'Chatty' Android rich pickings for hackers, telcos: Symantec

Verbose mobile handsets cost users money, endanger their privacy.

Symantec had Android phones squarely in its sights as the next big target for hackers, executives for the anti-malware software maker said this week.

"You've seen a massive explosion and popularity of Android and what makes it so popular is the ability for any application developer to write, innovate and do lots of good work," said Symantec consumer product manager David Hall. "It's not using a closed application store,"

Hall pointed to the ability to install applications through email as central to the popularity behind Google's mobile operating system that was more open than Apple's iPhone AppStore. "But it also dramatically increases the need for security on the Android platform."

It was a problem identified in a recent report by security researcher SMobile Systems, which recommended enterprise users exhibit caution before deploying such handsets.

Related

• Next Norton is free and easy

Symantec US product manager for its Norton products Dan Nadir said the lack of multitasking on the Apple iOS was also a factor in its decision to concentrate its efforts on the open Android system.

"That's why we focused on Android first, we'll see with the new OS from Apple that supports multitasking but that's one of the limitations for [Symantec] because we want to run background apps and resources."

Symantec's Live Update was pressed into service to alert users when malicious software was bound for their handsets.

Nadir said that Android's verboseness when new software was installed, alerting the user to which parts of the handset's operating system were to be affected, led to user apathy akin to the Windows experience because there was too much information to digest.

"It's cool for the first few times and then everyone goes, 'yeah, whatever' click OK. It's almost like the [user-account control] prompt with PCs.

"I guess if you're downloading a solitaire game and it brings up a big list that says this will give access to your address book, this will give your GPS location maybe if you're a savvy user you'll go 'Err, that seems kinda strange'.

"So it is nice that they incorporated that amount of information to tell  you what an app is going to do but when we've looked at it most users don't know, don't care and they don't understand so it's not going to help them."

Changes to the Android operating system raised red flags with security vendors worried that the welter of malware that plagued the PC will migrate en masse to mobile handsets.

"In the new [Android] 2.2 version I can literally email you an app and there's only one button and it says 'Install'," Nadir said. "So just imagine how many users could be fooled into installing something if you said 'hey, check out this new insert-name-of-interesting-thing here' - lots of users probably just click the button and run."

He said the maker of Norton anti-malware software was looking at Blackberry but the sweet spot for potential mobile infections and privacy exploits rested with Android: "We want to make sure we have the user experience and feature set correct [before moving to Blackberry]".

Protect your private parts

Users were "by far" more interested in securing their handsets from prying eyes than they were in malware such as viruses, Nadir said; "they really care about losing their phone, about having access to their data".

For instance, security researcher Jeremiah Grossman last week revealed a flaw known in hacker circles for a year in Apple's Safari web browser also on iPhone that filled in details in forms from a user's address book without their intervention.

The time-saving "AutoFill" feature that wrote in fields such as email, address, phone number and sometimes credit card number on online forms was activated even if the user had never entered this data on a form before because it was grabbed from the operating system's address book.

A hacker could breach an iPhone owner's privacy in seconds and without their knowledge, Grossman found.

Grossman was still awaiting a response from Apple after informing it about the exploit on June 17.

Such malicious mobile apps would soon turn from a "trickle" to a deluge, Nadir said: "We've seen some prototype rootkits to capture user names and passwords and where people are trying to steal data, your address book, and any doc[uments] you have on the phone."

Symantec met this need with new tools such as Norton Connect so users could access their files stored on Symantec servers connected to the internet ("in the cloud" in boffin parlance) and Norton Smartphone (Mobile) Security to remotely find and erase their mobiles if they were lost or stolen.

"We want to make sure that if you lose your phone or your phone gets stolen you've got the ability to delete your own data or be able to lock the phone."

Strike the kill switch

Symantec was also moderating the bandwidth excesses of Android devices by alerting users to what the device was doing behind the scenes, known as "running-state detection", Nadir said.

"Android phones are really, really chatty. You have a lot of apps you're downloading, all types of things behind the scenes.

"I was in Paris for 20 hours and I left my [Android] phone on and they said I downloaded 1 Gb [of data]. I don't think that's true but I think it downloaded some amount of data at $15 a meg[abyte] that bill ends up being a lot of money.

"This has happened to a lot of people. They leave their phone on, they're like, 'I'm not going to make a call, I don't check emails because that's sucking up data' but they don't realise that behind the scenes it's [the phone] actually using data."

Nadir said the "kill switch" on the Norton mobile application was for when a web connection was unavailable, such as when travelling and a phone was left behind in a taxi. The owner could send a text message to the phone from a borrowed device to securely lock or erase the AWOL handset.

"If I was sufficiently paranoid I could actually wipe the data."