There's a good chance Android device owners will download malware from Google Play, McAfee claims.
On Tuesday McAfee pointed out the obvious in its first-ever "Mobile Security: McAfee Consumer Trends Report": that Google Play houses "risky" apps. The security firm also reports that cyber-criminals like to prey on children by luring them with links to popular apps listed in non-Google Play stores, only to serve up a plate full of malware instead.
According to McAfee, 75-percent of malware-infected apps downloaded by the McAfee user base were acquired from Google Play, showing that criminals are going to great lengths to insert attacks into trusted sources. That's a frightening thought considering that McAfee customers are apt to be more security conscious than the average consumer.
"The average consumer has a one in six chance of downloading a risky app," McAfee said. "Nearly 25-percent of the risky apps that contain malware also contain suspicious URLs, and 40 percent of malware families misbehave in more than one way."
McAfee defines a "risky" app as one that steals personal information (banking, email etc.) and combines that with the location data to compile a complete picture of the victim. A "risky" app also perpetuates fraud like SMS scams that charge your credit card or wireless bill without prior approval. It also abuses a device by making it part of a criminal bot network, which allows someone to remotely control your phone.
The report also states that mobile drive-by attacks, which were first spotted last year, will increase in 2013. These will fool mobile devices owners into downloading a malicious app without knowing it. Once the app is opened, the hacker gains access to the device.
McAfee also reports that hackers will begin to take full advantage of the new NFC technology this year. This tech is handy in making quick payments at the counter, or wirelessly exchanging photos or other media with friends with compatible devices. But hackers see another use for NFC, executing a sinister "bump and infect" attack to distribute malware.
"This scam uses worms that propagate through proximity," the report states. "The distribution path can quickly spread malware through a group of people such as in a passenger-loaded train or at an amusement park. When the newly infected device is used to “tap and pay” for the next purchase, the scammer collects the details of the wallet account and secretly reuses these credentials to steal from the wallet. Worm malware like this will spread by exploiting vulnerabilities on devices. This development would monetize the 11.8-percent of malware families that already contain exploit behaviors."
McAfee provides the full report in PDF format here. The firm also provides tips on how to stay safe from mobile threats which are listed here.
Defining a "risky" app as one that steals (uses) personal data and location data. Well that rules out 99.9% of all android and iOS apps as "risky."
Drive by app installs? Don't turn on third party app installs, your not supposed to unless you know what your doing.
NFC hacking to distribute malware? I think not. Possibly a NFC "hack" like putting a fake card reader over a real care reader to steal the data, but not for malware distribution. It would take so long to distribute malware in this fashion that no one would bother.
Every iOS app I install asks me the first time I run it if it can use location data...not so when I had an Android device. If this was said about Apple's app store people would be slamming Apple left and right but because it's about Google they are defending it...typical on here.
And yes I think so about NFC hacking. It was proved at the Blackhat convention last year with a demonstration.
I still have to meet someone (anyone) that has an infected Android-based phone.
Every android app lists its permissions needed on installation as well, and if the permissions ever change the app will not update until you manually accept the changes. If you weren't wearing apple shaped blinders you might have known this, but instead you covertly (and inaccurately) slam Google for their "bad" business practices.
Also, a quote from Charlie Miller from said blackhat NFC hacking demonstration
"the range was limited to contact in which the attacking device was 1-2 inches away or touching the targeted device."
I'm not sure about your practices, but if someone other than me has their hand or any body part with direct contact to my phone, then it was just stolen. At which point why would you even bother with NFC when you can just ssh/adb the phone instead?
While NFC has its vulnerabilities, the attack type quoted "bump and infect" would be so completely restricted in scope that no one would bother making one. If you write malware, you always aim for the biggest target, not the smallest that also actually requires you to physically be at the scene of the crime....
I understand how this logic doesn't make sense to you though, being a continual Apple user your logic stopped working when the iPhone 4 came out.
So many fails.
People are not defending Android, they're saying McAfee is full of S.
Android tells you in much more detail what an app wants permission to do. iOS asks you about one thing in a more obvious way, and you think you're safe.
No-one says NFC hacking is impossible. Someone stated their opinion that it's impractical.
No thank you,
I second that! Yes the program lists its permissions, but they all want almost complete access to your device. Every game wants location data and phone call state and so much more. Most people just blindley install because Android is so great (yeah right). I have very few items on my phone because of all the permissions they require. I can't speak for Apple devices as I have never owned any.
Ah, hahahahaha
"Yes, we employee murderers, but that NASTY Android has apps on the Playstore that are invasive! It doesn't matter that people are stupid and just click OK without reading the permissions first! We'd be out of jobs and in jail if people actually bothered to read before they clicked I Agree!"
Source: ExxonMobil.
Tom's is honestly becoming a sorry excuse for journalism.