When ESET researchers analyzed the first
file-encrypting Trojan to demand a ransom from Android users via a
control centre hidden on the anonymized Tor Network, the malware was
“somewhat anticipated”,
ESET malware researcher Robert Lipovsky writes.
The malware
Android/Simplocker, available as a bogus app, seems at present to be a proof-of-concept rather than a fully-fledged attack ready for mass release.
Only last month,
Lipovsky reported on an Android worm, Samsapo.A,
which displayed as an SMS message with text reading “Это твои фото?”
(which is Russian for “Is this your photo?”) and a link to the malicious
APK package.
In
ESET’s Threat Trends Report predictions for this year, ESET experts warned of “an escalating increase in serious threats targeting
Android phones
and tablets – ESET detections of such malware increased more than 60%
between 2012 and 2013. This trend is predicted to continue in 2014.”
ESET Latin America’s Research Laboratory in Buenos Aires points out
that malware afflicting Android now uses classic PC attack methods – the
discovery of vulnerabilities, then their exploitation through malicious
code.
Thankfully, most of these threats can be avoided by sensible use of your device.
Robert Lipovsky writes,
“We encourage users to protect themselves against these threats using
prevention and defensive measures. Adhering to security best practices,
such as keeping away from untrustworthy apps and app sources, will
reduce your risks. And if you keep current backups of all your devices
then any ransomware or Filecoder trojan – be it on Android, Windows, or
any operating system – is nothing more than a nuisance.”
Install ALL apps from Google Play or other big-name app stores unless you have a good reason not to
There are good reasons to install apps from outside Google’s Play
Store (or other big-brand stores such as Amazon’s) – for instance, if
your employer requires you to install a messaging app for work.
Otherwise, don’t. Third-party stores, particularly those offering
big-name apps for free, are generally infested with malware, and
downloading apps from them is a good way to get infected. If you HAVE to
install a file from an unknown source, ensure your device is set to
automatically block such installations afterwards.
Don’t assume you’re safer on your Android
“Stay alert and don’t fall for common social engineering tricks,”
says Lipovsky.
Links, downloads and attachments can be just as risky on Android as
they can on PC. It’s easy to assume that, for instance, opening emails
on Android isn’t as risky as it can be on PC – but while Android malware
is still rarer than the PC variety, phishers, for instance, may direct
you to a fake website to harvest private information just as easily on
an Android phone.
If possible, don’t use any old ‘Droid
In an ideal world, you should use a new phone, running the latest
version of Android – KitKat. Older versions are less secure – and your
operator may not issue an upgrade for your handset, even if Google does.
ESET Senior Research Fellow Righard J. Zwienenberg wrote last year, in
response to a vulnerability, “The biggest problem for consumers is the
enormous number of old phones running Android that are still in use, for
which the operators will not release a new version. Many phones still
run the very popular, but outdated, Gingerbread Android platform.
Regardless of whether Google releases patches for these versions, the
phones will remain vulnerable.”
Ensure you are running the latest update of Android available for your device
Updates from Google should be available OTA (over the air) – and on
newer phones, you should be able to set your phone to auto-update (with a
restriction to do so via Wi-Fi rather than cellular networks). The area
under Settings where you can alter these settings varies by
manufacturer (on Samsung’s S5, it’s under About Device), but the menu
option you need is Software Update. Select the first menu option to
check you are running the latest version, and if not download and update
it immediately.
Do the basics – lock your phone
If you own the very latest handsets such as Samsung or HTC’s
flagships, you might have the luxury of locking your phone with up to
three fingerprints using a built-in scanner – but if not, there’s no
excuse for not locking it with either a PIN or, ideally, a password.
Go to Settings > Security > Screen Lock. On new devices, you’ll usually
get a choice of pattern, PIN, or password. A pattern’s less secure than
a PIN, and a password is your best choice. If you’re using your tablet
or smartphone for business, be extra careful. Talk to your IT
department, and read our guide to
encrypting data on Android here.
Don’t keep your valuables on your device
Lipovsky says,
“If you keep current backups of all your devices then any ransomware or
Filecoder trojan – be it on Android, Windows, or any operating system –
is nothing more than a nuisance.” Back up your phone when possible –
either manually, by connecting to a PC, or by using your manufacturer’s
auto-backup (Samsung accounts, for instance, will allow you to back up
phones). Use apps such as Google Drive or Dropbox to ensure data – like
photographs – is not solely stored on the device.
Lock off apps which might give away information
Apps such as Dropbox can contain information that is very useful to
cybercriminals – a passport scan or a photograph of a credit card, for
instance. There are various options for hiding and locking apps – the
free App Locker remains highly popular, despite its slightly annoying
adware which inserts pop-up ads throughout the OS. Download from Google
Play, and lock off sensitive apps – messaging, email, social networking,
file storage, banking – behind a PIN or password.
Inspect every app’s permissions before
When installing an Android app, you will see a list of “Permissions” –
functions the app is allowed to access. Permissions such as “Full
network access” or the ability to send and receive SMSs should make you
think hard about installing the app. It’s not a guarantee the app is
malicious – Facebook’s list of Permissions is long and alarming – but
particularly when attached to a screensaver, clock, or other app which
has no logical reason to need communications abilities, this should be
taken as a warning that you might be dealing with malware.
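The permission check described above can be run over an APK's permission listing before the app is installed. The Python sketch below is an added example, not part of the original article: it reads a listing in the style printed by `aapt dump permissions`, the sample listings are constructed, and the app category is an assumption supplied by whoever reviews the app.

```python
import re

# Communications permissions the article singles out (descriptions are paraphrased,
# except "Full network access", which is the label quoted in the article).
COMMS_PERMISSIONS = {
    "android.permission.INTERNET": "Full network access",
    "android.permission.SEND_SMS": "Send SMS messages",
    "android.permission.RECEIVE_SMS": "Receive SMS messages",
}
# App types the article names as having no logical reason to need communications.
NO_COMMS_CATEGORIES = {"screensaver", "clock"}

# Accepts both listing styles: "uses-permission: name='X'" and "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)")

def parse_permissions(listing):
    """Return the set of permission names found in a permission listing."""
    found = set()
    for line in listing.splitlines():
        match = PERM_RE.match(line.strip())
        if match:
            found.add(match.group(1))
    return found

def review(category, listing):
    """Return (level, descriptions): 'ok', 'review' or 'warning'."""
    hits = sorted(p for p in parse_permissions(listing) if p in COMMS_PERMISSIONS)
    if not hits:
        return "ok", []
    # Communications permissions always deserve a second look; on an app type
    # with no reason to communicate they are treated as a warning sign.
    level = "warning" if category.lower() in NO_COMMS_CATEGORIES else "review"
    return level, [COMMS_PERMISSIONS[p] for p in hits]

# Constructed sample listings (hypothetical package names).
CLOCK_APK = """package: com.example.nightclock
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
"""
CHAT_APK = """package: com.example.chat
uses-permission: android.permission.INTERNET
uses-permission: android.permission.RECEIVE_SMS
"""

if __name__ == "__main__":
    for category, listing in (("clock", CLOCK_APK), ("messaging", CHAT_APK)):
        print(category, review(category, listing))
```

A "review" result matches the article's point that such permissions are not proof of malice, only a reason to think before installing.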
Use a mobile security app
Android malware used to be dismissed as a myth – or largely an
annoyance designed to run up bills via premium SMS messages. The
discovery of PC-like malware such as
Android/Simplocker shows
just how fast malware is evolving for Google’s devices – and how like
its PC cousins it’s becoming. Google’s own policing of its Play Store
has improved hugely, but for peace of mind, a regular malware scan of
your device is recommended. ESET’s Lipovsky says, “A mobile security app
such as
ESET Mobile Security for Android will keep malware off your device.” Set the app to scan your phone regularly and automatically.
Use Google’s own defenses to the full
Google offers a pretty decent selection of security features built in
– including a location tracker, which can help find a lost device.
Visit
Google’s Android Device Manager page
to activate it while logged into your Google account and you’ll be able
to force a device on silent mode to ring, remote-lock a device, and
view its location on a map. If you own several Androids, you’ll be able
to see them all. More advanced protection is offered by AV programs such
as
ESET’s Mobile Security and Antivirus, but Google’s own, rolled out quietly to any users of Android 2.2 and above last autumn, is a good first step.
Never pay a ransomware author
While the implementation of the encryption in
Android/Simplocker
is clumsy compared to notorious PC malware such as Cryptolocker, it can
still effectively destroy files. Lipovsky advises that the one thing
users must not do is pay up: “The malware is fully capable of encrypting
the user’s files, which may be lost if the encryption key is not
retrieved. While the malware does contain functionality to decrypt the
files, we strongly recommend against paying up – not only because that
will only motivate other malware authors to continue these kinds of
filthy operations, but also because there is no guarantee that the crook
will keep their part of the deal and actually decrypt them.”