

        To show his incompetence to read lol

    • http://twitter.com/therealjdizzle Jason Masters

      you my friend has your Brain permanently in power saving mode.

    • SoCoMagNuM

      Discussing about an article you didn’t read…sigh

    • Dan

      I think I just lost a few brain cells after having read your comment.

    • http://www.facebook.com/antman217 Anthony Antunez

      Mr. Anthony, what you’ve just posted is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this comment section is now dumber for having read what you typed. I award you no points, and may God have mercy on your soul.
      *Billy Madison LOL*

    • philadelphia

      OP here raises a good point.. And that point is that ESC (extremely stupid comments) is a growing concern on the Internet.. And that together, we can beat it!

    • Carlos Franklin

      Stupid comments like these are even worse than the malware itself and even more serious is the fact that there is no vaccine for it.

  • Dan

    Android phone is like having a computer, you just need to be careful with what you click or download. I rooted mine and installed a firewall, I doubt I’ll get any bugs, I never do with my pc.

    • Carlos Franklin

      A very wise advice indeed!!!

  • SoCoMagNuM

    I read into the malware that was available for TouchWiz devices (ex My Galaxy 3) and it pretty much causes the phone to factory reset in 3 seconds. Doesn’t steal data but still could be a pain in the ass if all information was lost without backup. It’s been patched supposedly with latest update but one can still fall victim under right circumstances (leaving NFC on when not in use, connecting to unsecured networks, ad scams, website url, etc). I haven’t had any issues with my Galaxy 3 thus far so hopefully it stays that way. I’ve contemplated rooting it for enabling hotspot feature without paying carrier the extra $20 for data I paid for already but decided to just play it safe. Phone works phenomenal the way a smartphone should work without rooting/jailbreaking (customization and tweaking) so I’m pretty much content at this point.

    • Dan

      Rooting is pretty easy, even for android noobs (like me) and shouldn’t cause you problems. I’ve got a GS3 as well. The added plus, security wise, is that it allows you to activate the Avast firewall feature. You can also remove bloatware etc. It gets kind of dicey once you install custom firmware.

      • SoCoMagNuM

        Yeah i know rooting is an easy process. Just not sure if i want to go that route yet. Once jelly bean hits my device ill see into it. I know theres CM10 out that allows installation of jelly bean now for gs3 but i rather wait for official release.

  • Yujin

    Hahahaha…that’s all…

  • pawfyd

    That’s strange. FBI is warning people about spyware, while 90% of it is made by them to monitor people. Or maybe they want to make Android look like an unsafe OS, because they were able to produce a nice hard to detect malware for iOS, so they are turning attention to another OS. Who knows?

  • http://twitter.com/Lehjr1 Leon

    “Use the same precautions on your mobile phone as you would on your computer when using the Internet.” Actually, your mobile device often has far more important personal information on it than your computer does, especially contact information, things you wouldn’t have a use for on your computer.