Earlier this week, a report citing an Indian Air Force (IAF) circular that called Xiaomi smartphones a security threat and banned their use by staffers and their immediate family created quite a flutter. The circular cited an old F-Secure finding that Xiaomi smartphones send data to servers based in China – an accusation Xiaomi had categorically denied, following up with a software patch that asked for the user’s permission to send data to Xiaomi’s servers for some of its add-on services to work. However, the point the IAF is currently missing is that the security threat of snooping or loss of data isn’t limited to a particular brand of smartphones but affects every smartphone that is connected to the Internet.
According to a recent F-Secure report, India is the fourth most affected country in the world when it comes to mobile malware. Just in the second quarter of 2014, the company found 295 new threats – 294 of which were on Android and just one for iOS. The top threats in the quarter were Trojans that either send SMS messages to premium numbers or harvest data from a device and forward it on to a remote server. Slocker malware reported in June, which pretends to be a legitimate app, was the first ransomware to appear on the mobile platform, the report added.
Another report, from June this year, claimed that fake smartphones from China came pre-loaded with malware. The report showed that a smartphone called Star N9500, which looks deceptively like Samsung’s Galaxy S4, was being shipped bundled with dangerous malware called Uupay.D. The Trojan essentially collects the user’s personal information and sometimes also turns on the phone’s mic to listen to conversations taking place near the smartphone.
But buying a smartphone, especially an Android smartphone, from a reputed brand isn’t enough either. In its Q2 threat analysis report, McAfee warned that weakness in app security was becoming a growing problem with many cyber criminals taking advantage of popular apps by creating clones loaded with malware.
McAfee Labs sampled 300 Flappy Bird clones and found that almost 80 percent contained malware. “Some of the behavior we found includes making calls without the user’s permission; sending, recording, and receiving SMS messages; extracting contact data; and tracking geolocation. In the worst cases, the malware gained root access, which allows uninhibited control of anything on the mobile device including confidential business information,” the report said.
The McAfee report said some legitimate apps have security flaws which can be exploited by hackers. The researchers said they discovered an Android Trojan which exploits an encryption method weakness in the popular messaging app WhatsApp and then steals conversations and pictures stored on the device. “Although this vulnerability has now been fixed, we can easily imagine cyber criminals continuing to look for other flaws in this well-known app,” the report said.
Quick Heal, another security solutions company, claimed that it had found as many as 400,000 Android malware in the first quarter of this year alone. “The massive rise in Android phone, tablet users and the unregulated nature of Android application markets, has led to an exponential growth in the numbers of malware,” the report said. It also cautioned that free apps, which many users install from other third-party sources, could be loaded with malware and usually go unnoticed.
Rather than issuing an advisory on just one smartphone brand, the IAF should instead come up with a detailed smartphone usage policy for its staff, especially for devices that could host sensitive data or whose users have access to sensitive information.
That means having a central IT policy that can also control the smartphones used by the staff and what they can install on them. Smartphone encryption solutions are already available for most smartphone platforms; they also let the user inform the IT administrator if the smartphone is lost, so that it can be tracked and even remotely wiped.
Finally, basic training in smartphone usage, especially about things to keep in mind while downloading an app or clicking on any weblink or even obtaining files from unknown sources, would go a long way.