Mobile users may know better than to allow downloaded applications to access their personal data, but for those programs that don’t bother asking nicely, the problem may be more severe.
Leviathan Security Group’s Paul Brodeur created a test program that he sent to several Android phones and found that he was able to harvest personal data from the smartphones’ memory cards without ever asking the owner to give his program permission to do so. Brodeur found that allowing trusted applications to store information like passwords or account numbers, even if they appear encrypted to the user, may still create vulnerabilities if the device suffers a data breach. This highlights the need for smartphone users to move their sensitive data to secure online backup platforms or find a different data backup solution.
Applications willingly installed on a phone by a user may not ask for any permissions to begin with, but a University of California case study, ‘A Survey of Mobile Malware in the Wild’, discovered that, once downloaded, these programs will rewrite and gain access to root applications and can potentially hijack the device. The study found malware exploits were available nearly three-quarters of the time in Android applications, so online backups of data and removal of sensitive information from mobile devices are encouraged.
Last March, Google announced it had removed 58 applications from Android phones and its online marketplace, saying about 260,000 users were affected. More recently, a Trojan was detected in a cracked version of an Angry Birds Space application, according to mobile security firm Sophos. Downloading the game gives permission to a third party to put malware on the infected smartphone. Any data on the phone that hasn’t been backed up or is available on the phone is then compromised.
Google announced last year it had created a “remote kill” function to remove detected malware from phones without the user’s permission, but if phone owners don’t take the initiative and conduct data backups regularly, their information could be lost or stolen. While only allowing information from trusted sources may be a step in the right direction, the less downloading a smartphone has to do, the less permission it potentially has to lose.