A new Android trojan is in town, and it can steal your account passwords and social security numbers by recording your phone conversations, according to a report by a security researcher.
Dinesh Venkatesan, a security researcher for IT service provider CA Technologies, said that once the Android malware is installed on the victim's device, it drops a configuration file containing key information about the remote server and the parameters. It then records phone conversations and stores them in "AMR" format on the user's SD card. Based on the configuration file, it is assumed that the trojan can also upload these conversations to a remote server maintained by the malware's author. (AMR, or Adaptive Multi-Rate, is an audio compression format widely used in mobile devices.)
Venkatesan didn't say how he came across the new malicious package, but explained that he tested the eavesdropping malware in "a controlled environment with two mobile emulators running along with stimulated Internet services." One screenshot confirms that, like a legitimate app, the malware must ask permission before installing itself on the device.
"As it is already widely acknowledged that this year is the year of mobile malware, we advise the smartphone users to be more logical and exercise the basic security principles while surfing and installing any applications," Venkatesan said.
How do you stay safe when mobile technology is thoroughly integrated into our daily lives?
1. Set a password for your phone
Most smartphone users only lock their screens using the keyboard lock, but don't set a password for unlocking it. If the handset is lost, it is very easy for the thief to steal your identity.
2. Use only well-known app stores
The most significant security factor that should give Android users pause, said Vamosi of Mocana, is that "Android users can download apps from third-party sites, not Google, whereas iPhone users can only download from the App Store." So it's especially important to download apps from sources that are known for good security.
3. Scrutinize every app download
Regardless of whether an app is free or paid, any given download is a potential threat to your phone's security. Take the time to scrutinize each app's market listing carefully before downloading it to your device.
"Pay attention to the name of the app creator," said Symantec's Wilhelm. "An app that purports to be the legitimate version, but has a different author listed should be a definite red flag." Beyond that, take a good look at the permissions the app asks for, and cancel the download if the app wants access to phone resources that seem disproportionate to its function.
4. Beware strange texts and emails
"Just like emails, attackers can use text messages to spread malware, phishing scams and other threats among mobile device users," said Wilhelm. "So, the same caution users have become accustomed to applying to suspicious emails should be applied to opening unsolicited text messages, too."
5. Use mobile security software
According to Vamosi, there are several comprehensive device security apps in the Android market that can help detect and protect against mobile malware, and it's increasingly wise to use one.
However, businesses should be particularly vigilant in this regard, said Wilhelm. "Enterprises should consider implementing a mobile management solution to ensure all devices that connect to their networks are policy compliant and free of malware."
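The permission check from tip 3 can be automated for the behaviour this report describes (recording calls, storing them on the SD card, uploading them). The following is an added example, not code from the report: it assumes the app's AndroidManifest.xml has already been decoded to text, the mapping from behaviours to permissions is this example's assumption, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Behaviours the report attributes to the trojan, mapped to permissions an app
# would typically need for each (assumed mapping; the report lists none).
BEHAVIOURS = {
    "record audio": {P + "RECORD_AUDIO"},
    "observe call state": {P + "READ_PHONE_STATE", P + "PROCESS_OUTGOING_CALLS"},
    "write to SD card": {P + "WRITE_EXTERNAL_STORAGE"},
    "upload to a server": {P + "INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def audit(manifest_xml):
    """Flag an app only when it can do every step of the call-recording chain."""
    perms = requested_permissions(manifest_xml)
    matched = {b: sorted(perms & need) for b, need in BEHAVIOURS.items() if perms & need}
    return {"matched": matched, "flag": len(matched) == len(BEHAVIOURS)}

def manifest(package, perms):
    """Build a constructed sample manifest for the demo below."""
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application/></manifest>' % (package, uses))

# Constructed samples: a "wallpaper" app asking for far more than it needs,
# and a voice-memo app whose requests match its stated function.
WALLPAPER = manifest("com.example.wallpaper", ["RECORD_AUDIO", "READ_PHONE_STATE",
                                               "WRITE_EXTERNAL_STORAGE", "INTERNET"])
VOICE_MEMO = manifest("com.example.memo", ["RECORD_AUDIO", "WRITE_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for name, xml in (("wallpaper", WALLPAPER), ("voice memo", VOICE_MEMO)):
        result = audit(xml)
        print(name, "FLAG" if result["flag"] else "ok", sorted(result["matched"]))
```

A flag means only that the requested permissions would allow the whole chain; whether that is disproportionate still depends on what the app claims to do.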