
Smartphone security threats plague Android and iPhone alike

As the global smartphone market slows, it's becoming readily apparent that the rise of smartphone security threats isn't slowing -- and no OS is safe.

Statistics published by IDC Thursday forecasted smartphone growth to slow to 11.3% in 2015, down from the 27.6% growth rate of 2015.

But even though the growth curve for smartphones may be flattening, the news this week suggests that security threats faced by smartphone users are holding their own.

Using a smartphone to … track train riders?

A non-peer-reviewed article published this week by Chinese researchers Jingyu Hua, Zhenyu Shen and Sheng Zhong from Nanjing University claimed train riders can be tracked by data emitted from their mobile device's accelerometer.

"When a person takes the metro," the paper reported, "a malicious application on her smartphone can easily use accelerometer readings to trace her."

"While this attack is very effective," the paper noted, "the supervised learning part requires the attacker to collect labeled train data for each station interval, which is a significant amount of effort."

However, researchers tested their theory on a railroad system in a "major city" and claimed they achieved accuracy rates of up to 92%.

"The cause," researchers wrote, "is that metro trains run on tracks, making their motion patterns distinguishable from cars or buses running on ordinary roads. Moreover, due to the fact that there are no two pairs of neighboring stations whose connecting tracks are exactly the same in the real world, the motion patterns of the train within different intervals are distinguishable as well. Thus it is possible that the running of a train between two neighboring stations produces a distinctive fingerprint in the reading of the 3-axis accelerometer of the mobile device, leveraging which attackers can infer the riding trace of a passenger."

The researchers discovered that accelerometer tracking is "more effective and powerful" than using GPS or cellular networks to track train riders because the latter options lose reception and service when a train runs underground.

However, the researchers noted that for the attack to be successful, malware has to be written to infiltrate a target device and read and upload its accelerometer data.

To defend against the threat, researchers suggested users be aware of apps installed on their mobile devices and the permissions granted to access sensor data. Blending noise into sensor data could also prevent attackers from eavesdropping on accelerometer data. Additionally, researchers noted, such malware would consume a great deal of power, making it "highly possible" for users to know it is operating in the background.

Don't trust remote wipe … it doesn't always get the job done

When users get rid of a smartphone, it is recommended they do a factory reset or remote wipe to purge personal information from the device before recycling, selling or donating it. Though destroying the device is the only known way to remove confidential data from a smartphone, remote wipe has been the go-to option for years, despite skepticism and potential risks.

However, research published this week by Cambridge University security researchers found an issue with the factory reset option of Android smartphones from five vendors running Android Froyo 2.3 to Jelly Bean 4.3, which researchers estimated could affect up to 500 million devices.

In "Security Analysis of Android Factory Resets," Laurent Simon and Ross Anderson disclosed that of the 26 devices they tested with remote wipe, Google tokens were recovered in all devices, and the master token was retrieved 80% of the time. Tokens for other apps, including Facebook, were also accessed. In addition, the researchers were able to find email on 80% of the devices as well as some "conversation" data -- such as SMS and chat -- on each device tested.

Anderson explained in a blog post that while newer Android smartphones fare better with factory reset than older ones, "vendors need to do a fair bit of work, and users need to take a fair amount of care."

Mobile anti-malware is … anti-smartphone?

In addition to their paper on Android factory resets, Simon and Anderson published a second paper this week that takes an in-depth look at consumer-grade anti-theft features on Android anti-malware apps.

Studying the top 10 mobile anti-malware apps with anti-theft functionality (remote wipe and remote lock), the researchers found not only flaws that undermine the security claims of the mobile anti-malware apps, but also that the remote lock functionality is often unreliable due to poor implementation practices, Android API limitations and vendor customizations. The researchers also concluded that mobile OS architectures rarely allow third-party apps to improve on built-in factory resets, making mobile anti-malware anti-theft features essentially ineffective when used on a device with a flawed built-in remote wipe.

