Your smartphone is surprisingly vulnerable to viruses and malware. But you can protect yourself.

BARCELONA — The smartphone industry has given birth to a vibrant growth sector distinguished by its creativity, drive and entrepreneurship. Unfortunately, that sector is malware.

Conversations with security professionals here at Mobile World Congress, the world’s largest mobile tech show, provided a dismaying, but necessary, reminder that the computers in our pockets are targets for authors of malware and other scams — and that many of us don’t care about those risks.

“The amount of thought that consumers are giving to security is almost nonexistent,” said Gary Davis, chief consumer security evangelist at Intel (INTL).

App anxiety

The major malware risk on smartphones remains downloading a hostile app that tries to compromise your data or run up your phone bill. The best advice to avoid such threats is to stick to the Google (GOOG, GOOGL) Play Store instead of downloading apps from third-party stores or off the Web.


The fact that Google screens its Play Store apps makes the risk of malware there “dramatically less than a third-party app store, by far,” said Davis. Still, the Play Store isn’t immune from crooks.

Last month, for instance, the Slovakian security firm ESET found a trojan app on the Play Store disguised as a world weather app. Google yanked the app after ESET notified the company.

“We encounter these things … I would say every couple of months,” said ESET chief technical officer Juraj Malcho. The risk of downloading malware on iOS is vanishingly small in comparison to Android, thanks in part to the strict limits Apple (AAPL) places on how apps interact with the operating system.

A recent report by Intel’s McAfee subsidiary noted a related issue: Many customers still have copies of apps on their devices that have long since been removed from the Play Store. The report urged more notification and disclosure when apps are taken out of the marketplace.

Read the reviews, please

But many users may ignore those alerts if an app looks legit. The McAfee report noted an example of a photo app that silently signed users up for premium text messaging services — and yet still earned a 3.5 out of 5 rating on the Play Store.


ESET’s Malcho said he wished people would look past apps’ ratings and instead check users’ comments. “Many times, we encounter clear reviews in the text, ‘Don’t install this,’ ‘this is bloody malware,’ and people install it anyway.”

Some of the countries represented at MWC don’t have access to the Play Store, because their governments block Google. That leaves those users subject to whatever defenses their local app store alternatives offer.

Niloofar Amini, business developer at Tehran-based Cafe Bazaar, said his Iranian firm has a dedicated review team to assess and re-assess apps. Of course, the company also has to ensure that titles comply with the Islamic Republic’s morality laws and limits on political speech.

If you’re in China? Good luck. Intel’s Davis described app stores there as “just riddled” with malware.

Good and bad news on phones

The show floor provides one reason for optimism about the state of Android security: fingerprint sensors. When even cheap, unlocked phones like the $229 Moto G5 Plus can be unlocked via a fingerprint sensor, we should begin to see more people securing their phones.

Today, a disturbingly high number — 28 percent of Americans, according to a Pew Research Center study released in January — don’t lock their phones at all. Without that, a stolen phone can easily be wiped and resold … after the thief abuses all the personal data on it.

“Let’s stop calling it a phone,” said Raj Samani, Intel Security’s chief technical officer for Europe, the Middle East and Africa. “It’s not even a computing device — it is our digital passport.”

Unfortunately, most of the devices on the floor don’t run the latest version of Android, which can leave them open to security holes. Demo units of Samsung’s new Tab S3 tablet, LG’s G6, Moto’s G5 Plus and HTC’s (headphone jack-deprived) U Ultra all ran Google’s Android 7.0, which shipped in August, not its subsequent updates.

The new Nokia 5 was a refreshing exception, showing the current 7.1.1 release and security patches current through March 1 — but that phone hasn’t been announced for the U.S. market yet.

Meanwhile, the majority of Android phones run older versions that lack the stronger security of 7.0, and the stricter control of apps added in 2015’s Android 6.0. Intel’s Samani called those “brownfield” devices, after the term developers use for environmentally contaminated sites that they sometimes must build on.


ESET’s Malcho mused out loud about a more extreme fix for that brownfield-phone problem: “Make the device so it dies in two years.”

Source : Yahoo.com


Google has detailed the latest Android Security Bulletin and released the fixes for Nexus and Pixel devices.


These are exploits and other security concerns that affect Android as a whole. Issues with the operating system, kernel patches, and driver updates may not affect any particular device, but these need to be fixed in the Android base by the folks maintaining the operating system code. That means Google, and they've detailed the things they have improved for this month.


Updated factory images for Pixel and Nexus devices that are supported are available, and over-the-air updates are rolling out to users. If you don't want to wait you can download and flash the factory image or OTA update file manually, and here are some handy instructions to get you started.


These changes have been released to the people making Android phones for at least 30 days, but Google can't force anyone to deliver them to you. If you're using a phone from Samsung, LG or anyone besides Google, you'll need to wait for them to send an update and shouldn't try to flash any of the above files.






Of course, Google has safety checks in place to prevent any problems on your phone because of any security exploits. Verify Apps and SafetyNet are at work anytime you add an app to your phone, and seamless updates to Google Play Services will keep them up to date regardless of any hold up from a manufacturer or carrier. Details and incident numbers can be found in the yearly Android Security Review (.pdf file).


Highlights for December 2016


December 2016's update comes with two patch dates: 12/01/2016 and 12/05/2016.

  • Fixes in the 12/01 update cover Android in general, and address issues with the Android operating system itself. The most serious exploit addressed was in the CURL library (software used to transfer data that covers most transfer protocols and security certificates), where a man-in-the-middle attack could be performed by someone with a spoofed security certificate. Other patches for Smart Lock, the telephony system, and comm stack are also included.
  • The 12/05 patch date covers issues with the kernel or drivers. These aren't part of Android, but Google is the central maintainer and assembles updated code and resources from the folks making the hardware components. This time we see fixes for serious exploits from Qualcomm, MediaTek, and NVIDIA — so chances are your phone needs these. Samsung's Exynos chips are covered outside of the Android Security Bulletin and are patched by Samsung themselves.


If you get an update with a patch date of 12/05 you also have every issue addressed by the 12/01 update in place.
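An added example (not from the original article) showing how the two-level scheme can be used to audit a device inventory. It assumes each device reports its patch level as a `YYYY-MM-DD` string, the form returned by `adb shell getprop ro.build.version.security_patch`, and that patch levels are cumulative by date; the device names and values are constructed.

```python
from datetime import date

# Patch levels named in the December 2016 bulletin as described above.
FRAMEWORK_LEVEL = date(2016, 12, 1)      # Android OS fixes (e.g. the curl issue)
KERNEL_DRIVER_LEVEL = date(2016, 12, 5)  # kernel and vendor driver fixes

def parse_patch_level(value):
    """Return a date for a 'YYYY-MM-DD' patch level, or None if unusable."""
    try:
        year, month, day = (int(p) for p in value.strip().split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None

def classify(value):
    """Map a reported patch level to its December 2016 coverage."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"          # empty or malformed: follow up manually
    if level >= KERNEL_DRIVER_LEVEL:
        return "full"             # 12/05 implies the 12/01 fixes as well
    if level >= FRAMEWORK_LEVEL:
        return "os-only"          # kernel/driver fixes still missing
    return "missing"

def audit(inventory):
    """Group device names by coverage so gaps are easy to follow up."""
    report = {"full": [], "os-only": [], "missing": [], "unknown": []}
    for device, value in inventory.items():
        report[classify(value)].append(device)
    return report

# Constructed sample inventory (hypothetical device names and values).
SAMPLE = {
    "pixel-01": "2016-12-05",
    "nexus-07": "2016-12-01",
    "tablet-03": "2016-11-06",
    "old-handset": "",
    "kiosk-02": "2017-01-05",
}

if __name__ == "__main__":
    for status, devices in audit(SAMPLE).items():
        print(f"{status:8} {', '.join(devices) or '-'}")
```

Devices in the "os-only" group have the operating system fixes but still lack the kernel and driver patches, which is the gap the 12/05 level exists to close.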




Source:  http://www.androidcentral.com/


The monthly Android security update released this week fixes the serious Dirty COW privilege escalation attack that can allow malicious apps to take full control of devices.

Dirty COW (copy-on-write) is a privilege escalation vulnerability that has existed in the Linux kernel for the past nine years and is already being exploited in the wild. It affects Android because the mobile OS is based on Linux, but it was initially believed that the SELinux security policies enforced by default in Android provided some mitigation against the attack.


That's not necessarily the case, according to security researchers from Trend Micro, who devised a new Dirty COW attack variant that bypasses SELinux restrictions by injecting malicious code directly into other processes.

"Our proof of concept patches libbinder.so to give our app system/root privileges," the Trend Micro researchers said Tuesday in a blog post. "We used this ability to bypass Android’s permission security model to steal information and control system functions."

Google developed a patch for Dirty COW last month and shared it with device manufacturers. However, it didn't include it in its firmware updates for Nexus and Pixel devices at the time and didn't make its inclusion mandatory for manufacturers either, until this month.

This month's security update also fixes an interesting security vulnerability in the mechanism that downloads GPS satellite information, known as the GPS almanac.

Researchers from security consultancy Nightwatch Cybersecurity have found that some Android devices with Qualcomm chipsets download this GPS information file from Internet servers without authentication, encryption or file signature verification. This means that an attacker in a position to intercept the download requests from Android phones can serve bogus GPS assistance files to the devices.

Google has rated this vulnerability as high severity, because it can result in a denial-of-service attack that delays the phone's GPS receiver from establishing a GPS lock.

According to the Nightwatch researchers, Qualcomm has known about the GPS almanac issue since 2014 and has advised its OEM customers to download the GPS assistance files over HTTPS or to switch to their latest format which includes a digital signature.


The December Android security update also includes patches for critical vulnerabilities in the kernel memory subsystem, NVIDIA GPU driver, NVIDIA video driver, kernel ION driver and various Qualcomm components.

Source : http://www.pcworld.com/


Every day, millions of people all over the world use their smartphones, but many people don’t realize that these phones are not completely secure. If you own an Android smartphone, you need to take steps to protect yourself from fraud and identity theft. You can lose a whole lot more than just contact information and other day-to-day information! Someone could end up getting your financial information, and then you would really be in a mess. Also, you can lose the things that mean a lot to you, including photos, social media accounts, documents, emails, and more, or even worse, your information could be shared online for the rest of the world to see. With these things in mind, here are some things you can do to tighten the security on your Android device.

Encrypt Your Data

Encrypting data is like securing your data with a secret code that only you know. Using encryption helps to increase your security, and you can turn encryption on in the settings of any type of smartphone. You will need to have a password to access any of your data.

Lock all Apps

You need to lock all of your apps. This is particularly important for apps that contain personal information that you don’t want anyone else to see. Investigate the range of app locking apps, or search within individual apps and disable any options that allow simple and easy access – unless you’re certain that you don’t mind anyone else having access!

Use Built-In Security

There are all kinds of screen locks available, from passwords to PINs to patterns to face unlock. Make sure that you are using at least one of the screen locks that can be found in your Android settings. Be sure to make it so your passwords are not easy to guess, even with this security.

Choose the Best VPN Service

It is important to use the right VPN for your Android device, but there are so many out there that it can be difficult to know which one is the best for your particular needs. Do your research before you buy, and be sure to consider all the options carefully.

Don’t Save All Passwords

A lot of people save all of their passwords to sites and online services they use. But if you do this and someone gets hold of your device, they will have access to all of your passwords. Do not save them on your Android device, in particular those for banking and payment apps.

Create Multiple User Accounts

If you share your device with others (spouse, children, etc.), it is important that each user has their own account in order to protect your privacy. If you’ve a reasonably new tablet you can create guest accounts for other users – just like on your desktop computer.


Install Antivirus Software

There is antivirus software available for Android devices, and we strongly suggest that you install one. Smartphones are basically hand-held computers, and they are as subject to viruses as any other computer.

Watch for Safe Apps Download

Loads of software and applications are available for Android devices, and you could end up unwittingly downloading harmful applications. For this reason, you need to pay attention to the smart phone agency terms and application before downloading anything. Also, you can set your antivirus to check every app that installs.

Avoid Financial Transactions

Never do any type of financial transactions on your smartphone or tablet. If you must do online financial transactions, be sure to use a private home computer that is password protected. If you can get a dedicated Internet line to your home, that is even better, because there is no chance that others in the neighborhood can use your service and possibly access your information.

Author:  Jane Hurst

Source:  http://www.lifehack.org/

