Widespread Android Virus Could Hide in Popular App Updates

If you own an Android phone, your next Words With Friends or Facebook update could contain a virus.

The Android phone you carry around in your pocket can help you find restaurants, tweet, and navigate your way around the city, but it might soon have another unwanted feature—creating a black hole in your bank account. That's because hackers are working on viruses that could quickly rack up charges on your account.

About half of all Americans have smartphones, according to Nielsen, and in February, Google revealed that about 850,000 new Android devices are being activated every day. With more than 300 million users worldwide, that market is quickly becoming a big target for hackers and virus makers.

"In the next couple months, I'd expect a big Android attack that's going to be very widespread," says Jacques Erasmus, chief information security officer with Webroot, a cybersecurity company. "It's going to be Android, because it's an open platform—there's much less regulation in terms of the app store that makes it much easier for criminals to target. Obviously, the Apple user base is massive, but I think that attack is going to come later."

Erasmus says users could be "e-mugged" by unwittingly downloading malware that automatically sends premium-rate text messages—the same kind used to donate money to the Red Cross after the earthquakes in Haiti and Japan. Erasmus says those premium accounts are easy to set up offshore and the money will be funneled back to the malware creator. Those charges will show up on users' cell phone bills.

The virus could be hidden in a trusted app, Erasmus says. A hacker could theoretically break into the Google Play Store, issue a fake update for an app with millions of users—Facebook and Words With Friends have more than 10 million users—and start automatically sending text messages to premium numbers.

"You could hack into one of the really popular app distributors' accounts and leverage its userbase," he says.

A Google spokesperson says that the company isn't aware of any current vulnerabilities and that, while it's hypothetically possible to hack into a distributor account, a recent update has closed some of those vulnerabilities.

But malware has made its way into the Google Play store in the past, and, in some instances, has stayed there for months at a time.

In February, Google introduced "Bouncer," which automatically scans the Android store for malware. The company says that they saw a 40 percent decrease in the number of potentially malicious downloads between the first and second half of 2011, but a study by Juniper Networks found that malware targeting Android users increased 3,000 percent in 2011.

Erasmus says Webroot has seen a similar increase.

"We've seen an increase in threats—there's now more than 9,000 known viruses and Trojans for Android," he says. "For most of the last year, there were very few threats, maybe two or three a day. Now, we're seeing 20-30 threats a day."

In November, Chris DiBona, open-source programs manager at Google, wrote on his Google+ profile that companies like Webroot and other antivirus manufacturers are "charlatans and scammers."

"Virus companies are playing on your fears to try to sell you bs [sic] protection software," he wrote. "If you work for a company selling virus protection for Android, RIM, or iOS, you should be ashamed of yourself."

DiBona may have a point. Last month, AV-Test, an independent German security institute, said that two-thirds of Android anti-virus software is "not yet suitable for use as reliable products." Of 41 tested anti-virus programs, just seven were able to detect 90 percent or more of Android malware.

Corporations are displaying the same fears as individual users. According to National Defense Magazine, Boeing will be releasing a secure Android phone meant for corporate use by the end of the year.

Erasmus says that no matter what security measures are taken, there's no way to be 100 percent secure when you use a device that is constantly connected to the Internet.