Android Phones Will Keep Getting Exploited, Researchers Say

Android is still the most attractive smartphone OS for malevolent hackers, so devices based on the platform will continue to get compromised, researchers said at Black Hat Europe Friday.

Mobile devices are loaded up with private data, a very attractive target for hackers, though not all information on a phone is useful. “They won’t go after 200,000 Yelp credentials, that wouldn’t help them much,” said Dan Guido, a researcher at information security company Trail of Bits, in a combined keynote with Mike Arpaia, security consultant with Isec Partners.

The researchers compared the attractiveness of Google’s Android mobile OS and Apple’s iOS platform for malware makers. As it turns out, Android is still by far the most preferable smartphone OS to target, according to data the researchers presented at the Black Hat conference, held this week in Amsterdam.

For malware makers to get anything out of attacking a mobile phone, the cost of exploiting the system has to be lower than the revenue gained, the researchers explained. The attacks also have to be easy and the risk of being caught has to be low. The attackers are most likely to go after bank credentials.

Trying to load malicious apps on an iOS or Android phone is the most likely method used by attackers, and that is easier with Android devices. Because iOS is a closed system, app developers have to sign up for US$99 and provide information including their real identity. If Apple were to discover a malicious app, the risk of the attacker being caught is high.

Apple employees review the code of all the apps that are submitted to the App Store. Even if an attacker managed to slip a malicious app through the initial review, Apple’s monitoring system is such that it would probably be pulled within a week. “Say what you will about police states, but they keep down the crime,” Guido joked.

This makes iOS unattractive. Android, on the other hand is cheaper and the risk of getting caught is lower. Google charges $25 for registration, a process that only consists of filling out an online form. “And nobody here has ever filled in false information in a Web form,” Guido said jokingly to the audience. In addition, Android allows runtime modifications, which iOS does not.

“Android definitely has a bad future in front of them, they going to keep being exploited,” Guido emphasized.

Does this mean that iOS is entirely safe? “There is no evidence of abuse by malware authors at all,” Arpaia said, adding that “security researchers don’t count.” Security specialist Charlie Miller has proven malicious apps can be uploaded to the App Store. However, according to Arpaia, it is highly unlikely that any malware maker will ever try that for real.

IOS users that jailbreak their phones are more vulnerable to malicious apps, said Guido. According to the researchers, all third party app stores used by jail breakers are targeted. Attackers also prefer jail broken Android phones.

Mobile security is the main issue at Black Hat Europe Friday, with four out of 12 keynotes devoted to the subject, mainly focussing on iOS and Android.

Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com