Top Tips for Mobile Users to Avoid Malicious Applications and Attacks

Posted September 5, 2018

All of us use – and love – our smart devices, which can make life much easier and sometimes more interesting. However, these helpful gadgets also make us more vulnerable than ever before: they share our information and open a virtual door into our lives.

The top piece of advice for protecting against malicious mobile apps is to always keep your operating system up to date, as security features are constantly being improved and new security patches are released. Also, rooting or jailbreaking your device makes you a much bigger target, as many of the checks and security restrictions built into the platform are then turned off.

Android devices are generally more vulnerable than iOS devices (iPhone, iPad, etc.), so take additional care over what you install on your device, even from the Google Play Store. Most people assume that if an app is published on the Play Store then it is safe to use. This is not always the case: many malicious applications only download the damaging part of their code after installation, once they have passed Google’s evaluation phase. If you are using an iPhone or iPad there is less chance of unknowingly downloading malware, but there is still a chance, so caution should also be taken.

Pointers for Android Users when Installing Apps

  1. Always keep your Google Play Store up to date, as it updates a set of libraries called the “Google Play Services API” which helps app developers detect malware and malicious apps.
  2. Before installing an app, read the set of permissions it requests and make sure those permissions make sense for the app’s functionality. For example, a food delivery app has no reason to access your contacts, and a video downloader app should not need access to your location.
  3. It is very important to remember that no ordinary application should need “administrator access”. If you grant administrator access to an application it can access everything on your device, including reading and sending text messages and making calls, and it can even prevent you from uninstalling it.
  4. When you want to install an application that has many competitors with similar functionality and you don’t know which one to choose, pay attention to the “Additional Information” section. There you can see who developed the app, how many installs it has, and so on, which can help you choose one from a trustworthy developer.
  5. Remember that if you are using Android 6.0 or higher you can revoke permissions whenever you want (unless you have granted administrator permission to a malicious app): go to Settings -> Apps -> App name -> Permissions and revoke the permission.
  6. You can also use this website to see whether an application has been flagged as malware. Please note that this website does not always have information about every application, as it is a free website and the people investigating applications do it as a hobby.

Installing an application is not the only way of being targeted. There are other basic strategies that attackers use to get at end users’ information, and these apply to all platforms: iOS, Android, Windows, etc.

Tips to Avoid being Tricked into Falling for Malicious Attacks

  • Never share your sensitive information via email. If you need to enter information such as credit card details, a security ID or a tax file number (Australia) online, check your browser’s address bar to make sure the website is the one you expect (your bank, etc.) and that the connection is trusted.
  • Be aware of phishing emails: these are one of the most popular ways of stealing credentials. An attacker impersonates a well-known company and sends you an email. For example, you may receive an email from “Google” stating that there is a problem with your Gmail account and that if you don’t verify your password using the link provided then your account will be closed. It is vital to check the sender’s address first, as most of the time the sender is not even from that company, which is a certain giveaway that the email is not genuine.
  • The second thing to remember about phishing is that big companies do not send you a link to verify your password; they ask you to go to their website and log in. If for any reason you receive an email with a link, pay attention to where the link actually points and check that it leads to the website you expect. Most suspicious emails say “Click here” instead of showing the actual link (mostly because they want to hide it). In this case, right click on the link, choose “Copy link address”, then open another tab or window in your browser and paste the link there to make sure it belongs to the website you expect.
  • Always have a backup of your data to limit the damage from ransomware attacks. These applications encrypt all your data and then the attacker demands money to decrypt it. Unfortunately, many of these attackers don’t even provide a decryption key after being paid, so it is safer to have a backup than to even think about paying them.
  • Beware of the adverts displayed as you surf the internet. Sometimes you will see a website that offers a great deal (e.g. a much cheaper price); however, many of those links are not genuine and use JavaScript to download a malicious application. If you want to give such a website a try, disable JavaScript and Flash in your browser beforehand.
  • Finally, the rule of thumb is that if something seems too good to be true, then it is most likely fake. If you receive an email saying you have won a lottery, don’t click any links; instead, check where you bought the lottery ticket. The same goes for emails from a wealthy person in Africa who needs help “transferring his money out of the country.” Be aware that it is almost certainly a scam aimed at stealing your information.
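
The “paste the link and check where it points” advice above can be automated. The following is an added example, not code from the original post or from ThreatMetrix: it extracts the host a browser would really connect to and accepts it only if it is the expected domain or a subdomain of it, so links that merely contain the brand name (as a prefix, or in front of an `@`) are rejected. All sample links and the `google.com` expected domain are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind a "verify your account" email might carry,
# each paired with whether it really belongs to the expected domain.
# The ".example" hosts are placeholders, not real sites.
SAMPLE_LINKS = {
    "https://accounts.google.com/signin": True,               # genuine subdomain
    "https://google.com.account-check.example/login": False,  # brand used as a prefix
    "https://google.com@login-portal.example/": False,        # brand hidden in userinfo
    "http://www.g00gle.com/verify": False,                    # look-alike spelling
    "javascript:void(0)": False,                              # not a web link at all
}

EXPECTED_DOMAIN = "google.com"


def link_host(url: str):
    """Return the host a browser would actually connect to, lowercased,
    or None if the link is not an http(s) URL. urlsplit() discards any
    'user@' prefix, so 'https://google.com@evil.example' yields evil.example."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    return host or None


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain itself or one of its
    subdomains. A host that merely starts with the brand name does not pass."""
    host = link_host(url)
    if host is None:
        return False
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def check_links(links, expected_domain=EXPECTED_DOMAIN):
    """Classify each link; returns {url: (host, belongs_to_expected)} for review."""
    return {u: (link_host(u), belongs_to(u, expected_domain)) for u in links}


if __name__ == "__main__":
    for url, (host, ok) in check_links(SAMPLE_LINKS).items():
        verdict = "matches" if ok else "DOES NOT match"
        print(f"{url:50} host={str(host):30} {verdict} {EXPECTED_DOMAIN}")
```

Only the host is compared; a matching host still says nothing about the page content, so the check is a filter for obvious fakes, not proof that a link is safe.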

Samin Pour

Senior Developer, ThreatMetrix