Is A Mobile Virus Coming To Get You?

Is A Mobile Virus Coming To Get You?


 Is my smartphone going to get a virus?

Chances are you’ve seen some sort of warning about mobile phone viruses. Mobile malware is on the rise, we’re told.

There are literally millions of viruses being released and if you don’t buy software to protect yourself, your phone will be looted for its personal data, used to call premium rate numbers until your bill maxes out, or even explode in your pocket.

Reality check

  • The chances of you getting a virus on your mobile phone is very, very small
  • Yes, there’s mobile malware (the more generic term for ‘nasty software’) out there, and lots of it, but you probably won’t come across it
  • Be very suspicious of scary virus alerts
  • But that doesn’t mean you can ignore the threat either.

What mobile malware is out there?


In general, there are three broad kinds of malicious software. First there’s the kind which just tries to break stuff – electronic vandalism, basically. That’s old-school malware, and we don’t see much of it. The second kind tries to make money by subverting your phone.

It’ll make calls or send SMS messages to premium-rate numbers, reset your browser homepage to a site which displays ads (thereby generating ad revenue). And lastly there’s the kind which steals information – passwords, contact details, financial info. That data will either be sold on the black market or used for identity theft.

I hear all these scary numbers…

Oh, yes. You might have heard that there are multiple millions of mobile viruses in the wild. That 97% of them are found on Android devices. That the average user has dozens of potentially malicious apps on their phone.

Take a deep breath.

This is the antivirus industry doing what it’s done for years – exaggerating the threat to scare people into buying protective software. And because it wouldn’t look scary if the numbers were ever adjusted downwards, they just keep going up, year after year.

Every phone manufacturer has stringent security checks in place to prevent malicious software getting into their app stores. And while those checks aren’t perfect, they’re pretty good. There are drastically few outright malicious apps in official app stores. If you stick to those apps, you’re probably mostly fine, with some caveats that we’ll get to in a moment.

The vast majority – 99,9% of the malicious apps – are found in unofficial app stores. And which platform supports unofficial app stores? Android. Ergo, all the malware is on Android.

If you go out of your way to find third-party software – tick the ‘allow software from external sources’ setting, then click through the security warnings, then go looking for alternative software, then install it (again clicking through security warnings) – then yes, you might get a virus. But you’ve kinda asked for it, to be frank.

Those app stores aren’t rogue operations – they often serve parts of the world where there isn’t local support for developers. China and Russia have been notable hotbeds. A common technique is to repackage a popular app like Angry Birds, add something malicious, and distribute it there. So it’s genuinely tough luck for those users, but unless you’re side-loading software from a Chinese app store, you’re probably ok.

So I’m ok?

Unfortunately, there’s another risk, and this one’s real.

App stores block malicious software from getting to your phone, but they can’t protect you from yourself. If you install an app and give it permission to send SMS messages, then that’s what it will do. The app store won’t block that – it’s doing exactly what it said it would do.

So check those permissions. If you don’t know why an app needs a permission, either disable it or find an alternative app.

Be judicious about it: Big mainstream apps like Facebook and WhatsApp do ask for a sweeping set of permissions and while there are privacy concerns there, they’re not likely to conduct a malware attack.

But less popular apps with questionable permissions are best avoided. Only you can protect yourself from this risk, and most people are unfortunately very trusting when it comes to apps.

When to believe and not believe the alerts

Antivirus companies are guilty of overhyping the threat, and you should take their warnings with a pinch of salt, but they’re not actually malicious. Not so are the fake virus warnings, and those should be avoided like the plague. I’m sure you’ve seen them, if not on your phone then probably on your PC.

“Your phone/PC has a virus – click here to remove!” or “Your system is slow, click here to optimise!” even “Your WhatsApp is out of date – click here to update!” Ring any bells?

Those are lies. Every single one of them. And they will at best dupe you into buying some placebo non-functional fake antivirus, and at worst install malware of their own and get busy attacking your PC or phone. So don’t, whatever you do, ever click them. They’re not system messages, they’re just ads, being pushed out through the usual advertising channels. If nothing else, ask yourself whether you should be making a trusted purchase from an entity which stoops to such a level to promote their product.

In short: Any ad which makes a system maintenance claim of any sort is a scam.

Be wary of ads


And that brings me to the last area of concern, which is those advertising networks. A popular business model for app developers is ad-supported freeware – you and I get to download the app for free, and we get the occasional ad popping up. Unless it’s particularly obnoxious and in-your-face, it’s a fair deal, right?

In principle, yes, but in practice there are some serious risks. For one thing there’s the duplicitous business practice I described already, but there are actually architectural risks – those ad networks are poorly secured and can be attacked to push malicious software down to phones instead of adverts.

That isn’t hypothetical – there are real-world demos of this in practice. And no hype this time, Android really is more at risk. Apple and Microsoft less so, and BlackBerry (which operates its own, closed ad network) has no known vulnerabilities so far.

And you can’t blame the app developer – they don’t have much control over what’s pushed down by the ad servers. So what to do?

If you’re paranoid (because honestly, the risk here is currently very small), avoid ad-supported apps and just pay the couple of bucks for an ad-free version. Realistically, most of you will ignore this advice – the freemium model is too deeply ingrained in our web psyche to overcome that easily.

But bear it in mind, and in particular consider dumping any apps which subscribe to ad networks promoting those fake virus messages.

Do I really need mobile antivirus then?

So if the risk of mobile malware is so much less than the vendors claim, and you’re a bit more careful with choosing which apps you install, do you need antivirus on your phone?

Well, it depends. Although antivirus software isn’t actually all that good at catching malware (the CEO of Symantec, one of the antivirus market leaders, recently admitted that antiviruses only catches about 45% of threats), the security suites actually do offer a lot more than just malware protection.

Depending on the product, it’ll check for apps which are known to misbehave in other ways, look for suspicious activity, back up your data, let you locate your phone geographically, remotely lock and wipe the device, and so on. You can do lots of that on your own, but the security tools bring it all together.

Do you absolutely need it? No. Is it a useful set of tools for the security-aware mobile user? Yes. For the record, I have no antivirus on my phone, but I do have security apps to lock it down.

If you change only two things after reading this article, it should be this: Be more critical about the permissions apps ask for and reject those which are suspicious. And back up your data – so many bad things can happen to a phone, but there’s never an excuse for losing data.

Jon Tullett
Jon Tullett, Senior editor at ITWeb has been covering information technology for two decades, working as a journalist and editor in South Africa, Europe and the Middle East. He is currently responsible for news analysis and spokesperson for the Security Summit, Africa’s premier information security event for IT and business professionals. Jon has trained in computer forensics, visited Interpol's cyber crime task force in Lyon, chaired numerous security events and seminars, judged technology awards, and developed testing protocols for a lab operation which reviewed dozens of security products every month. He has very, very, long passwords.