It was reported last week that certain Android phones manufactured in China are shipping with pre-installed malware. Worrisome enough are the risks associated with downloading apps from uncurated stores, but pre-loaded malware presents a whole new set of anxieties to privacy concerns in the mobile space.
The devices are infected with the Uupay.D Trojan, which poses as the Google Play Store app and runs in the background of a corrupted phone, stealing data and sending it to an anonymous server based in China. G DATA, the German security firm that discovered the malware, explains the threat:
The spy function is invisible to the user and cannot be deactivated. This means that online criminals have full access to the smartphone and all personal data. Logs that could make an access visible to the users are deleted directly.
Security vulnerabilities associated with Android aren’t new. The Google platform is home to 99 percent of mobile malware according to Cisco’s 2014 annual security report. In F-Secure’s most recent quarterly Mobile Threat Report, it found 277 new cases of malware. All but two of those targeted Android users.
Last year, the Department of Homeland Security and the FBI released a memo identifying the dangers of the Android operating system due to its architecture. It specifically warned about malicious code posing as Google Play apps like Uupay.D. Last month, the Federal Trade Commission requested guidance on its Mobile Security Project, and many that responded expressed concerns about Android’s security weaknesses.
But what do you do when the malware is baked into the phone? In this scenario, users have no way to remove code that criminals can use to secretly install malicious software. The phone’s default status opens up consumers to an array of exploitive behaviors including banking fraud, interception and recording of sensitive information, and the stealing and selling of data.
The case G Data has uncovered highlights the importance of platform choice. Smartphones and their corresponding apps continue to integrate into our daily lives – providing key services for our health, children, finance, travel, social lives and more. It is essential that consumers have confidence that their sensitive information is secure. There is no greater threat to the mobile ecosystem than lack of trust.
Aggressively curated stores are demonstrating much better results. Despite China consistently ranking as the top source for malware, the country has become a key market for the Apple App Store. According to industry research, iOS App Store revenue grew around 70 percent quarter-over-quarter in China in recent months. U.S. companies are finding that Apple’s curated platform is providing a secure marketplace that consumers can trust throughout the world.
The issue is simple: platforms have a responsibility to their users. If Apple can provide a safe place for consumers — even in China — Google should be doing more to protect Android users here at home. It is critical for the future of the mobile marketplace that consumers have confidence in security measures taken by developers, platforms, and industry leaders. When a single platform hosts 99 percent of the world’s mobile malware, it’s time for someone to get serious about consumer security.