A Highly Sarcastic Android Security Warning

A terrifying new strain of Android malware is wreaking havoc on unsuspecting Android phone owners, stealing passwords and emptying bank accounts.

The malware, referred to as FluBot, works by infiltrating your phone, gaining access to all of your most sensitive data, and then sending your most intimate secrets to hooligans who are preemptively cackling over your unavoidable misfortune.

It's enough to make you want to throw your Android phone into the nearest quarry and hide indefinitely. However, before you head to the nearest bunker, there is something you should know about this dangerous Android malware.

 

FluBot: Android Malware

  1. An unknown source sends you a message containing a link and the friendly suggestion that you tap it to install a program you've never heard of.
     
  2. If you click the link, you will be directed to a website that will attempt to download an Android program file — referred to as an APK file — to your phone. That step would prompt your phone to display a warning informing you that the file type is potentially harmful to your device and asking if you're absolutely certain you want to proceed.
     
  3. If you disregard the warning and continue, the file will be downloaded to your device. At that point, it would be up to you to initiate the operation by tapping a command. Notably, nothing here occurs automatically or without your active participation at any point.
     
  4. If you tap the command to open the file, you'll see a strong warning informing you that your phone is not permitted to install unknown apps from this source for your security.
     
  5. To bypass this, you'd tap the "Settings" link within the warning, which would take you to a screen informing you that your phone and personal data are "more vulnerable to attack by unknown apps" and confirming, once again, that you truly, truly want to continue.
     
  6. If you accept the warning and toggle the switch to allow the app to be installed, you'll then see another confirmation prompt displaying the app's name and once again asking if you're sure you want to install it.
     
  7. If you make it this far and continue, the app will be installed on your phone! But hold on: Android applications can access a variety of data and system functions only if you explicitly grant them permission. In the case of this particular ne'er-do-well, it appears as though it would need permission to send and manage SMS messages — as it uses your messaging app to spread its link-love to other people in your phone's contacts — as well as the system accessibility service permission, which would allow a program to read anything on your screen and see what you type into fields. That level of access is reserved for genuine accessibility-related services and apps such as password managers that require it to function properly, and the warning displayed prior to activating it is extremely stern and explicit about this fact.
     
  8. If you decide to grant the app those levels of access despite the warnings and the fact that there is no logical reason why it would require such access or why you should do so — then yes, the app can then run on your phone and perform the task for which it was created (although keep in mind that it would also need permission to access the internet in order to obtain your deepest secrets from your device).
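The permission combination named in steps 7 and 8 (SMS access, an accessibility service, and internet access) can be checked for before an app is ever installed. The following is an added example, not code from the original article: it assumes the APK's `AndroidManifest.xml` has already been decoded from its binary form to text XML, and the package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the android: XML namespace.
A = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INTERNET = "android.permission.INTERNET"


def triage_manifest(manifest_xml):
    """Report whether an app asks for SMS + accessibility + internet together."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter()
                 if e.tag in ("uses-permission", "uses-permission-sdk-23")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(A + "name") for s in root.iter("service")
            if s.get(A + "permission") == BIND_A11Y]
    sms = sorted(requested & SMS_PERMS)
    return {
        "package": root.get("package"),
        "sms_permissions": sms,
        "accessibility_services": a11y,
        "internet": INTERNET in requested,
        # All three together is the combination the article describes.
        "review": bool(sms and a11y and INTERNET in requested),
    }


# Constructed sample manifests (hypothetical apps, not real ones).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SUSPECT = f"""<manifest {NS} package="com.example.parcel">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".Watcher"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
PASSWORD_MANAGER = f"""<manifest {NS} package="com.example.vault">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".Autofill"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, PASSWORD_MANAGER):
        print(triage_manifest(sample))
```

The password-manager sample declares an accessibility service but no SMS permission, so it is not flagged, which matches the article's point that accessibility access alone has legitimate uses.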
     

Apart from analogies, there is one more asterisk to this, and it is a critical one: In an enterprise setting, any company whose IT department is not entirely comprised of complete and total nitwits would have policies prohibiting users from installing apps from random unknown sources. Indeed, such policies are enabled by default on a managed Android enterprise deployment, which means that the IT staff would have had to disable that layer of protection deliberately in order for any of these shenanigans to be possible on a company-connected phone.

Android enterprise policies can also specify which apps are permitted to be set as accessibility services, adding another layer of protection against nitwits. That's not to mention the anti-phishing measures that many businesses also implement on their devices. Thus, in virtually any (non-nitwit-involved) business situation, no matter how hard you tried, you'd never get past step 3 — or possibly even step 2.
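The two enterprise controls described above can be audited in a policy document. This added example (not from the original article) assumes the fleet is managed through the Android Management API and checks that API's `advancedSecurityOverrides.untrustedAppsPolicy` and `permittedAccessibilityServices` policy fields; the sample policies and the package name are constructed.

```python
# Values of untrustedAppsPolicy that keep sideloading blocked.
# The unspecified value falls back to DISALLOW_INSTALL, so the default is safe.
BLOCKING = {"UNTRUSTED_APPS_POLICY_UNSPECIFIED", "DISALLOW_INSTALL"}


def audit_policy(policy):
    """Return a list of findings for the two controls the article relies on."""
    findings = []

    overrides = policy.get("advancedSecurityOverrides", {})
    untrusted = overrides.get("untrustedAppsPolicy",
                              "UNTRUSTED_APPS_POLICY_UNSPECIFIED")
    if untrusted not in BLOCKING:
        # Someone deliberately turned the default protection off.
        findings.append("sideloading allowed: untrustedAppsPolicy=" + untrusted)

    # Unlike the sideloading block, the accessibility allowlist is opt-in:
    # when the field is absent, any accessibility service can be enabled.
    if policy.get("permittedAccessibilityServices") is None:
        findings.append("no accessibility allowlist: any app can be "
                        "enabled as an accessibility service")
    return findings


# Constructed sample policies.
WEAK = {
    "advancedSecurityOverrides": {"untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE"},
}
HARDENED = {
    "advancedSecurityOverrides": {"untrustedAppsPolicy": "DISALLOW_INSTALL"},
    # Only this (hypothetical) password manager may act as an accessibility service.
    "permittedAccessibilityServices": {"packageNames": ["com.example.vault"]},
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED), ("empty", {})):
        print(name, audit_policy(pol))
```

An empty policy yields only the accessibility finding: the unknown-sources block holds by default, but the accessibility allowlist has to be set explicitly.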

And even if you were an individual user, you'd have to work pretty hard to allow an app like this to do its dirty work, given all the barriers Android erects before you reach the point of actual danger.

And you know what else? Every freakin' time, it's more or less the same freakin' story. That is certainly the case with another Android bogeyman currently circulating — a "sophisticated new malicious app" that "disguised itself as a System Update application" and stole "data, messages, [and] images" while simultaneously "taking control of Android phones" and monitoring everything from your phone call contents to your messages and even your browser history (yes, including that one site you looked at before bed last night).

However, you'd have to visit some random unofficial website in order to locate and download the thing, and then navigate through all those same sorts of prompts in order to install it and grant it the various forms of advanced access it requires to operate. And, if you're using a work-connected phone, you're unlikely to be able to do any of that.

Oh, and by the way, which company is spearheading the publicity campaign for that one? It's Zimperium, which also happens to sell security software for Android devices. (Isn't it strange how that always seems to work out?)

 

The Bottom Line

On the surface, Android security can appear frightening, especially if you spend a lot of time immersed in the never-ending stream of sensational stories about it. And, goodness gracious, those fear-infested waters can be near-impossible to avoid some weeks.

When you look closely and ask the right questions, however, an Android security scare is almost always much less frightening than it appears at first glance. And, contrary to what the companies pushing these narratives would probably prefer, there is rarely any reason to panic — as long as there is even the tiniest shred of common (non-complete-and-total-nitwit) sense involved.

 
