The security stakes only seem to be rising when it comes to the threats that affect us as modern-day consumers.
Over the past year, we have seen a list of notable mobile threats that put people’s privacy at risk. Previously unseen vulnerabilities surfaced, such as Certifi-gate and Stagefright, both of which can be exploited to spy on users. Certifi-gate put approximately 50 percent of Android users at risk, and Stagefright made nearly 1 billion Android devices vulnerable to spyware. In 2015, for the first time, cybercriminals were able to attack users on a vast level.
Another mobile threat on the rise in 2015 was mobile ransomware, using asymmetric cryptography, making it nearly impossible to recover the encrypted data on a smartphone. The most common mobile threats in 2015 were adware — often apps disguised as fun gaming apps that provide little value and spam users with ads. We believe that 2016 will be the year in which we see threats moving from smartphones to smart homes — and beyond.
Android Mediaserver vulnerability looks similar to the Stagefright bug.
Android owners may recall the Stagefright bug, the “worst ever Android vulnerability yet discovered”. That malware exposed a billion (that’s nearly every) Android device on the face of the earth to malware.
The latest critical bug has similarities to Stagefright, but exists in Android’s mediaserver. Google warns that an attacker could use the bug to remotely run malware hidden in video or audio.
In an announcement published in the Nexus Security Bulletin for January, Google said it has fixed 12 vulnerabilities affecting Android versions 4.4.4 to 6.0.1. Five are rated as critical security bugs. Partners were notified about and provided updates for the issues on December 7, 2015 or earlier, said the post.
“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”
How to protect yourself from the Android bug
For nearly 10 years, AT&T has been bringing an annual developer conference to their partners and collaborators. This year, they creatively chose to combine their conference with a hackathon in order to encourage the participation of budding developers and to support young talent in achieving career-related goals.
This year’s conference and hackathon, which took place on January 2-5 in Las Vegas, Nevada, was packed with an array of topics split into six main sessions: devices and wearables, IoT, real-time communications, video, network advances and the connected home.
I’ve put together several of the sessions that stood out to me as especially relevant to the evolution of today’s technology.
Yesterday, we walked you through a set of our 2016 predictions in regards to home router security, wearables and the Internet of Things. In addition to these important topics, mobile threats are not something that should be ignored as we move into 2016.
“Most people don’t realize that mobile platforms are not really all that safer or immune from attack then desktop platforms,” said Ondřej Vlček, COO of Avast. “Most people use mobile devices in a more naive way then they use a PC because they just don’t understand that this is a full blown computer that requires caution.”
Hackers have done their homework to prepare for the new year
Over the course of this year, we’ve seen a list of notable mobile threats that jeopardized the privacy and security of individuals. Our own mobile malware analyst, Nikolaos Chrysaidos, has a few ideas about several issues that could crop up in the new year:
Your home and the devices in it will be a viable target for cybercrooks in 2016.
Back in the good ol’ days of the early 2000s until just a few years ago, all we had to be concerned about was security on our desktop computers and laptop. In the intervening years, mobile devices have become so ubiquitous that hackers have turned their sights on them, especially Android devices.
But starting in 2015, everyone began to realize just how close to home cybersecurity really is. Home networks are the new gateway, and 2016 will be the year that vulnerabilities in the Internet of Things (IoT) and wearable devices combined with weak home router security will lead to personal attacks.
The weak link is your home router
“The security situation with home routers is actually pretty bad,” Ondrej Vlcek, COO of Avast told Fast Company. “Most of the companies do a relatively good job of . . . patching the vulnerabilities, but the problem is that no one updates the firmware in the routers. The user doesn’t at all, and usually the ISP doesn’t either.” He added that we saw the most attacks on routers by far in 2015.
“Right now, attackers are targeting routers en masse,” said Pavel Sramek, an Avast Virus Lab research analyst. “It’s highly probable that they’ll expand their target list to network-attached storage and “smart” TVs as well, since the security aspect of these devices has been almost completely neglected by their manufacturers so far.”
“Many of the companies and engineers don’t really think about security,” says Vlcek. Data, for example, is often transmitted without any encryption, making it easy to steal or fiddle with.
Since this is the time of year to look forward, I asked several of our Avast Virus Lab research analysts about what to expect in 2016 for home networks, wearable devices, and all the gadgets that make up the Internet of Things.
Avast Wi-Fi Finder saves your data and roaming fees by locating safe and reliable connections.
