Android-based Smart Phone: Threats vs. Security

Background of Android Security

In 2014, more than 1.1 billion Android devices were shipped, taking more than 80% of the mobile device market share (DailyTech: Gartner). The number of mobile applications in the Google Play Store has crossed 1.6 million, overtaking Apple's App Store. As the popularity of Android applications grows exponentially, privacy and security have become a major concern. Malicious apps can not only access sensitive information such as location, files, photos and text messages, but can also commit financial fraud, leading to financial loss for users or businesses. Fraudsters adopt innovative and sophisticated techniques to steal money from innocent users ("Smart phone malware: The six worst offenders - NBC News"). Android users, unlike iOS users, are allowed to install applications from outside the Google Play Store, which exposes them to many more threats.

Demography of mobile banking attacks in the world (Roman Unuchek, 2016)

There are many types of vulnerabilities in the Android ecosystem, in various layers such as the Application or Framework layer. There are also issues like code injection and repackaging. A lot of effort has been made to address all these issues (Enck, 2011). This article tries to understand the Android environment, its built-in security features and the latest developments in Android security.

Types of Android Security Breaches

We need to understand the different types of breaches that take place on the Android platform. It faces the following kinds of security breaches:

Data Breach

This is the most common type of breach on the Android platform, which has a Linux-based OS and millions of applications available from the Google Play Store. Information about the user of an Android-powered device, such as name, date of birth, address, contact details, account details, sensitive messages, messenger conversations and bank details, can cause havoc if it is lost, stolen by hackers or data-stealing applications, or exposed through vulnerabilities in the OS or poorly written applications.

Device Security Breach

This usually takes place when a mobile device is stolen, lost by the user, or lent to others for a short time. Losing the device can mean a monetary loss of a few hundred dollars, but in the worst case someone's personal and other sensitive information can land in the wrong hands, which can be disastrous. It gets worse if the device is provided by a company and has a connection to the corporate network.

Table showing report from Fireeye on Android Devices (Fireeye, 2016)

Types of Security Threats on Android

Generally, Android mobile devices hold a combination of sensitive personal data, videos, the user's location, photos, contacts, messages and, in some cases, sensitive business data and intellectual property (IP). That is a goldmine for anyone who wants to steal it, and drives them to find ways to exploit any weaknesses or vulnerabilities. Research conducted by FireEye (Fireeye, 2016), which analysed millions of applications in 2014, shows that users are vulnerable to attack or at risk of being attacked. Android users face challenges and risks on many fronts, as there are many ways attackers can exploit an Android device. Some are outlined below:

  • Malicious applications designed to steal data.
  • Repackaging of applications – a very common security issue with the Android OS. Unpacking/reverse engineering of .apk files, decompiling, code injection and repacking are carried out to infiltrate devices (Fung, 2015).
  • Denial of Service or DoS attack – the increasing number of smartphones and other mobile devices, such as tablets, connected to the internet is prone to DoS attacks. Malicious applications and poor or missing protection, such as an antivirus program, are some of the reasons.
  • Malware surge on Android devices – 96% of malware targets Android, and millions of malware samples are out there hidden in benign-looking applications (Fireeye, 2016).

Security Threats from Potentially Harmful Apps (PHA)

There are thousands of apps with potential vulnerabilities ready to be exploited. On top of that, Google lists the following categories in its latest (April 2016) PHA classifications:

  • Backdoors: these applications allow full control of Android devices, letting a remote party access data and control the device, which is potentially harmful.
  • Fraudulent Bills: some apps intentionally charge their users without their consent.
  • Fraudulent Calls: apps can be designed to make expensive calls without the knowledge of users.
  • Fraudulent SMS: apps send premium texts to premium numbers, incurring high bills without the consent of users. For example, a game app secretly downloads premium numbers associated with fraudsters and sends messages while the game is being played.
  • Fraudulent WAP: some apps connect to third-party services via Wireless Access Protocol and add charges to the user's bill.
  • Collection of Data: apps which collect data about the apps installed on the device without the consent of the user, including the list of currently installed applications or the applications which are active.
  • Spyware for Commercial Purposes: apps can transmit the user's personal information and data without the user's knowledge. This is then used for targeted marketing, or on behalf of parents for supervision.
  • DoS: apps can execute a DoS attack or take part in a DDoS attack targeting a particular system or its resources. To paralyse or take out a web server, the app sends HTTP requests in huge volumes.
  • Phishing Apps: apps which pretend to come from a trustworthy source can transmit the user's credentials and financial information. They can also intercept user credentials in transit.
  • Ransomware: the app takes control of a mobile device or the user's data on it and demands money in return for releasing control. It can also encrypt data and ask for money to decrypt it, and it escalates its authority to administrative level so that ordinary users cannot remove the app.
  • Spam apps: some apps use the user's email to send premium messages to the user's contacts, or simply to send spam emails to other users.
  • Trojan apps: typically apps that look innocent, such as pretending to be a game, but perform harmful activities without the consent of the user. They can also carry other hidden programs that learn the user's personal information, transmit it to third parties, or send premium texts that incur charges on the user's bill. (The Google Android Security Team's Classifications for Potentially Harmful Applications, April, 2016)

List of countries mostly attacked by mobile banking malware (Roman Unuchek, 2016)

Reasons behind Security Breaches in Android

Android is now the most popular platform in the world, and it is susceptible to security risks. That makes its users and devices a prime target for stealing information about users and their resources, whether personal, financial or corporate. There are many reasons behind these attacks, which take the form of unauthorised access, malicious attacks, malware, DoS, apps designed to sniff user information without consent, etc.

  • Information leakage is one of the main issues with the current Android architecture: users must grant permissions before installing and using apps, which authorizes the apps to collect information without any restriction from the OS.
  • A vast majority of well-known and trusted apps contain adware which is not actively controlled and which collects information about users and devices for better ad targeting.
  • Some seemingly innocuous applications contain aggressive advertisement libraries (Fireeye, 2016).
  • By exploiting known kernel vulnerabilities, attackers can launch a privilege escalation attack and gain higher access to device resources, or to any files in the cloud or on the corporate network.
  • Some applications allow intruders to pry into user identity.
  • Poorly written apps are easily exploited.
  • Lax Google Play checks on malware and aggressive adware applications, which ordinary users deem safe.
  • Mobile device access is not properly protected with a strong password or fingerprint, so when the device is lost or stolen, access to sensitive information is unchallenged.
  • Phishing emails are highly sophisticated these days, and ordinary users can easily be tricked into giving away their bank account password and other details.
  • Data stored on unprotected storage cards can easily be accessed when the card is lost or stolen.
  • Legacy versions of apps and software can expose security loopholes to attackers.
  • Bring your own device (BYOD) – most organizations, from schools to corporations, allow users to bring their own devices such as mobiles, laptops and tablets. Devices can get infected by malware or viruses already present on the connected network, or vice versa. Security on the device itself is as important as the security of the network it connects to. In some cases insiders can be the cause, breaching devices to steal important information from colleagues, visitors or devices connected to the network externally.
  • Users, whether in an organization or ordinary users, sometimes do not follow new practices or keep their devices and installed applications updated. Once an application is breached or compromised by attackers, there will typically be security updates or patches to tackle the issue.

Image above showing fake login of bank applications in New Zealand (welivesecurity, 2016)

Business and Social Impact

In recent years there have been a number of large-scale cyber-attacks on business enterprises through the medium of mobile. There have been back-to-back attacks on US retailers, for example Neiman Marcus and Target, with Michaels Stores being the latest victim. This has led to constant vigilance over Android mobile devices, looking out for risks and vulnerabilities. Mobile carriers like T-Mobile have also been affected. Most of the attacks were found to involve complex malicious programs attacking and stealing financial card information. Large-scale attacks like the one at Target, which affected more than 40 million customers' cards and exposed names, addresses, email addresses and credit card details, are now the trend. More than 1.1 million customers were found to be affected by the Neiman Marcus hack.

The total business impact of breaches in an organization can rise to millions of dollars in losses, and losses are forecast to keep rising. According to sensors placed all over the world, attacks on the SMB sector are thought to be on the rise and are predicted to increase in the future as new threats emerge every day.

Smaller companies are increasingly becoming targets, as they have fewer defences and easily available data. The manufacturing sector is the most targeted sector in this business environment.

These breaches also have major social impacts. There have been many instances of breaches on personal Android phones, and it is found that more than 90% of Android mobile phones have been breached. This creates a totally insecure environment for mobile phone users, and in the current scenario, where mobile penetration is so extensive, the risk is very high. There have been many instances in which people have lost personal information such as images and other critical information to cyber attackers. The latest trend is attacks on the financial sector, in which many applications of financial institutions are under attack and people are being blackmailed by cyber criminals through malware like ransomware ("Impact Of An Android Data Breach").

Bar graph showing apps added to android market each month along with low quality apps (Appbrain, 2016)

Android Security Breach - Technical Solution

We can categorise the proposed security measures into two categories:

Static Analysis

In Static Analysis, the whole solution depends on the application's code and structure. One static analysis technique is to cross-check the app's signature against a collection of malware signatures; if a match is found, appropriate action is taken. Its scope of protection is limited, since it can stop only some of the emerging threats, e.g. those covered by generic or broad signatures. The next method is Permission Analysis, which checks the system for the apps with the highest granted permissions and their capability to access resources. This makes it possible to detect malicious apps based on their risk level. The next method is to scan the Control Flow Graph (CFG) and find any manipulations or vulnerabilities inside the code.
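To make the permission-analysis step concrete, here is an added Python example (not code from the original article) that scores the permissions an app requests and flags risky combinations. It assumes the APK's AndroidManifest.xml has already been decoded to text XML (for example with apktool); the weights, the combination rules and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Illustrative weights (an assumption, not an official rating).
RISK_WEIGHTS = {
    P + "SEND_SMS": 3, P + "CALL_PHONE": 3, P + "READ_SMS": 3,
    P + "RECEIVE_SMS": 2, P + "READ_CONTACTS": 2,
    P + "ACCESS_FINE_LOCATION": 2, P + "SYSTEM_ALERT_WINDOW": 2,
    P + "RECEIVE_BOOT_COMPLETED": 1, P + "INTERNET": 1,
}
# Assumed combinations, loosely modelled on the PHA categories listed earlier.
COMBO_RULES = [
    ("fraudulent SMS", {P + "SEND_SMS", P + "INTERNET"}),
    ("fraudulent calls", {P + "CALL_PHONE", P + "INTERNET"}),
    ("SMS interception", {P + "RECEIVE_SMS", P + "READ_SMS", P + "INTERNET"}),
    ("contact harvesting", {P + "READ_CONTACTS", P + "INTERNET"}),
]

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    # Stdlib parser for brevity; prefer defusedxml for untrusted input.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def assess(manifest_xml):
    """Score a manifest and name every combination rule it satisfies."""
    perms = requested_permissions(manifest_xml)
    score = sum(RISK_WEIGHTS.get(p, 0) for p in perms)
    findings = [label for label, needed in COMBO_RULES if needed <= perms]
    return score, findings

# Constructed sample: a "puzzle game" that asks for far more than a game needs.
SAMPLE_MANIFEST = """<manifest package="com.example.puzzlegame"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST))
```

A high score alone is not proof of malice; the value of the check is in ranking apps for closer review and in spotting requests that do not fit the app's stated purpose.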

Dynamic Analysis

Dynamic Analysis looks at the behaviour of the application at runtime. It mainly monitors the application's battery consumption, network utilization and system calls (Bell, 1999).

One dynamic analysis method is crowdsourcing, in which call logs or user reviews of an app are collected from many users and studied to improve the security of the device ("Crowdsourcing - Wikipedia, the free encyclopedia," n.d.). There are also policy-based and recommendation-based solutions. In the policy-based approach, users define policies regarding application services, thereby setting the level of permission. In the recommendation-based approach, users are advised on decisions about granting permissions.

Mobile threats by platform comparison (Forbes, 2016)

Solution to Security Breaches

We will discuss some of the best practices for securing Android mobile devices against being hacked or attacked by opportunist attackers. No mobile platform or security technology is foolproof; vulnerabilities in Android and among its users are being exploited, and new threats arise every day. It is therefore best to stay ahead of today's threats and keep applications and the OS updated and patched to prevent future attacks.

  • The Android security platform has improved its safety with what Google calls SafetyNet, which makes exploitation of vulnerabilities difficult. Google also actively monitors apps for abuse using Verify Apps, PHA classification and Google Mobile Services, especially for apps sourced from outside Google Play.
  • Update: keep your device updated with patches and software versions from the manufacturer and Google Play, which can prevent malware attacks.
  • Only use the official app store, which is Google Play: by downloading apps for Android devices from a legitimate source, users can avoid installing malicious apps, as Google Play checks for malicious apps and alerts users accordingly.
  • Check an app's ratings or reviews before downloading and installing it; other users share their experience of the app, including its security and privacy.
  • Keep the anti-virus software on the device up to date, and when connected to unsecured WiFi, refrain from using banking apps or sending sensitive information, which might be intercepted by rogue users or make the device vulnerable to attack.
  • Ensure the lock screen is enabled and that a PIN or a difficult-to-guess password is required to gain access to the device.
  • Google must also keep its Android platform secure by patching new vulnerabilities from known CVEs, cleaning malicious apps out of its Play Store, closing loopholes in the Android OS core, and engaging users and keeping them informed of any updates or patches.
  • Make good use of Android Device Manager: the remote lock and delete options should be enabled in case the device is lost or stolen. Third-party apps or the built-in device manager can be used for the same purpose.
  • Regular backup using Google or other apps is highly recommended. Local backups should be encrypted, or the SD card should require a PIN or password to access data.

Thanks for taking the time to read this article, would welcome any comment/feedback.

