What exactly is Malware?
Malware (malicious software) is a term used to describe the various types of intrusive software. Intrusive software is any software that acts against the wishes of the computer user and causes unintended harm. The best-known forms of malware are the following:
- Viruses: They are called viruses because of their ability to replicate themselves, modify other programs and infect other systems. Most of the time, viruses aim to make a profit from their victims and/or cause data corruption and software damage.
- Worms: These are similar to viruses in that they spread to other systems connected to the same network. They do not cause any harm to the system’s data, but they consume network bandwidth.
- Trojan Horses: Taking their name from the Greek legend of the Trojan War, they try to mislead the user about their true intent.
- Spyware: This type of malware tries to spy on the victim, collect personal information and send it to the attacker without the user’s permission.
- Adware: Adware displays advertisements to the victim in order to generate revenue for the malware creator.
Despite the malware type definitions above, the boundaries between the various types are not strict, and a malware application can fall into more than one category at the same time.
How can Malware infect a device?
There are several ways malicious software can infect a device:
- Through e-mails: An e-mail is sent to the victim offering something interesting. The user opens and runs the attached executable/script and their device gets infected. Moreover, in some cases, a malware application can infect the device just by the user opening the e-mail to read it (for example, this Windows defect).
- Through attachments in chat applications: This intrusion mechanism works the same way as above.
- With an infected media device (USB stick, floppy disk, CD/DVD): The malware runs automatically when the media device is opened by the operating system.
- Exploiting operating system vulnerabilities: There are various types of these (buffer overflows, code injection, race conditions, etc.) which attackers can identify and use to execute malicious code. One example is the famous Linux Dirty_COW vulnerability. Most Android device rooting methods take advantage of such exploits to inject the su binary into the device’s system partition.
Malware on Android
As with every platform that enjoys a large usage share, Android faces a number of malware threats. Over the years, Google has invested a lot in enhancing the security of its operating system. Being built around the Linux kernel, Android uses many of Linux’s security mechanisms, such as SE-Linux (fully enabled by Google on Android 4.3). On top of that, Google has added its own security mechanisms that make the platform even more robust.
Despite all efforts though, Android still remains vulnerable to attacks:
- Linux kernels used on Android devices are usually several versions behind the official (upstream) kernel. Like every other modern operating system, Linux has a vulnerability management process: several kernel developers are responsible for identifying and fixing security defects in the kernel code. This process, though, takes place in the upstream kernel, and it is up to Google and the OEMs to apply the patches to the kernels used on Android devices. Considering the number of Android devices around, this job is very difficult and time-consuming. Google and the OEMs have made an effort to speed up this process and nowadays manage to provide kernel security fixes shortly after they are applied upstream, but still only on flagship phones and some mid-range phones.
- Root on Android is different from GNU/Linux. Typically a user can get superuser access just by opening a terminal and entering the command “su”. An App gets superuser privileges in a similar fashion. While most of the time the system asks for permission before allowing superuser access to an App, nobody but the App developer really knows what the software does after superuser privileges are granted. It is up to the user to trust that the App will not manipulate any personal information or cause intentional damage to the device.
- Google always checks Apps for malicious behavior before allowing them on the Play Store. Still, this process is not 100% effective, and a large number of malicious Apps are hosted – or were hosted until identified as malware – on the Google Play Store. Most of the time, a malicious App is identified only after infecting millions of devices and collecting large amounts of sensitive information.
- Most non-flagship devices do not get much support from their manufacturers, so users of such devices resort to custom ROMs to get newer versions of Android and additional features. Sometimes custom ROMs have security mechanisms disabled or kernels that are not up to date in terms of security patches.
- Lastly, whether a device gets infected or not mainly depends on the user’s behavior. The average Android user lacks advanced computer knowledge and can easily fall for websites that send notifications offering fake App updates, or that inform the user that their device is infected and offer fake antivirus tools, etc. This kind of malware spread has always existed, on any operating system, and is a result of the widespread use of personal computers and mobile devices.
Example Malware Threats on Android
These are some Malware Applications targeting Android:
- It was first spotted in the Lovely Wallpaper App and managed to infect over 4 million devices before it was exposed and removed from the Google Play Store. ExpensiveWall sends premium SMS without the victim’s knowledge, charging their accounts.
- A trojan horse, FakeBank opens a back door and steals information from the compromised device. Additionally, it is able to infect a connected Windows PC and tricks the user into replacing legitimate banking apps with malicious ones.
- Spyware that can track and send the user’s GPS location. It is shipped inside a Snaker game clone.
- It is available under the name “Battery Improve” and claims to help maximize a device’s battery usage. It also silently collects data from the device without the user’s knowledge or consent.
How to protect your Android from Malware
The most critical question an Android user can ask is: “Do I need Anti-Virus/Anti-Malware software on Android?”
Short answer: If you know what you are doing, no.
As explained above, if you are running Android on a device with a frequently updated kernel and all the security mechanisms enabled, your chances of catching a malicious App without your participation (for example, opening a file) are small. In the same mindset, try to get the latest Android version available for your device, as new security solutions come with each version of Android. Keep in mind that it does not matter whether the ROM is official or third-party: capable and security-conscious ROM developers have produced custom ROMs that are more secure than stock.
Furthermore, doing the following will also minimize your chances of malware infection:
- Install Apps through the Google Play Store. While there are malicious Apps on the Play Store, Google’s check process makes sure that, at least, you will not get exposed to already known threats.
- Disable Unknown Sources (usually found under Security Settings). This will disable installing Apps that are not signed by Google; in general, it disables installing anything coming from outside the Play Store. If you really need to install Apps from other places, make sure you are downloading from a place with a good reputation (for example, F-Droid). Also, always remember that cracked or modified Apps almost always contain malicious code injected into them.
- Always check an App’s requested permissions before installing. An App that advertises itself as a photo editor should not require permission to access the Phone Services, for example. On recent versions of Android (6.0 and later), App permissions are granted while the App is running and not at installation. As a result, you have greater control over what the App is allowed to do on your device.
- Make sure you have Google Play Protect (formerly Verify Apps) enabled. This is a Google service that monitors and checks your installed Apps and automatically disables known malicious Apps.
- Use Open Source Apps whenever possible. An App that is Open Source will have its code hosted somewhere, so anyone can take a look at it. While a general user might not have programming knowledge, someone who understands computer languages will spot something bad if it exists in an Open Source App. However, since downloaded APKs contain compiled code, there is no way to check whether the code was modified before the App was distributed. To avoid this, download Open Source Apps through a trusted place like F-Droid (which hosts only Open Source software). In general, an Open Source developer would not include malicious code inside an App that easily, as doing so would damage their reputation.
- Never fall for weird notifications coming through the web browser. Web pages generally do not have access to information other than the browser version, operating system and IP address. Even if your browser is old and your device really is infected, you should go for a trusted solution instead (like the Play Store).
- Get an e-mail account from a provider with high-quality spam filtering and anti-malware protection. This way you will stay away from most e-mails containing malicious tools.
- Keep your device rootless unless absolutely required. Current Android devices provide rootless access to functions that used to be root-only in the past. If you have root support enabled, make sure you keep your superuser App and binary updated. Also, only grant root access to Apps you trust (mainly Open Source Apps). It is best to do everything requiring root privileges manually, through the terminal. Linux’s power comes from the console, but this power could easily turn against you if you give attackers privileged access to it. Mastering the console will also improve your experience with Android and open up new opportunities.
- Try to always have SE-Linux set to enforcing. Despite what some might say, SE-Linux is a critical security mechanism. Many custom ROM developers disable it in favor of additional features; some custom ROMs cannot even boot with SE-Linux enabled. In fact, SE-Linux can be configured for any device and allow strict security on custom ROMs too, but its configuration can be difficult and usually discourages developers.
That is everything you need to know about malware on Android. While threats exist on Android, getting infected is not as easy as on other platforms, especially if you follow some simple rules and carefully select the Applications you install on your system.
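One way to put the permission check from the list above into practice, as an added example that is not part of the original article: the script pulls the requested permissions of an installed App out of `adb shell dumpsys package` output and flags the sensitive ones. The package name, its permission set and the sensitive-permission list are constructed for the example, and adb is assumed to be in PATH when a real package is audited.

```shell
#!/bin/sh
# Added example, not from the original article: list the permissions an installed App
# requests, as printed by `adb shell dumpsys package <package>`, and flag the sensitive
# ones (phone, SMS, contacts, location, microphone, camera). Assumes adb is in PATH when
# a package name is given; the "requested permissions:" layout is AOSP's dumpsys format.

# Constructed sample of the relevant part of dumpsys output, so the parsing can be tried
# offline. The package name and its permission set are made up for this example.
SAMPLE_DUMPSYS='Package [com.example.photoeditor] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.READ_PHONE_STATE
      android.permission.SEND_SMS
    install permissions:
      android.permission.INTERNET: granted=true'

# Permissions a photo editor has no business asking for; extend to taste.
SENSITIVE='READ_PHONE_STATE CALL_PHONE READ_CALL_LOG SEND_SMS RECEIVE_SMS READ_SMS READ_CONTACTS ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION RECORD_AUDIO CAMERA'

# Print, one per line, the permission names listed under "requested permissions:" (stdin).
requested_permissions() {
  awk '/requested permissions:/ { grab = 1; next }
       /^ *[A-Za-z ]+:$/       { grab = 0 }
       grab && /android\.permission\./ { sub(/^ +/, ""); print }'
}

# Read permission names from stdin; print the sensitive ones prefixed with "SENSITIVE:".
# Returns 0 when at least one sensitive permission was found, 1 otherwise.
flag_sensitive() {
  hits=1
  while IFS= read -r perm; do
    short=${perm##*.}                       # android.permission.SEND_SMS -> SEND_SMS
    case " $SENSITIVE " in
      *" $short "*) echo "SENSITIVE: $perm"; hits=0 ;;
    esac
  done
  return $hits
}

# Audit an installed package on the attached device (needs adb); CRs from adb are dropped.
audit_app() {
  adb shell dumpsys package "$1" | tr -d '\r' | requested_permissions | flag_sensitive
}

if [ $# -gt 0 ]; then
  audit_app "$1"                            # e.g. ./audit_app.sh com.example.photoeditor
else
  printf '%s\n' "$SAMPLE_DUMPSYS" | requested_permissions | flag_sensitive
fi
```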
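To check a device against several items of the list above (SE-Linux enforcing, security patch level, Unknown Sources, Play Protect) over adb, here is an added example that is not from the original article. It assumes adb in PATH and the AOSP property and settings names `ro.build.version.security_patch`, `install_non_market_apps` and `package_verifier_enable`; the 3-month staleness threshold and the treatment of `null` setting values are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit an attached device against the
# checklist above (SELinux enforcing, security patch not stale, Unknown Sources off,
# Play Protect / Verify Apps on) over adb. Property and settings names are AOSP's;
# the 3-month staleness threshold and the handling of "null" are this example's choices.

# Each check takes the raw value read from the device and returns 0 when it passes,
# so the checks can also be run against values typed in by hand.

selinux_ok() {            # $1 = output of `getenforce`
  [ "$1" = "Enforcing" ]
}

# Month count for a YYYY-MM-DD string; leading zero stripped so 08/09 are not read as octal.
months() {
  y=${1%%-*}; m=${1#*-}; m=${m%%-*}; m=${m#0}
  echo $(( y * 12 + m ))
}

patch_level_ok() {        # $1 = ro.build.version.security_patch, $2 = today (YYYY-MM-DD)
  case $1 in [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;; *) return 1 ;; esac
  [ $(( $(months "$2") - $(months "$1") )) -le 3 ]
}

unknown_sources_off() {   # $1 = `settings get secure install_non_market_apps`
  # "null" is taken to mean the global switch is gone (Android 8+ grants it per App).
  [ "$1" = "0" ] || [ "$1" = "null" ]
}

play_protect_on() {       # $1 = `settings get global package_verifier_enable`
  [ "$1" = "1" ] || [ "$1" = "null" ]   # "null" assumed to be the untouched default (on)
}

report() {                # $1 = label, rest = check command; prints PASS/FAIL
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

dev() { adb shell "$@" | tr -d '\r'; }   # run a command on the device, drop CRs

audit_device() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found"; return 2; }
  today=$(date +%Y-%m-%d); rc=0
  report "SELinux enforcing"           selinux_ok "$(dev getenforce)" || rc=1
  report "Security patch level recent" patch_level_ok "$(dev getprop ro.build.version.security_patch)" "$today" || rc=1
  report "Unknown Sources disabled"    unknown_sources_off "$(dev settings get secure install_non_market_apps)" || rc=1
  report "Play Protect enabled"        play_protect_on "$(dev settings get global package_verifier_enable)" || rc=1
  return $rc
}

if [ "${1:-}" = "--device" ]; then audit_device; fi   # opt in: ./audit_device.sh --device
```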