Beware 'permission' requests in your app
When something as benign as a photo editor insists on sending you frequent notifications, you could be in trouble
Whenever security experts discuss Android security, they always recommend downloading apps only from the Google Play Store, as it contains significantly fewer malicious apps than third-party app stores. Still, developers manage to sneak in malware every now and then. So, how do you avoid picking up something nasty?
One sound defensive strategy is to pay close attention to the permissions requested by the app, according to researchers from the security firm Kaspersky. Think carefully about why the app needs those permissions before you give it the green (or red) light.
Kaspersky recently discovered a couple of fairly unhealthy programs in Google Play posing as photo apps. Both hung around in the store long enough to chalk up 10,000 downloads each. There was nothing particularly eye-catching about them; they were just two members of the "yet another photo editor" class.
The only detail that might have alerted the observant user was that both apps persistently requested access to notifications, and they wouldn't take no for an answer. All incoming messages appear in notifications, which means that the photo editors, if given permission, could read them.
A photo editor has no need for such access -- normally, that's something used for communicating with a smartwatch. So, why would it request that?
Well, after installation, the putative photo editor collected information (phone number, smartphone model, screen size, mobile operator, etc.) and sent it to the cybercriminals' server. In response, it received a list of web addresses pointing (via several redirects) to a paid subscription sign-up page.
You've probably come across paid subscriptions at some point -- either in the form of a ringtone that requires regular payments, or a WAP or SMS mailing that you don't need but that still empties your mobile account, penny by penny. Carriers in various countries are fond of such paid subscriptions.
More often than not, people subscribe to them out of sheer carelessness, not on purpose. Fail to read the fine print and before you know it, you're paying for a horoscope. Victims usually become aware of such subscriptions only when their mobile phone account runs dry earlier than expected.
In this particular case, the malware's task is to sign the victim up for paid content in a way that raises no flags whatsoever. To do so, it disables Wi-Fi and, using mobile data, loads the malicious pages in a window the user never sees.
To fill out the required fields (for example, the phone number), it uses the previously harvested information. If the sign-up process employs a CAPTCHA, the image is sent to a special service for decoding. And the SMS verification code, if required, is intercepted through the notification access the app was granted.
Avoid unwanted sign-ups
It is difficult to immediately gauge an app's potential for harm. That said, there are ways to recognise a suspicious app and protect against undocumented features:
- Carefully review the list of permissions that the program requests. If an app requests access to potentially dangerous permissions that you consider unnecessary, don't be afraid to refuse. If it insists, delete it.
- Use a robust security solution that detects "subscription pages" and warns you of the danger.
- If your mobile operator offers the option, make such subscriptions impossible by opening a separate "content account" or activating a subscription-blocking service.
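Notification access (Android's NotificationListenerService) is not an ordinary runtime permission, so it does not appear in the usual permission prompt; it is stored in the secure setting `enabled_notification_listeners`, which can be read over adb. The script below is an added example, not part of the article or Kaspersky's research: it parses that setting (a colon-separated list of `package/service` component names) and reports any package not on an allow-list you supply, so a photo editor holding the access a smartwatch companion app would need stands out. The sample setting value and the package names in it are constructed for illustration; the `--live` mode assumes `adb` is installed and a device is connected.

```shell
#!/bin/sh
# Added example (not from the article): audit which Android packages hold
# notification access, the capability the article says a photo editor has
# no legitimate reason to request.

# The secure setting holds colon-separated ComponentName strings
# (package/service). Print one package name per line, de-duplicated.
parse_listener_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | grep -v '^$' | sort -u
}

# Constructed sample value: a watch companion app (expected) and a
# hypothetical "photo editor" (unexpected) both hold notification access.
SAMPLE_SETTING='com.example.watchcompanion/com.example.watchcompanion.NotifService:com.example.photoeditor/com.example.photoeditor.NlService'

# Read the real setting from a connected device (requires adb + USB debugging).
live_listener_setting() {
    adb shell settings get secure enabled_notification_listeners | tr -d '\r'
}

# Print packages holding notification access that are NOT on the allow-list.
# $1 = setting value; remaining arguments = package names you expect.
unexpected_listeners() {
    setting="$1"; shift
    parse_listener_packages "$setting" | while IFS= read -r pkg; do
        allowed=0
        for a in "$@"; do
            if [ "$pkg" = "$a" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then printf '%s\n' "$pkg"; fi
    done
}

if [ "${1:-}" = "--live" ]; then
    shift
    # Usage: ./audit.sh --live com.yourwatch.app [more allowed packages...]
    unexpected_listeners "$(live_listener_setting)" "$@"
else
    echo "Packages with notification access (sample value):"
    parse_listener_packages "$SAMPLE_SETTING"
    echo "Not on the allow-list:"
    unexpected_listeners "$SAMPLE_SETTING" com.example.watchcompanion
fi
```

Run without arguments to see the parser work on the constructed sample; run with `--live` followed by the packages you knowingly granted access to (a watch companion, for instance) to check a real phone. Anything it prints deserves the same question the article asks: why would this app need to read my notifications?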