Everyone loves free Wi-Fi. You can surf the web, check your email or newsfeed, make Skype video calls across the world, or stream games, movies, and music – without eating up your data plan. That’s a great deal! Or is it?
The problem with free Wi-Fi hotspots is they can’t be trusted to be safe and keep your data secure. Cybercrooks can eavesdrop on your conversations and even break in to steal personal information.
When you need to find safe Wi-Fi, use Avast Wi-Fi Finder
Our new mobile app, Avast Wi-Fi Finder, lets you instantly search for available networks on the map or browse through a list. Wherever you are in the world, you can always find a safe connection, because after a successful beta test, we launched the app with nearly 800,000 networks in our database. The more people who use Avast Wi-Fi Finder, the bigger and better that database will become.
Traveling can be stressful, but even more so during the holiday season. AAA projects that the number of year-end holiday travelers in the U.S. will top 100 million for the first time on record. Nearly one in three Americans will travel this holiday season and more than 100.5 million are expected to travel than 50 miles or more from home.
The one thing you really want to make sure you protect while you travel is your smartphone. Not only may you have your boarding pass on your smartphone, but more importantly, the hardware is expensive and it most likely contains a plethora of personal data.
There are two main ways your phone could be compromised while traveling, especially during the holidays: physical device loss and network threats.
Have an anti-theft app installed
Airports and train stations will be bustling with people, you may have to dash to catch a flight or make a pit stop during a long car ride. In all of these situations, your phone is at risk –physical risk. Pickpockets prefer to work in high density areas, and it’s easy to lose things like your phone when you’re in a rush.
By using some retailer’s apps to make your holiday wish list, more people than just Santa Claus can see your list. In fact, it may be accessible to anyone over the Internet!
America’s most popular retailers collect more information about you via apps than you may be comfortable with.
Recently, the Avast Security Warriors began looking into shopping apps to see what your favorite retailers know about you. They found that these apps, like many other apps out there, collect data and request permissions that are unnecessary for their app to function properly.
Initially, we were curious to see what retailers wanted to know about their customers based on the data they collect. We randomly chose apps from the following retailers: Home Depot, J.C. Penney, Target, Macy’s, Safeway, Walgreens and Walmart. In this blog post, we focus on Target and Walgreens.
You’re making your list and Target is checking it twice!
If you created a Christmas wish list using the Target app, it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and email addresses. But your closest family and friends may not be the only ones who know you want a new suitcase for your upcoming cruise!
David Vávra is our team’s talented Google Developer Expert (GDE) for Android. Throughout this autumn, he attended a collection of valuable Android conferences. In this post, David walks us through his experiences and outlines his most interesting takeaways from the conferences.
Droidcon Stockholm (September 3-4)
Droidcon Stockholm was a two-day event held in Debaser Medis, a classic rock club in Stockholm. As you might imagine, it proved to be an interesting venue for a tech conference! The organization was a little more “punk” than most other conferences, but the conference was still jam-packed with talks containing strong content and served as a great opportunity to network with fellow industry professionals. Fun fact: Czech beers are quite popular in Stockholm. We visited a place where they served five different Czech beers on tap.
One talk that I found to be especially useful discussed building Android SDKs from Fabric, a platform for mobile developers from Twitter. It was also interesting to take a closer look at Spotify’s automated testing environment in a talk Sustainable test automation. As for me, my presentation at the conference dealt with Android TV development. All the Droidcon talks can be found here.
An Avast team calling themselves the Security Warriors, comprised of intra-departmental specialists, are running experiments in the streets of San Francisco. They spent a few days setting up the first of them and have already gathered some interesting statistics. In Filip‘s words, here is what they have done so far and what they want to achieve.
One of our first experiment’s objectives is to analyze people’s behavior by seeing how they have their devices preset in terms of outside communication. We didn’t have to go far to find out – it’s pretty disturbing. Currently, we have a variety of devices prepared for different traffic experiments but now we are using them for one really easy target – to analyze how many people connect to a fake hotspot. We created fake Wi-Fi networks called Xfinity, Google Starbucks, and Starbucks. From what we’ve noticed, Starbucks is one of the most widespread networks here, so it’s pretty easy to get people’s devices to connect to ours.
What is the problem we’re trying to point out?
Once your device connects to a known SSID name at your favorite cafe, the next time you visit, it will automatically try to connect to a network with the same name. This common occurrence becomes a problem because it can be misused by a hacker. Read more…