Your phone knows an awful lot about you. Your location, your bank account, the names of all your contacts, the passwords to all your accounts… You name it. And different apps on it have access, and permissions, to transmit this data to God knows who. You may trust the manufacturer of your phone has put only software on it that respects your privacy. But what about third-party apps that have the same permissions? And what if you have no idea how these apps got on your phone?
Not all third-party apps are bad. Some are pretty legit. Hell, Uber is a third-party app and lets you book a cheap ride, which is cool (although, you may not be as thrilled if you used to make a living driving a cab). But not all apps are created equal – and many are created with the main purpose to be carriers of spy- or malware.
How malicious apps could end up on your smartphone?
Dangerous apps are installed on people’s smartphones the same way all apps are. Users usually do it themselves. It could be that the person is lured to a third-party store – an app store that isn’t Google Play or the Apple Store – by a lucrative price offer. And that store sells malicious versions of popular apps. Or they could be a victim of a phishing scam where an unlicensed store is disguised as a proper one. The end result is that the user’s phone is infected with malware, and new apps they never asked for start running in the background.
But apps could also get installed silently, without the user being aware of the same process. For example, in some countries mobile operators who also provide the SIM card for their services can push apps on phones without warning. The user just connects to their network and voila – they have the provider’s custom app for managing a user account. Their app is probably okay but the fact that software could be forced on a device in this way has serious implications.
For example, if you are subject to an attack with an IMSI-catcher. This is a type of device that imposters a cell tower and tricks your phone to connecting to it. It gives the attacker pretty much the same access and control over your device as your network provider. It is known that certain types of IMSI-catchers can install rootkits, bootloaders and other types of compromising software, including malicious versions of apps you normally use.
What can you do to protect your data from malicious apps?
Remember, it is the users themselves that usually compromise their own security. Just by being mindful and careful with how you use your smartphone and what you install on it, you could counter most ways via which malicious apps end up on your device. Here are some of the main ones.
- Don't install apps you don't really need. Restraint is the privacy-weary individual’s best friend. You may think that using your smartphone as a remote-control for your TV is cool. But then again, if you’re in the same room as your TV, so is its actual remote-control. Only that the latter doesn’t track your location, have access to your contacts and so on. You get the idea.
- Be careful from where you download apps. Most phishing scams aren’t particularly sophisticated – they mostly rely on people’s lack of attention. Just look what the page you’re on is and if it is really the URL of the trusted store it pretends to be. If it’s not, you better get out.
- Be careful what permissions applications require. When you install a new app on your phone, it notifies you what permissions it requires. Read them thoroughly. Installing an app that does nothing more than allow you to use a dust plug as a button for your camera and asks for access to pretty much everything on your phone is probably not a good idea.
- Manage app permissions. On older versions of Android, you can either agree with the list of permissions and app asks for, or opt out of installing it all together. On Android 6 and up you can later choose what permissions an installed app has through the app manager in your phone’s settings.
- Check what apps are installed on your phone. Speaking of the app manager, it is not a bad idea to go there every once in a while and see what apps you have. If you see something suspicious – an app you don’t remember installing yourself – this could be a red flag that your phone’s security is compromised.
- Get an IMSI-catcher detector app. Such apps maintain an updated list of legit cell towers. So, when a fake one pops up in your area, the IMSI-catcher detector notifies you that you may be subject to a man in the middle (MiTM) attack. The proper course of action then would be to turn off your phone and restart it only when you’re out of the fake tower’s range.
Paying attention will get you only this far, though. In order to be really protected from malicious apps, you need a secure mobile communications solution. For example, we at Secure Group have designed our proprietary mobile security device, Secure Phone, so that third-party app’s access to it is completely cut off. Read the blow whitepaper to find out more.