Tallinn University of Technology

Author: Alejandro Guerra Manzanares, TalTech Centre for Digital Forensics and Cyber Security early-stage researcher

According to the statistics, 7 in every 10 mobile devices run the Android operating system. If yours is one of those, this article is a must-read for you. But even if it is not, you should read it anyway, as iOS (running on almost 3 of every 10 devices) is not impregnable either, and the main security concepts and advice for Android also apply to iOS smartphone users. So let’s begin!

Android inception 

Android is a popular open-source mobile operating system (OS) developed by the Open Handset Alliance (OHA) consortium. The OHA is a group of 84 technology companies that developed Android as a complete, open and free mobile platform aiming to “accelerate innovation in mobile and offer consumers a richer, less expensive, and better mobile experience”. Top companies such as Google, Samsung and Huawei (but not Apple) are relevant members of the OHA, which has enabled Android to run on almost every smartphone and tablet produced on Earth. A notable exception is Apple devices, powered by a highly tailored, closed and proprietary OS developed by Apple: the iPhone Operating System, also known as iOS. Since its inception in 2007, 11 versions of Android have been released, using a confectionery-themed naming scheme until the 10th version (e.g., Android 5 was named Lollipop and Android 9, Pie). It is in constant evolution: every release includes new and improved features, mainly related to design, usability and, especially, security. Android has thus become the reference and most popular mobile OS.

Android as the main target 

Nowadays, mobile phones, and especially the so-called smartphones, are used for almost anything you can imagine, ranging from simple communication to daily activities such as banking and job-related tasks, as well as leisure and entertainment. As a result of this interactivity, a vast amount of data is generated and stored locally (on the phone or computer) or remotely (in the cloud). Most of it can be considered sensitive and highly personal: credentials, passwords, pictures, documents and so on. So, despite their great benefits in our daily life, the ubiquity of mobile phones and the large amount of sensitive user data they generate make their users interesting targets for cyber-criminals, those bad guys whose main aim is to profit by deceiving naïve (or maybe not so naïve) users and/or by stealing or hijacking data and resources from the end users, the smartphone users, like you and me.

Why is that? Cyber attackers are bad guys but not idiots. From a cost-benefit point of view, attacking Android, the OS that runs on over 70% of devices, is the smartest option for performing massive cyber-attacks and making a profit in the mobile era. To do so, they develop applications and techniques tailored to exploit the weaknesses and vulnerabilities of the OS: the so-called Android malware. Malicious software, malware for short, consists of programs specially designed and “inserted into a system usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim”. Malware threats thus come in many and varied shapes, from malware based on messaging services (e.g., SMS) to mobile botnets, spyware and destructive Trojans. One of the most usual (and effective) forms of attack is to hide the malware code inside a “legitimate looking” application that the user downloads and installs, believing it to be reliable and trustworthy. This type of malware is called a Trojan horse because, once the user is deceived and the app is installed, the malware starts its activity under the “legitimate” cover.

According to Kaspersky, the mobile threat has been showing an uptrend since the second quarter of 2019. After peaking in 2016-2017, mobile malware prevalence has diminished a little, but it remains a permanent threat to any user, evolving in more sophisticated ways and most likely running undetected on many devices.

So is Android secure? 

Android is a secure operating system, but no operating system is 100% secure. All software, operating systems included, has flaws or weak spots, also called vulnerabilities, that attackers can leverage, or exploit, to compromise or “hack” the system, gaining temporary unauthorized access to “privileged” data or establishing hidden control of the system, depending on the malware’s capabilities. Nevertheless, Android users can feel pretty secure, as the attacks usually need some sort of collaboration from the weakest link in the security chain: us, the human element. Software can be patched (to solve known issues or spotted weaknesses), updated and made stronger and more resilient, but humans are not so easy to “update”, at least in cyber security related issues.

As Android is built on top of the Linux kernel, it provides the user with important security features at the software level, such as application sandboxing and encryption. Additionally, some vendors add extra security features at the hardware level in order to strengthen their devices against cyber-attacks (e.g., Samsung Knox), thus making Android devices secure at both the hardware and the software level. Antivirus solutions for mobile platforms, traditionally quite inefficient in the mobile world, are also evolving and becoming better thanks to artificial intelligence, showing promising results in threat detection for mobile devices. So, as can be seen, the machine is not the weakest element. In order to bypass this tough hardware and software security, attackers leverage the weakest element of the cyber security chain: the human behind the machine. Malware authors need a key element to carry out their actions and bypass the security features, so they target us, naïve and unaware users. Machines are not perfect and can have flaws, but the user is the key agent in their successful exploitation. Most attacks today are carried out using some kind of social engineering (i.e., tricking the human into doing something that will trigger a malicious action), which greatly facilitates the exploitation of the system. But not all is lost: with the joined forces of promising AI and us, as the rational agent behind the machine, we can (ideally) aim for a malware-free future. Want to know more?

Keeping your Android device safe 

Android’s open and free nature makes it suitable for any technological device, and it can be secure, as secure as the user who manages it. The following few guidelines will not make your device impenetrable, but almost.

1. Patch and update your Android version constantly, especially with the security updates provided by Google or the manufacturer.

2. Download applications from trusted sources. No marketplace is 100% secure (malware is also constantly found in the Play Store), but third-party markets are the realm of malware. There you will find paid software for free, with unexpected extras included, and you will pay for it in another currency: your data.

3. Monitor applications’ permissions. When you install an application, it needs your consent to perform certain actions that Google considers potentially dangerous, so each application is forced to ask for permission. Read these requests, and if it makes no sense for your new calculator to ask for access to your memory card, do not grant that permission: the app will probably do something more than solve mathematical equations. Common sense is the best advice on this issue.

4. Use a malware scanner (and enable Google Play Protect as a first defense). It is advisable to check whether an app is malware every time you are going to install something on your device. Use malware scanners; there are some free online ones that can help you with that (e.g., VirusTotal). One of the latest security tools included in Android is Google Play Protect, which scans your applications for malware. Enable it: it is certainly not enough, but it is a good first line of defense.

AI-powered cyber defense solutions are the future, but we researchers are still working on making them much better. Just give us a little time.

5. Cybersecurity awareness. Be aware that cyber threats are actual threats, invisible but real. Your data can be accessed, collected, hijacked or stolen without you noticing. Malicious software does not wear a balaclava or carry knives, but it can harm you at all levels. It will cause you problems or damage, so be aware that cyber security is not something alien to you; it is something that you have to enforce and be really aware of. It is a silent threat. Do not trust by default, and double-check what you install or download. That is not being paranoid, it is avoiding losses, sometimes really important losses.
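Guideline 3 can also be applied before an app ever reaches the phone. The following is an added example, not part of the original article: it reads a permission listing in the style printed by `aapt dump permissions` and reports the dangerous permissions that the app's declared category does not justify. The category baseline (`EXPECTED`), the function names and the sample listing are assumptions made for illustration.

```python
import re

# Subset of the permissions Android assigns the "dangerous" protection
# level, i.e. the ones that need the user's explicit consent.
DANGEROUS = {
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "READ_CONTACTS",
    "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "CAMERA", "RECORD_AUDIO",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_CALL_LOG",
    "READ_PHONE_STATE", "CALL_PHONE",
}

# Assumed baseline (hypothetical, adjust to your own policy): dangerous
# permissions that are plausible for each kind of app.
EXPECTED = {
    "calculator": set(),
    "camera": {"CAMERA", "RECORD_AUDIO", "WRITE_EXTERNAL_STORAGE"},
    "messaging": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS"},
}

# Accepts "uses-permission: name='android.permission.X'" as well as the
# older "uses-permission: android.permission.X" layout.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)", re.M)

def parse_permissions(dump: str) -> set:
    """Return the short names of the android.permission.* entries."""
    names = PERM_RE.findall(dump)
    return {n.rsplit(".", 1)[1] for n in names
            if n.startswith("android.permission.")}

def unexpected_dangerous(dump: str, category: str) -> list:
    """Dangerous permissions requested that the category does not justify.

    An unknown category has an empty baseline, so everything is flagged.
    """
    requested = parse_permissions(dump) & DANGEROUS
    return sorted(requested - EXPECTED.get(category, set()))

# Constructed sample listing, not taken from a real app.
SAMPLE_CALCULATOR = """\
package: com.example.calculator
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: android.permission.VIBRATE
"""

if __name__ == "__main__":
    for perm in unexpected_dangerous(SAMPLE_CALCULATOR, "calculator"):
        print("review before granting:", perm)
```
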

AI to your aid 

We know that you cannot be vigilant 24/7, and that is why artificial intelligence is entering the field of mobile security. Artificial intelligence solutions aim to overcome the limitations of traditional antivirus in the mobile world, mainly related to the detection of unknown and new malware (zero-day malware). We are still working on these solutions and the results are promising: with the joined forces of AI and aware users, we can aim for a much more malware-free future. We can create very smart and effective systems, but we will always need you. Prevention is always better than cure.

The article was published in Edasi.org in December 2020.
