App attacks: How can mobile users stay safe?

New academic research and a string of attacks show how susceptible mobile devices are to hackers, particularly a type of attack known as "ransomware." 

Nati Harnik/AP/File
Noah Meloccaro, right, compares his older iPhone 4s to the new iPhone 5 held by Both Gatwech, outside the Apple Store in Omaha, Neb.

New research shows that common smart phone operating systems are easily susceptible to attack. 

An academic paper by researchers from the University of Michigan and the University of California, Riverside reveals that the Android, Windows Phone, and iOS operating systems can all be accessed to retrieve sensitive personal information on users. But Android phones are the most susceptible: the research shows that six out of seven of the most popular Android apps were susceptible to hackers exploiting weaknesses in smart phone memory. 

This comes at the same time that around 900,000 Android phones have been found to be infected in the past month with what's known as "ransomware." This recent string of attacks has been found to be the work of Eastern European hackers, according to The New York Times, citing Lookout, a San Francisco-based mobile security firm. The particular strain of ransomware described by Lookout is called "ScarePackage." 

As per its name, ransomware functions primarily in two ways: 1) By gaining access to a user's device and then holding that device hostage until the user agrees to pay a certain amount of money and 2) finding embarrassing or incriminating activity on a person's device, such as pornography, and then threatening to distribute that information to a user's address book unless the user pays. 

Ransomware has long been known to infect PCs but has only recently been making its way onto mobile devices. First appearing in late 2011, mainly in Japan, it has only been found on devices in the US in the past few months of 2014, according to Domingo Guerra, president of Appthority, a separate mobile security firm also based in San Francisco. 

Often, users become infected through malware by visiting an insecure website, such as a pornography site, or downloading an app from third-party app stores outside the mainstream Apple App Store and Google Play store. When users do become infected, it's common for attackers to pose as government agencies or cybersecurity firms and tell users that they're being fined for illicit activity and that the only way to avoid a heavy fine is to pay a fee immediately. 

But Mr. Guerra strongly cautions against paying these types of fees as payment does not mean a hacker will keep his or her word and it could embolden this type of behavior. 

"[Payment] only promotes this going forward and there's no guarantee that the hacker will actually unlock your phone," he says. "There's no code of ethics on their part." 

The recent example of Android hacks underlines the fact that because Android phones can easily download apps from outside the official Google Play store, they are more prone to ransomware attacks. Devices running iOS, meanwhile, are typically only infected when hackers access a user's iCloud account and thereby gain access to the Apple devices connected to it, including iPads and iPhones. Only when a user removes limitations on his iOS device – a process known as "jailbreaking" – does an iOS device like an iPhone gain the ability to install apps from a third-party store outside the traditional Apple App Store. Consequently, iOS devices are less prone to such attacks, Guerra says. 

However, a report published by Appthority earlier this month showed that, on average, 93 percent of all top iOS apps demonstrate "risky behavior" as opposed to 89 percent of all top Android apps. These types of risky behaviors included apps sharing users' information with advertisers, allowing for in-app purchases, and tracking users' location.

But when it comes to ransomware, Guerra cautions users to be vigilant when downloading apps, particularly when downloading apps from third-party app stores onto an Android device. In addition, he advises that users take basic precautions regarding their iCloud passwords and create a strong password. After all, access to a user's iCloud password could mean access to every one of a user's Apple devices. 

Both Lookout and Appthority have natural interests in warning users about the dangers of these types of security threats, as both companies make their money in detecting and aiding in the prevention of mobile security threats.
