Hiawatha Bray | Tech Lab

New malware turns smartphones into cyberattackers

A man holds the Nokia smartphone model 6 during a press conference of Finnish mobile phone maker HMD Global in Helsinki, on June 6, 2017. (Emmi Korhonen/AFP/Getty Images/File)

Owners of Android smartphones will be happy to learn that you’ve got a new feature designed to protect your phone from hostile software. Trouble is, it doesn’t work.

At least, not for tens of thousands of Android phone users all over the world. Their phones were recently infected with WireX, a new kind of malware that hides inside apparently legitimate apps, converting phones into computer-killing zombies.

On Monday, Alphabet Inc., parent company of the search service Google and creator of Android, said it had resolved the problem, with the help of network security experts, including some from Akamai Technologies Inc. in Cambridge. But the fact that WireX spread as far as it did should warn us all that our smartphones are more powerful, more dangerous, and more difficult to secure than we may realize.


Akamai specializes in helping big companies efficiently transmit huge amounts of data. It also runs a busy network security practice that got a lot busier on Aug. 17, when several Akamai customers — the company won’t say who — came under a distributed denial-of-service (DDoS) attack. That’s the kind in which a bad guy seizes control of thousands of networked computers, then orders those computers to attack some online target, such as a corporate or government server. The sheer volume of traffic can drive the target clear off the Internet.


In this case, the Akamai clients were getting hit by up to 20,000 data requests per second, quite enough to overwhelm an unprepared server. But DDoS attacks are old news at Akamai. The company is good at fending them off, though it takes lots of network capacity and costs lots of money.

When Akamai saw the scale of the attack, it consulted experts from several other firms, including Cloudflare, Flashpoint, RiskIQ, and of course Google. What they discovered both alarmed and charmed them.

“It’s awful, but it’s kind of this neat thing,” said Andy Ellis, Akamai’s chief security officer. “We pay researchers to do this. For them, this is fun.”

The fun began when the researchers realized the attack was not coming from the usual sources, desktop computers, but from smartphones. Lots and lots of smartphones. At least 70,000, and perhaps many more.


“We’re seeing numbers that are consistent for a couple hundred thousand,” Ellis said. These phones were transmitting from about 100 different countries. And there wasn’t an iPhone in the bunch. Every one was running Android.

The users of these phones had downloaded apps from the Google online store that were tainted with WireX malware. About 300 such apps were later identified. On the face of it, these were innocent-looking programs, like video players and file managers, that we tend to download without a second thought. But somehow, the Google Play Store had failed to catch the poison inside them.

Android software isn’t nearly as secure as Apple’s iOS, for many reasons. Android is open-source, so anyone can learn exactly how it works and use that knowledge to create malware. Apple isn’t invulnerable, but its iOS software is tightly locked down and tougher to crack.

In addition, only Apple makes the phones, and cellular network operators like Verizon and AT&T aren’t allowed to modify the software. By contrast, there are dozens of Android phone makers, each producing many models, usually with the makers’ own customized version of the software. Cell networks tweak the phones, as well, adding “junkware” apps that often hinder performance.

You can’t install security updates on all of these phones without running compatibility tests, and that can take months. So at any given moment, hundreds of millions of Androids are running obsolete, vulnerable code, making them prime targets.


Also, Apple is more careful about what apps are allowed in its online store. Over the years, the Google Play Store has gradually tightened its standards, but it has never been quite as rigorous. These days, the company runs automatic malware tests on new apps when they’re uploaded to the store.

And in May came Google Play Protect, an anti-malware program that regularly checks all apps and has been automatically added to most Android phones. Yet Play Protect didn’t prevent WireX from infecting thousands of phones.

For that matter, Play Protect didn’t fend off a separate malware outbreak discovered in June by eZanga, an online marketing firm. EZanga researchers found that hundreds of approved Android apps contained “clickfraud” programs that run while the phone appears to be idle.

Crooks set up websites which host legitimate ads. Then they use clickfraud bots to automatically click the ads over and over and over. The site owner gets paid by the advertiser for every click, but none of these clicks come from paying customers, so it’s a total waste of money. EZanga estimates the phony clicks from these fraudulent Android apps cost advertisers as much as $10 million.

Google has purged the clickfraud and WireX apps from its Play Store and tweaked Play Protect so Android phones won’t fall for them again. In addition, Google is remotely deleting infected apps from Android phones worldwide. Bet you didn’t know they could do that. It’s a slightly creepy feature, though welcome in this case.

Still, it’s another reminder that smartphone software has a life of its own. And sometimes it’s a life of crime.

Hiawatha Bray can be reached at