SAN JOSE, Calif. — Lurking amid the flood of games, tax guides and other mobile applications being downloaded onto mobile devices using Google’s popular Android software is a fast growing array of apps that can slap the gadget’s owner with unanticipated fees, rifle their bank accounts and cause untold other grief.
Known instances of Android-related malware — “virtually all” involving apps — have jumped steadily month by month from 400 in June to 15,507 in February, according to Sunnyvale, Calif., security firm Juniper Networks. So far, hundreds of thousands of phones and other devices have been infected. And although Google says it is working to block the malevolent downloads, experts fear what may be coming.
“I see the problem getting significantly worse before it gets better,” said Dan Hoffman, who heads Juniper’s mobile research center. “We’re very much in the infancy of this right now.”
Proliferating at a remarkable rate and offering everything from puzzles, music and videos to cooking tips, weather information to fantasy baseball, apps have fueled the global adoption of smartphones and other mobile devices in recent years. But security specialists say these programs also have spawned a dark cottage industry that is poisoning the Android market and posing an increasing threat to the public.
Apps for Apple devices can also be targeted, but security experts say that in general, they are more secure.
In August, San Francisco-based Lookout Mobile Security reported that “an estimated half-million to one million people were affected by Android malware in the first half of 2011,” all from apps.
Some experts say the biggest problem is in other countries, where apps frequently are downloaded from unofficial Android websites. Some of those sites have been cleverly designed to look just like Google’s official site, formerly called Android Market and recently renamed Google Play.
But U.S. consumers also have been victimized, and Lookout has recently determined the likelihood of downloading an infected app in this country has doubled since the report came out.
Another security company — Trend Micro of Japan, which has U.S. headquarters in Cupertino, Calif. — identified “more than 1,000 malicious Android apps” last year, 90 percent of them on Google’s site, which boasts more than 400,000 apps. Noting that the number of bad apps grew last year at 60 percent a month, Trend Micro has estimated the total this year “will grow to more than 120,000,” though it’s unclear how many of those might wind up on the Google site.
“There’s definitely a worry out there,” said Jon Clay, a Trend Micro security technology expert. “The bad guys have found a new environment to gain revenue, so they are going to start exploiting it more and more.”
In a blog last month, Google disclosed that “for a while now” it has been using a feature called Bouncer to screen out malicious apps. As a result, the blog said, “we saw a 40 percent decrease in the number of potentially malicious downloads” from Google’s site.
However, the company declined to answer a number of questions the San Jose Mercury News submitted to it about the bad apps it has detected. While some experts praised Google for trying to address the problem, Bouncer’s protections “will only be partial,” according to a recent blog by security firm Kaspersky Lab, noting that apps can be made to “appear to be non-threatening.”
North Carolina State University professor Xuxian Jiang said he has discovered a nasty app that can evade Google’s screening because it looks benign when first installed on a device. Then, after passing an initial security check, it downloads malware from a remote server.
Experts say pernicious apps can cause big problems for the owners of smartphones or other devices, from tracking their location to making their gadgets repeatedly call numbers that charge fees to stealing their online banking login information.
Consumers often are advised to protect their mobile devices with security software. But that’s not foolproof, either, according to a report in February by German research institute AV-Test. It tested 41 anti-malware products for Android devices and found most failed to detect some malicious apps, though well-known brands generally performed the best.
Cybercrooks aren’t just targeting Android machines.
Intel’s McAfee division reported this year that Apple’s operating system is more secure than others, but that vulnerabilities in its apps “are sometimes discovered.”
Security specialists say Apple doesn’t disclose how often it encounters malicious apps and the company declined to comment. But experts agree that Google’s Android operating system, the most widely used for mobile devices, is particularly under siege from cybercrooks.
Last year, malicious apps discovered on Google’s official site reportedly victimized 260,000 smartphone users. And in February, after finding other corrupted Android apps on an unofficial website, security company Symantec reported that “infected handsets appear to number in the hundreds of thousands.”
Given the growing use of mobile gadgets — Android or otherwise — it will be hard to keep the market free of nefarious apps, said Jimmy Shah, a mobile security researcher for McAfee.
“New threats are coming out every day,” he said, noting that some apps are capable of stealing virtually everything on a person’s phone. “That’s a hard thing to pass up for criminals.” As a result, he warned, “they will keep attacking.”
-Only use official app sites, such as those offered by Google and Apple.
-Be careful about downloading new apps, even from official sites.
-Check the consumer comments that are often listed alongside apps.
-Read the app’s “permissions” to make sure they won’t let it ring up charges or do other things you wouldn’t want.
-Consider protecting your mobile device with security software from well-known providers.
-Don’t “root” or “jailbreak” your devices to access apps on third-party sites. Such apps may contain malware and it may prevent your device from receiving important security updates.
SOURCE: San Jose Mercury News reporting