In today’s digital era, smartphones and tablets are quickly becoming essentials for everybody. However, despite their increasing popularity, many people fail to take adequate security precautions with their mobile devices. Statistics show that roughly 75% of Americans do not use mobile security software. Moreover, approximately 36% of users do not have a basic PIN to secure their mobile devices. Therefore, it becomes imperative to understand the risks and take necessary precautions, particularly for Android users.

Android has, over time, become a popular target for hackers. Recently, McAfee Labs™ found that all new forms of malicious mobile software were solely designed to exploit vulnerabilities in the Android operating system. Multiple factors contribute to this increase in mobile malware. One of the major reasons is the exponential growth of the Android platform, which currently holds the largest share of the mobile marketplace. Naturally, cybercriminals are drawn to the size and potential for exploitation in the Android space.

Mobile Malware: Explained

Malicious mobile activity, particularly on Android devices, is generally driven by bad apps. These rogue applications come with a myriad of risks. They can access your contacts, sending them unwanted emails. They can track and record everything you do on your mobile device, leading to severe consequences such as data theft, keylogging, and unauthorized access to sensitive information like banking credentials. They may even hijack your device or distribute personal content without consent, posing emotional and reputational damage. 

In addition to individual risks, mobile malware can serve broader purposes, including espionage and geopolitical motives, often orchestrated by nation-states or hacktivist groups. These advanced persistent threats (APTs) may target specific individuals, organizations, or regions, posing significant damage potential. To protect against these advanced threats and prevent the proliferation of mobile malware, proactive cybersecurity measures, awareness, and safe online practices are indispensable.

→ Dig Deeper: 4 Mobile Malware Threats You Can’t Even See

Steps That Can Protect Your Android Device

While the extent of smartphone malware is currently less severe compared to desktop or laptop PCs, awareness of its existence can go a long way toward ensuring your data’s security. There are a few simple steps you can take to protect yourself and your data:

Begin by using a PIN to lock your device. Just as you would be cautious with your computer, always think twice before clicking on links, especially from unfamiliar sources. Ensure that you have web protection software installed which can help keep you from visiting malicious sites. When looking to download apps, remember to do your research. Reading the ratings and reviews can give you a good idea about the app’s credibility. Only download apps from well-known, reputable app stores to minimize the possibility of downloading a malicious app.

→ Dig Deeper: How Safe Is Your Android PIN Code?

During the app installation process, ensure you review what permissions the app is requesting on your device. Consider using an app protection feature that alerts you if an app is accessing data it does not require. Lastly, consider installing a comprehensive mobile security solution like McAfee Mobile Security. This type of software generally includes anti-malware, web protection, anti-theft, and app protection features.

Understand Your App’s Permissions

App permissions play a crucial role in this process. Android developers have the liberty to choose from over 150 different permissions that an app can access on your mobile device. Examples include turning on your camera to record images or videos, accessing all your contacts, and even accessing your IMEI code (a unique identifier for your mobile device). Therefore, it’s crucial to understand why an app needs to access specific information to prevent it from sending your personal information to potentially malicious entities.

With each download, apps request permission to access certain functionalities on your device. Unfortunately, these permissions can sometimes be used to compromise your personal data. For instance, an app might ask for access to your device’s camera, microphone, or location. While these permissions might seem harmless at face value, they can be exploited. Cybercriminals can potentially use these permissions to steal sensitive information or even engage in surveillance activities. That’s why it’s critical to cross-verify each permission an app requests and deny any that seem unnecessary.

For those unsure, consider asking the following questions: Why does this app need access to my contacts, SMS, or location? Is this access necessary for the functionality of the app? If you’re unsure, look up the app on online forums or ask for advice from trusted sources. Remember, it’s always better to be safe than sorry.

McAfee Pro Tip: Be careful when downloading third-party apps. Developers of third-party apps are not under the control of the OS owners and official application stores like App Store and Google Play, so they can have lower security levels. This enables advertisers and hackers to insert malicious codes within the app. Know more about third-party apps and how to check app authenticity.

Keep Your Android Device Updated

Another crucial measure to protect your Android device is to keep it updated. Software updates not only introduce new features but also fix potential security flaws. Hackers often exploit these security flaws to infiltrate your device, making updates a crucial part of your security toolkit. Regularly check for updates and install them as soon as they are available.

Google frequently releases monthly security patches for Android. These patches address various security vulnerabilities that have been discovered in the Android operating system. However, the responsibility for pushing these updates to individual devices lies with the device manufacturers and carriers. Ensure that you are aware of your device’s update cycle and prioritize installing these updates.

→ Dig Deeper: Why Software Updates Are So Important

Final Thoughts

Your Android device serves as a repository for a wealth of personal and sensitive information. As we continue to incorporate these devices into our daily lives, the need for stringent security measures has never been more urgent. While the world of mobile security might seem daunting, the right knowledge and a few preventive measures can help you avoid the majority of potential threats.

Start by locking your device with a PIN, be cautious about the links you click on, verify app permissions, ensure you download apps from a trusted source, and keep your device updated. Remember, your digital security is in your hands. Equip yourself with the necessary tools and awareness to navigate the online world safely. Lastly, consider investing in a comprehensive mobile security solution like McAfee Mobile Security to fortify your defenses against potential cyber threats.

The post Understanding the Risks of Using an Android Device appeared first on McAfee Blog.

Read More

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.

I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn’t verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn’t recognize my username and/or password.

A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.

The homepage said I needed to provide a Social Security number and mobile phone number, and that I’d soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian’s website would not balk. Regardless, users can simply skip this step by selecting the option to “Continue another way.”

Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer between three to five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we’ve previously lived at — information that is just a Google search away.

Assuming you sail through the multiple-choice questions, you’re prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you’re directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.

At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn’t a request seeking verification: It’s just a notification from Experian that the account’s user data has changed, and the original user is offered zero recourse here other than to a click a link to log in at Experian.com.

And of course, a user who receives one of these notices will find that their credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is recreate your account at Experian and steal it back from the ID thieves!

In contrast, if you try to recreate an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.

Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.

“To ensure the protection of consumers’ identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This includes knowledge-based questions and answers, and device possession and ownership verification processes.”

Anderson said all consumers have the option to activate a multi-factor authentication method that’s requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?

Several readers who spotted my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michican who works in the biotechnology industry. @Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to “manually enter my information.”

“I put my second phone number and the new email address,” he explained. “I received a single email in my original account inbox that said they’ve updated my information after I ‘signed up.’ No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number.”

The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.

“The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, ‘Welcome back, Pete!,’ and granting full access,” @PeteMayo wrote. “I feel silly saving my password for Experian; may as well just make a new account every time.”

I was fortunate in that whoever hijacked my account did not also thaw my credit freeze.  Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.

It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.

In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

More greatest hits from Experian:

2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

Read More