Anderson wrote in a blog post that mobile anti-malware vendors "have struggled with a number of design tradeoffs, but the results are not that impressive … these failings meant that staff at firms which handle lots of second-hand phones (whether lost, stolen or given to charity) could launch some truly industrial-scale attacks."

Modify Android apps with the click of a link

Researchers from Trend Micro Inc. published details Wednesday of a vulnerability in the Apache Cordova framework allowing attackers to modify the behavior of Android apps when a user clicks a URL.

Cordova is a set of APIs that lets mobile app developers access native device functions, such as cameras and accelerometers, from apps written in HTML, CSS and JavaScript. The majority of Cordova-based apps, which account for 5.6% of apps in the Google Play store, are prone to attack.

Trend Micro privately disclosed the vulnerability to Apache; CVE-2015-1835 affects all versions of Cordova up to 4.0.1.

Apache confirmed the revelation in a security bulletin, patching the "major" security issue in its Cordova Android 4.0.2. Apache recommended all Android apps built using Cordova 4.0.x or higher be upgraded, and all older Cordova versions updated to 3.7.2. Cordova on other platforms is not affected.

According to Trend Micro researchers, after a user accesses a particular URL on the stock browser, attackers can insert unwanted code into Android apps not having certain values set in Config.xml.

If exploited, attacks can tamper with app appearance; inject popups, texts and splash screens; modify basic functionalities and even crash the app.

iPhone crashing? Thank that text from your 'funny' friend

The iPhone text seen 'round the world caused quite a stir this week, despite its non-malicious nature. The issue, first posted on Reddit Wednesday, is caused by a particular string of text from either another iPhone user or even an Android device. Once infected, a device will continuously crash and reboot as long as the victim is not viewing their message history at the time the troublesome text was received.

According to The Guardian, it also affects the Apple Watch, iPads and Macs.

Reddit user /u/sickestdancer98 said the flaw is caused by how banner notifications process Unicode text; the banner "briefly attempts to present the incoming text and then 'gives up', thus the crash."

To fix the issue, users have suggested:

  • Having the person who sent the text send another message (effectively cancelling out the bad text);
  • Sending yourself a message from Siri, the share sheet or a Mac; and,
  • Sending a photo to the contact via the Photos app, which will allow the user to access message history and delete the conversation.

Apple told 9to5Mac it is "aware of an iMessage issue caused by a specific series of Unicode characters and we will make a fix available in a software update." The release for this update is currently unknown.

What's next? Android ransomware

On Tuesday, Romanian security software vendor Bitdefender published details about a new strain of Android ransomware that delivers a fake FBI warning to victims.

The malware poses as an Adobe Flash update and installs on smartphones as a video player. When the user tries to run the video player, the device and its contents lock and a spoofed FBI warning appears, telling users they have violated the law by accessing sites with pornographic content. Attackers demand $500 ransom be paid via PayPal, My Cash or MoneyPak. If users try to unlock the ransomware themselves, the ransom increases to $1,500.

Bitdefender researchers detected more than 15,000 spam emails containing the malicious download originating on servers in Ukraine. To make the hack seem legitimate, hackers have also "added photo captures of so-called historic sites previously visited."

The malware -- a variant of Android.Trojan.SLocker.DZ -- disables smartphone "home" and "back" buttons; powering down and restarting the device will not remedy the issue.

In certain instances, Bitdefender researchers found that devices with the Android Data Bridge enabled can manually uninstall the malicious app. Users can also try starting the device in Safe Boot mode, which runs a minimal Android configuration and should allow time for the user to uninstall the malware manually.

However, researchers also noted that prevention is key to avoiding smartphone security threats. For example, never install unknown apps; back up data in the cloud or on an external device; scan smartphones with anti-malware often; avoid risky browsing behavior and use a spam filter to reduce the possibility of clicking or downloading malicious content.
