Is Your Android Phone Spying On You?

android vulnerabilities

Is My Android Smartphone Secure? 

While Google is one of the most famous technology companies in the world, with a great reputation for excellence and creativity, it does not mean that their products and services are infallible. The security vulnerabilities of Android smartphones are a perfect illustration of the challenges they are facing.

“With a  staggering 85% of all smartphones in the world running on the Android operating system (OS), it is obvious that the hackers would continuously try to breach these phones”.

Resultantly, there is not a  single week without new security vulnerabilities being discovered. If you just received a new Android phone or are using one for quite some time already you may ask yourself, is my Android smartphone secure? It is a legitimate question that we will answer in this blog post.  

Let’s explore and find out who can be a potential victim of these security vulnerabilities, and then we will look at how it could happen. After that, we will depict some solutions that you can use to strengthen your security footprint, and finally, we will share some practical guidance for companies to consider when authorizing the employees to use their private devices for a professional purpose.  

No one is immune to advanced hacking technologies.

In 2019, Promon, a Norwegian company specialized in cybersecurity discovered a  vulnerability named StandHogg, that could technically affect all smartphones running on Android. They claimed that the malware can infect the Top 500 most popular apps in Google’s Play Store. What is even more concerning is that the vulnerability can be exploited on smartphones that are running with the factory default settings.

In other terms, everyone’s phone can be a potential victim. The risk associated with the exploitation of this vulnerability is that the sensitive data stored in your phone, like your bank account details combined with or your personal details, can be stolen. This is one of the many vulnerabilities that make big noise within the cyber world because the potential of compromise is huge.

In consequence, and as the technology continues to evolve, new vulnerabilities will surface from the new features added to the phone. To inverse the tendency, developers need to follow the security-by-design principles. 

Permissions above all. 

At this stage, you may think that these large scale vulnerabilities happen only once in a while, and you may consider yourself as a  “normal” smartphone user. In spite of the integrity of most Android users, the temptation to download the free version of an app from an illegitimate marketplace is often greater than paying the small amount on the official Play Store.

While the financial aspect of this compromise influences the decision you make,  the associated risk associated with such a download is often neglected or simply ignored. Why should you worry if this app is available for free? Or you may even think that if you don’t feel comfortable with the app you can still remove it. Well, not exactly. In fact, the harm occurs right at this time of the process.

From the moment you download the app and your smartphone starts to install it, you will be requested to grant access to the app in order to operate. Like most of us, the only thing that matters is to be able to start using the app as quickly as possible, so you select “next, next, next, ok, and validate” almost without reading. The process is very easy and straightforward. Now you have granted the required permissions to this rogue app and it has all the needed access required to compromise your device.

Depending on the malicious approach chosen by the hacker, this can be completely transparent to you or can have an immediate effect on your smartphone (e.g. latency caused by the resources used). In a nutshell, you should consider your smartphone as being potentially compromised from the moment you grant permission to an app coming from an unofficial source. 

Can I Trust the Google Play Store?

In general, Yes, but! There is ever a risk that an ill-intentioned developer was able to upload and publish an app having a backdoor (intentional vulnerability) that could be exploited. Google explains that scans are running on the Play Store to identify infected applications.

Additionally, we know that by default, an Android smartphone has a secure boot to verify that the OS of the device has not been modified. The stored data is encrypted and protected by a  code or a fingerprint reader. Although this is all true when the smartphone is new and just unboxed, the situation changes when you start setting up your phone.

BYOD in focus. I Trust My Employees. Should I Trust Their Device?

Many of us use their smartphone for private and professional purposes. In this case, the companies do make the compromise between the potential gain of productivity and the heightened risk exposure. To keep control of the data and ensure the employees are operating their devices in good faith, the security professionals have at least two approaches.

  • The first is to use a mobile device management solution that will deploy apps and security measures as defined by the controller. This approach is often rejected by employees for the fear of giving up their privacy.
  • The second approach is based on the deployment of apps on your smartphone that, during the installation, will confirm a certain number of security prerequisites. To maintain a robust system, the security professionals should not bend their standards toward users reluctant to conform to the agreed baseline configuration. 

To conclude, we explored the inherent risks from apps published in market places, the simple action that can result in causing you harm, and the trust that you can put in the Google Play Store. Finally, there is a dilemma: productivity vs. security. While security issue remains in question, it is definitely safe to mention that most standard Android devices are secure until unboxing, after which it is only a matter of time until they are compromised. You decide.