Leaving the front door unlocked is a risky move. And that risk is the same with smartphones running Android, Google’s open operating system. Android phones come with unlocked doors, allowing them to install applications found almost anywhere online.
But when downloading applications from somewhere other than the Google Play store, Android device users must be more cautious than ever, according to Juniper Networks third annual Mobile Threats Report.
People who create viruses and other malicious software, or malware, for mobile devices have targeted Android because it has become the dominant mobile operating system worldwide. Although Google cracks down on malware found in the Play store, other websites and stores are less likely to scan for malicious software.
“In the interest of building up their inventory, third-party app markets may have few – if any – barriers to entry for mobile application developers,” the report states. “That results in poor quality and malicious applications making it onto these online stores and, from there, onto Android devices.”
Karim Toubba, Juniper’s vice president for security products and strategy, said he expects third-party app stores to try to grow through increased marketing. That could expose even more users to dangerous apps.
At least 500 alternative app stores contain malware. About 3 in 5 are focused on countries where Juniper says Google Play isn’t popular, including Russia and China.
The most common thieves in these stores are apps that quietly send premium text messages. After the app gets a user's phone to send a text message to a special number, money gets routed from the user to whomever created the “SMS Trojan.”
The money transfer shows up as an extra charge on cellphone bills, but many cellphone subscribers miss the extra few dollars and cents. Juniper found that each successful attack earns malware creators about $10.
Updates to Android software have made such SMS attacks more difficult because users get a warning before a premium text is sent. But the latest version of Android is installed on just 32% of devices, though it was released in November.
Smartphone manufacturers must review Android updates, adapt them and test them. The extensive process can take months. Toubba said that’s not good enough.
“The operating system vendors need to be more diligent about collaborating with service providers to facilitate and automate the ability to push security updates to these devices,” he said.
Google did not respond to a request for a comment. Last month, Android's engineering director said developers are working to solve the security gap.
Juniper, Sophos, Lookout, McAfee and many others offer mobile apps to scan for malware.
Apple users who “jailbreak” their devices can also open devices' doors and download applications from third-party markets.