update: 2020-09: problems getting bigger without regular updates
because a SmartPhone (no matter whether Android/Samsung or iOS/Apple based) is essentially a complete “notebook computer” with a very, very small form factor, connected to the internet directly or via NAT (NAT is better for avoiding direct attacks, but no guarantee; IPv6 wants to get rid of this security feature, “great”) through some sort of modem (GSM, UMTS, HSDPA, LTE internet modems or WiFi NIC)
if a computer system connected to the internet DOES NOT receive regular software (security) updates and maintenance from software developers (most Android SmartPhone vendors and even Apple are dropping support for updates very, very fast), then
- any mail received
- any WhatsApp or SMS message received
- any click on any webpage
could be THE LAST for this SmartPhone’s and the user’s DATA (ransomware encryption or, worst case, damage to the phone’s firmware rendering it unbootable etc.)
devices with outdated firmware/software or without maintenance that are directly connected to the internet WILL at some point in time be a security threat / be compromised
this is why regular update intervals are important
of course: updates themselves are also a threat to a system’s stability / reliability and could introduce new bugs to the system
therefore: just as with notebook computers, the workflow needs to be as follows:
- complete backup of the user’s data and the system itself
- testing according to a defined list of test-cases (what has gone wrong in the past with updates?)
either a law needs to be made that obliges SmartPhone vendors to support the device for at least 10 years, or better:
SmartPhone vendors need to be obliged to open their hardware to “mainstream” GNU Debian 10 or other Linuxes that receive regular maintenance updates, aka become “full” notebooks 🙂
you get an app recommended by a friend and want to try it out – you download it – you install it – and a few weeks/months later – the app starts to encrypt all your data on your mobile device and threatens to clear the phonebook and post evil things about you on facebook if you don’t send hacker x from country y bitcoins worth 1000$ – too paranoid for you?
yes you have to be creative to make millions and millions of $ but there are people out there doing exactly this.
and they get away with it. you will have to pay. no police or NSA is going to help you.
“The conclusion reached by AV-Test [PDF] is that anti-malware apps (free and non-free) are simply not worth your time.
…free antivirus apps from the Market miss nine out of ten potential threats; the paid apps were able to scan and detect about half of all preinstalled threats (first the virus was installed – then the antivirus software)
if a paid antivirus software is installed prior to any other apps the prevention rate is better.
AntiVirus Free, GuardX, and the rest are giving people a false sense of security, which can make them take more risks.”
by far the best way to avoid malware infestation is to use a little common sense, and understand how Android apps work.
When an app is installed, the system will always display the permissions requested.
The user can use this at a glance to evaluate an app’s intentions.
If a relatively simple app, like a wrapper for a website, asks for permission to send and receive SMS messages, that is a serious red flag.
In fact, a large number of these so-called “SMS Trojans” are in circulation around the seedier parts of the web.
When installed, they text premium rate numbers to rack up charges.
The same concern exists for apps that include phone calling permissions;
they could call premium rate numbers without the user’s knowledge.
Another important permission to be on the lookout for is access to the contact list, and Google accounts. If an app has no business looking at this data, there is a chance that it’s just malware designed to harvest user data for spamming or phishing scams. The only time one might expect to see this permission is in apps that autocomplete contact names, or handle legitimate messaging actions.
Of less concern financially, but still a sign of shady behavior, is the location permission. This can come in either Fine (GPS) or Coarse (Network) varieties. An app that doesn’t need this data for its essential function could be using it for something as innocuous as location-aware ads, but there is a darker possibility as well. A questionable app could harvest a user’s exact location, store it over time, and sell that to advertisers.
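The permission check described above can be scripted before installing an APK. This is an added example, not part of the original article: it reads the `uses-permission:` lines that `aapt dump permissions` prints and flags the SMS, calling, contacts/accounts and location permissions when the app's stated purpose does not explain them. The category names, the `EXPECTED` mapping and the sample dump are constructed assumptions.

```python
import re

# Permissions the text singles out, with the risk it describes for each.
RISKY = {
    "android.permission.SEND_SMS": "can text premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can read incoming SMS",
    "android.permission.CALL_PHONE": "can call premium-rate numbers",
    "android.permission.READ_CONTACTS": "can harvest the contact list",
    "android.permission.GET_ACCOUNTS": "can list accounts on the device",
    "android.permission.ACCESS_FINE_LOCATION": "exact (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "network-based location",
}

# Assumed (hypothetical) mapping: what an app of each kind plausibly needs.
EXPECTED = {
    "web_wrapper": {"android.permission.INTERNET"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS",
                  "android.permission.READ_CONTACTS"},
}

# Matches both "uses-permission: name='X'" and the older "uses-permission: X".
PERM_RE = re.compile(r"uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump):
    """Return the sorted, de-duplicated permissions requested in a dump."""
    return sorted(set(PERM_RE.findall(dump)))

def review(dump, category):
    """List (permission, risk) pairs the app category does not explain.
    An unknown category has no expected permissions, so every risky one is flagged."""
    expected = EXPECTED.get(category, set())
    return [(p, RISKY[p]) for p in parse_permissions(dump)
            if p in RISKY and p not in expected]

# Constructed sample: a "website wrapper" app asking for far too much.
SAMPLE_DUMP = """\
package: com.example.newsreader
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: android.permission.READ_CONTACTS
"""

if __name__ == "__main__":
    for perm, risk in review(SAMPLE_DUMP, "web_wrapper"):
        print(f"RED FLAG {perm}: {risk}")
```

An empty result only means none of the listed permissions is unexplained; it says nothing about what the app does with the permissions it legitimately holds.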
The best way to stay safe on Android is to just stick to established apps from the official Android Market or the Amazon Appstore. While bad apps do occasionally show up in the Market, Google removes them swiftly and can remotely kill the apps on phones.
Most of the truly dangerous threats have been detected on forums and third-party websites masquerading as well-known apps. Basically, don’t install a version of “Cut the Rope” obtained from a Chinese pirated software forum. By leaving the Unknown Sources option disabled in the Android settings, apps cannot even be sideloaded from other sources, which blocks this vector completely.
It just takes a little forethought to avoid the most serious Android malware threats out there. Sticking to the official application repositories is a good policy, as is checking out the permissions for an app. Users might even prefer to leave the Unknown Sources option disabled. There is now good evidence that free Android antivirus apps just don’t work, and could even cause users to believe they are protected, and thus take more risks. Paid antivirus apps work better, detecting more threats, but still fall short of the mark. In the end, it is still very much up to the user to be on the lookout for suspicious behavior in order to stay safe.