Android Security 101: A Short Guide
It’s no secret that Android malware is starting to run rampant on users’ phones with no immediate signs of slowdown. And numerous reports indicate that the numbers continue to climb exponentially upward.
To give you a taste of what’s lurking out there, the following link points to a list of mobile malware variants that the FortiGuard Labs team has uncovered.
And the reason mobile malware authors are enjoying an extended field day on Android is overwhelmingly attributed to the open nature of the platform. Google’s Android has found its niche by providing an open forum that presents a logical antithesis to its Cupertino-based counterpart, known for locking down app development and distribution. However, while Android developers are allowed to flex their creative muscle and distribute apps that are often restricted from Apple’s store, malware authors simultaneously enjoy the same kind of freedom.
That said, here are a few security tips, provided by Axelle Apvrille, Fortinet senior antivirus analyst and researcher, aimed at keeping your data safe while perusing the mobile Web.
Apply A Healthy Dose Of Skepticism: The vast majority of malware finds its way onto users’ phones via social engineering schemes. In short, cyberthugs find ways to impersonate legitimate-looking apps and SMS messages in order to compel users to open and install malicious code onto their devices.
In these kinds of scams, the users are generally the weakest link, mostly because it’s not always easy to distinguish between a legitimate app and a malicious one. So before installing, treat apps with a healthy dose of skepticism. And pay attention to some of the most obvious signs, such as misspelled words in emails or SMS messages coming from unknown or unsolicited sources.
“Much of this social engineering can be spotted by a trained eye. So, being aware of this can in a way be more important than having an actual security tool on the phone,” said Apvrille.
Don’t Install Apps You Don’t Need: With the rising tide of mobile malware, it’s easy to unintentionally download apps laden with malicious code. So in most cases, it’s best to apply caution and awareness and avoid installing apps you don’t absolutely need, especially if it’s on a work-issued phone.
Unlike PC-targeted attacks, most mobile malware can’t automatically propagate, instead relying on users for installation. As such, the onus is on users to recognize a “wrong” app and limit installations strictly to what is absolutely necessary. “Do you need a PDF Reader? Perhaps. Do you need a pinball game because you are bored waiting for your flight? Well, perhaps, but it’s better if you can refrain from installing one,” Apvrille says.
Check, Check and Double-Check: You don’t have to rely on intuition when trying to determine if you’re installing malware onto your Android device. In fact, there is a plethora of ways you can tell if the app you’re about to install is the real deal.
First, users naturally can put the odds in their favor when they download apps from known and reputable sources, such as the Android Market or Amazon’s App store.
Even still, there are a slew of checks users can make to ensure the app’s authenticity. Check the price. Check the developer’s name and Website. Angry Birds, for example, is made by Rovio Mobile. (If the developer’s name is Chinese, chances are good that it’s not the legitimate version, Apvrille cautioned).
Next, check the number of permissions that the application requests. “If there are more than three, be extra cautious,” Apvrille said.
And if the application requests the SEND_SMS permission, treat that as a red flag as well. “Permissions must make sense with the application: a weather application has the right to get your geographic location, but there is no reason it should send an SMS,” Apvrille said. “If the application requests a permission you see no reason for, don’t install it.”
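The permission checks described above (more than three permissions, SEND_SMS, and permissions that do not fit the app's purpose) can be applied to an app's decoded manifest. The Python below is an added example, not part of the original article; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the `EXPECTED` policy table, the category name and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SEND_SMS = "android.permission.SEND_SMS"

# Hypothetical reviewer policy: permissions that make sense per app category.
EXPECTED = {
    "weather": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_FINE_LOCATION",
    },
}

# Constructed sample: decoded manifest of a made-up "weather" app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Weather"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def review(manifest_xml, category, max_permissions=3):
    """Apply the article's three checks and return the findings."""
    perms = requested_permissions(manifest_xml)
    return {
        "count": len(perms),
        "too_many": len(perms) > max_permissions,
        "send_sms": SEND_SMS in perms,
        "unexpected": sorted(perms - EXPECTED.get(category, set())),
    }

if __name__ == "__main__":
    for check, result in review(SAMPLE_MANIFEST, "weather").items():
        print(f"{check}: {result}")
```

An unknown category yields an empty expected set, so every requested permission is listed as unexpected and has to be justified by hand.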
Don’t Root Your Phone: Unless you know what you are doing, this just opens the floodgates for trouble.
Install an Antivirus on Your Android Device: With the growing volume of mobile malware, anti-virus is becoming a growing necessity. And in any case, it’s better to be safe than sorry. The good news is that there’s now a wide variety of mobile anti-virus products from which to choose. Users can find a comprehensive list of top AV products at av-test.org.
Regularly Check Your Bill: Look long and hard for anomalies–a little bit of scrutiny can go a long way. While major aberrations will obviously be the first thing you notice, also pay attention to small but mysterious fees and purchases, especially if you can’t remember making them. Mobile fraud and theft often go under the radar when cyber thieves siphon off money little by little, as opposed to swiping large, blatantly obvious amounts all at once.
Any detected anomalies should be reported immediately to the user’s carrier. “And by all means, ask them what measures they are currently using to protect your phone from malware,” Apvrille said.