Skip to main content

Information Technology News

Case Study 1: Android Mobile Device Security

Posted by on Monday, October 5, 2015 in News.

This is the first of a series of case studies to be released during October for National Cybersecurity Awareness Month. Vanderbilt IT will publish new case studies Mondays and Thursdays throughout the month.

In July 2015, a serious security flaw in Google’s Android operating system called Stagefright was disclosed, potentially affecting 95 percent, or 950 million, Android mobile devices. Stagefright is a set of seven vulnerabilities that allow an attacker to gain access to all data on a mobile device without the owner’s knowledge. An attacker would simply send a video text message (MMS) or get a user to play a malicious video on a webpage or download a malicious app. Many websites posted a quick workaround to disable a feature to auto-retrieve MMS, but many have failed to mention that users are still vulnerable until a patch is released by their device manufacturers or wireless carriers.

Stagefright is said to be the worst of all Android security vulnerabilities thus far, but concerns over data safety do not stop there. Researchers estimate that 96 to 98 percent of mobile malware is targeted at the Android platform. There have been more than 5 million threats found since early 2015, and more than 5 billion downloaded Android apps are said to be vulnerable to remote attacks.

Why Android is Targeted
Cybercriminals want an easy target with high profit. Android currently dominates the mobile device market share. With various vendors making customizations, centralized security is impossible. This forces informed users to take security into their own hands while others remain oblivious. Furthermore, Google lacks rigid regulations to control security in their Play Store, which allows malware to slip through occasionally. In addition, users can download apps from questionable third-party app stores that disguise malware inside popular apps.

Problems with Android Patches
The challenge centers on the support model for Android operating system. Although Google is generally quick to patch its code, the device manufacturers are responsible for downloading the code, applying the code to each of their product models, testing, and publishing the new updates. In many cases, the wireless carrier must then review, approve, and distribute the updates for smartphones. This process often takes several months, assuming that a patch will be made available in the first place. Due to market demands of having the latest and greatest and since consumers do not think about strong security or extended support lifecycles, there is little incentive for manufacturers to continue supporting and creating patches for older devices. The only way to protect yourself is to buy a new device.

What You Can Do
Here’s what you can do to secure your mobile device, whether you have an Android or another type of device:

  • Add a strong password to your lock screen.
  • Stay up to date with software and app updates.
  • Do not save passwords in browsers or apps.
  • Encrypt your device.
  • Only install apps from official app stores, and even then, only install apps from known/reputable companies.
  • Be careful what you click on and when opening texts, MMS, or emails—especially from unknown senders.
  • Do not connect to unsecured Wi-Fi.
  • Don not “root” or “jailbreak” your device.
  • Install antivirus.
  • Set up antitheft protection and be prepared to remotely wipe all data if your device is stolen.
  • Check the app’s permission requests before installing.
  • Use a web browsing protection app to block known malicious sites.
  • Replace your device if it is no longer supported.