The FBI's Internet Crime Complaint Center has recently issued a warning about Android malware, citing two new malicious applications and how they can cause all sorts of havoc to the unsuspecting user. From the IC3 page:
Loozfon is an information-stealing piece of malware. Criminals use different variants to lure the victims. One version is a work-at-home opportunity that promises a profitable payday just for sending out e-mail. A link within these advertisements leads to a website that is designed to push Loozfon on the user's device. The malicious application steals contact details from the user’s address book and the infected device's phone number.
FinFisher is spyware capable of taking over the components of a mobile device. When installed, the mobile device can be remotely controlled and monitored no matter where the target is located. FinFisher can be easily transmitted to a smartphone when the user visits a specific web link or opens a text message masquerading as a system update.
Loozfon and FinFisher are just two examples of malware used by criminals to lure users into compromising their devices.
While we applaud the intent of the message -- keeping users safe -- the mechanics and facts are sorely lacking. Both examples involve "phishing" the user, or tricking someone into clicking something. These apps aren't just flying around in space looking for your phone. And there's a big difference there.
Case in point -- one of the popular methods of propagation for the Loozfon malware that wasn't mentioned involves a promise of meeting wealthy Japanese men. Presumably, you can meet these men by clicking a link in an unsolicited message or on a web page. Protip -- you won't. Don't click them. The FinFisher malware gets even trickier: as the FBI mentions, the user is promised a system update if they click a link. In reality the user gets a variant of a corporate trojan written by professionals with ties to law enforcement.
The FBI also gives a lengthy list of precautions to take to keep your phone safe, and we have to agree with them. Common-sense items like not clicking unknown links and password-protecting your phone are a must. Yet they forgot the most important one:
Applications cannot install themselves after they have been downloaded.
Even if you've clicked and downloaded one of these malicious apps, you still have to ask to install it, agree to the permissions it requests, then OK the entire process. Until that happens, it's just a file that can do no harm. There are two real pieces of advice we can give here -- read what you're installing, and pay attention to what you click.