by Al Sacco

Android Security Hole of the Week (and a Pile of New Mobile Malware Stats)

Mar 02, 2012 · 4 mins
Malware, Mobile, Mobile Security

An Android security flaw that could let malicious apps steal images from users' devices was uncovered within days of the release of some frightening new mobile security stats, which spotlight Android as the mobile OS of choice for attackers.

I could literally write a blog all about Android security. (Note to self: Check with editor about creating a blog all about Android security.) I’ve covered a significant Android security flaw at least once every month for the past six months. (A few of the recent links: 1,2,3,4) I rarely wrote about device security issues in the past when I used to cover RIM and BlackBerry almost exclusively, but I digress…


This week’s Android security flaw relates to third-party Android applications’ reported ability to copy images stored on users’ devices to remote servers without the owners’ knowledge or consent, as long as the apps have been granted access to the Web.

In other words, some random Android app could potentially swipe those sensitive images on your handheld that you told your girlfriend you deleted, according to The New York Times Bits blog, as long as you grant it Web access. Or malicious software could nab any other pictures you may not want in a stranger’s hands.

The vulnerability was discovered shortly after a similar security hole was identified in Apple’s iOS, which reportedly allows iOS apps to access images stored on Apple users’ devices if they grant those apps location-access permission—a fix is supposedly in the works.

Both recently discovered flaws coincide with some new mobile malware research released by security vendor Kaspersky Lab. Here’s a quick look at some of the most notable findings:

  • Threats targeting mobile devices increased more than 600 percent between 2010 and 2011.
  • In December 2011 Kaspersky identified more new malicious apps that target mobile devices than over the entire 2004-2010 period.
  • The most common mobile threat continues to be SMS-based Trojan attacks, followed by “backdoor” attacks that can give attackers full access to users’ devices, especially if those devices are “rooted.” Next up is mobile spyware, which steals users’ personal data or information related to their devices.
  • A ranking of the most targeted mobile OS software is as follows: Android; Java 2 Platform, Micro Edition (J2ME); Symbian; Windows Mobile; and everything else.
  • Last year, about 65 percent of new malicious mobile applications targeted the Android platform, compared with J2ME (27 percent), as well as Symbian (7 percent), and Windows Mobile (1 percent).
  • Kaspersky Lab breaks down all of the mobile malware it found for Android into two groups: threats designed to steal money or data; and threats designed to take control of infected devices.
  • More than 30 percent of malicious Android apps were created to steal personal data, with a nearly equal percentage of Android malware apps meant to gain control of users’ devices.

Yikes. Late last year, I predicted that 2012 would be the year when we start to see some very high-profile mobile-malware incidents, with a focus on Android, and just two months into the new year, that prediction seems to already be playing out.


Google wants you to think that Android is relatively secure, and it’s taking small steps to improve the overall security of its mobile OS. But these stats are tough to dispute. Android is now estimated to control right around half of the entire mobile OS market, and its share is only growing. I can’t help but wonder what exactly it will take to spark a major backlash against Android. I wouldn’t be surprised if whatever it is relates to mobile payments of some kind, or Google Wallet, since monetary theft of some sort would be sure to cause a major stir.

Whatever it is, I’m sure I’ll be covering the news right here in this blog. And until then, it certainly wouldn’t hurt to check out my Android security basics post, which was recently used as source material for an Android security app.

