Smartphone applications seem to be a popular target of hackers of late. According to a report published by G Data in 2015, 574,706 different Android malware strains were found in the third quarter, and by the end of that quarter, more variations had been counted for the year than in the entirety of 2014. The third-quarter numbers, in fact, rose by 50 percent year-over-year, leading many to ask the question: How safe is my phone? How do we combat this malware?
Some of these malware strains get more time in the limelight than others. Now, according to Trend Micro researchers, there seems to be an exploit involving a particular flashlight app for Android smartphones. This app is called Super-Bright LED Flashlight, and when users launch the app, it opens a webpage that alerts them that their devices are infected with malware and that the batteries may be broken. The page then suggests to the users that they should download an anti-virus app on their phones.
The flashlight app has already been downloaded 6 million times, according to Trend Micro researchers. This means the malicious app has been a headache for users around the world, and a lot of them have left scathing reviews in the app store.
This isn't the first time such an exploit has been found in an Android flashlight app. PCMag's Max Eddy wrote in April 2015 that a similar threat had been discovered. This bit of malware took control of the unwary user's phone by requesting total access to the device and then hiding its app launcher, making it nearly impossible for less savvy users to uninstall.
"When the victim goes to install the flashlight app, it requests superuser access," Eddy wrote. "The practical upshot is that when it's installed, the app has far more control over your phone than the average app, or even the average user. Unsurprisingly, the app does not include any warnings – in the app or the stores where it's available – that it will be attempting to gain root access on your phone."
The prevalence of this kind of malware – inside flashlight apps, of all places – is no doubt disheartening to smartphone users. However, they're not the only potential victims of such a scam.
Not just a personal problem
Malware and ransomware are insidious problems for smartphone users themselves, but there may be consequences beyond annoyance or financial burden for the affected people. If their phones are connected to a corporate network at their places of employment, they may run into a problem wherein malicious code infiltrates their companies' systems. Bring-your-own-device policies have allowed users to bring their smartphones and separate operating systems into their work environments, but what happens when a device on that specific network becomes infected?
BYOD has skyrocketed in recent years, and as a result, so has shadow IT. The latter is characterized by employees bringing in technologies and software tools that remain unknown to their IT departments. Shadow IT is becoming more of a problem day by day for businesses, and a lot of that has to do with security. How are you supposed to defend against something you don't even know is there?
The fact remains that CIOs are woefully unaware of the amount of shadow IT running on their networks. In a 2015 study, for instance, Cisco found that CIOs estimated there were 51 cloud services running within their organizations, when in fact the number was closer to 730. This is simply an example of how in the dark CIOs are when it comes to the technologies running on their networks – and how critical it is for organizations to take steps to prevent security breaches from malware that's been downloaded to employees' devices.
Limiting employees' use of smartphones won't have an impact on their overall usage in the workplace. In fact, according to CIO, a 2015 poll of government employees showed that half of them claimed to use their personal devices to access email, and 49 percent used smartphones to download work documents. This includes those employees at agencies with rules against using personal devices at work – 40 percent of them just did it anyway.
"Mobile devices are indeed a blind spot for government," Bob Stevens, the vice president of federal systems at Lookout, the company that conducted the survey, told CIO in an email. "While some of that is based on naivety, I think we'll start to see reality set in as mobile threats become more sophisticated."
Next steps for smartphone users
There are countless "how-to" articles on the internet that detail how you can detect whether or not your phone has been hacked, but what about preventing intrusion in the first place? It's important to be able to use your smartphone safely, and if the very apps you use are providing key personal data to outside entities, who can say how safe you are? What can smartphone owners do to ensure that their devices – that they paid good money for – aren't being exploited by hackers via ransomware or other malicious programs?
One of the best ways to make sure your system is protected against malware is by upgrading the OS when new patches come out. The G Data report noted that only 20 percent of Android users are using the most updated version of the mobile operating system. Updates include patches to fix key vulnerabilities and can carry critical cyber security information within them, so users who aren't using the most recent version of their phone's software are playing with fire.
Malware creators will try to get their hands on your data however they can – including through seemingly innocuous programs like the flashlight app. It's essential to make sure you're taking precautions when downloading apps – and it's also important to make sure you have backup cyber protection in place in case malware infiltrates a company network. Running security solutions like the mobile security product offered by Trend Micro can be another way to improve protections on your smartphone.
The bottom line is: Be cautious when you're downloading new, free apps onto your devices, and make sure your network is protected.