> There have been isolated cases of spyware programs that run on the Android platform, an open-source mobile operating system created by Google. But the fake media player application, which Kaspersky dubbed “Trojan-SMS.AndroidOS.FakePlayer.a,” is the first one believed to specifically target Android, Kaspersky said.
>
> “Kaspersky Lab recommends that users pay close attention to the services that an application requests access to when it is being installed,” the company said. “That includes access to premium rate services that charge to send SMSes and make calls.”
>
> The application is simply called “Movie Player,” according to Lookout, a company that makes mobile phone security and management software. The malware does apparently warn users they may be charged for SMSes if they install it. The SMSes costs “several dollars,” Lookout’s [blog](http://blog.mylookout.com/2010/08/security-alert-first-android-sms-trojan-found-in-the-wild/) said.
>
> Lookout suggested that Android users check the permissions of the media player applications and revoke any that mention charging for SMSes. The malware may not spread far, however, for a couple of reasons.
>
> “So far this has only affected Android smartphone users in Russia and only works on Russian networks,” Lookout said. “As far as we know, there is no indication that this app is in the Android Market.”
>
> Google said in a statement that users see a screen after downloading an application that explains what information and system resources that application can access, such as their phone number or the SMS function.
>
> “Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time,” Google said. “We consistently advise users to only install apps they trust. In particular, users should exercise caution when installing applications outside of Android Market.”
via [macworld.com](http://www.macworld.com/article/153318/2010/08/android_malware.html?lsrc=rss_main)
This is the point where most of my readers will expect me to blast Android and praise the iPhone. But to be honest, I’m much more concerned at the increase of malicious software targeting mobile devices in general lately. No platform is completely safe from this stuff.
Apple just released a patch for the iOS (iPad and iPhone/iPod Touch versions) that fixes a gaping hole in mobile Safari that made jailbreaking the device as simple as visiting a web page. (I suggest if you have an iPhone, iPad, or iPod Touch that you install that update immediately.) While some will report this patch as Apple “locking down” people who want to install their own hacks, it would be simply irresponsible for Apple not to plug that hole. What one site uses for a jailbreak, others with more malicious intentions could have used to steal credit card information, run up phone bills, spam contact lists—you name it.
We put our entire lives on our smart phones. It’s an intensely personal device. Which makes it all the more valuable to a thief, or in this case, a hacker. We as users are going to have to take steps to ensure that we protect ourselves as much as possible, which means paying careful attention to what we download, install, etc.
And, yes, I personally believe that Apple’s policy of secure signing ALL software on the iPhone is a bit safer in general than Google’s “install anything you want, even if it’s not from our store” philosophy. But that doesn’t mean iPhone users should be completely oblivious to the possibility of someone slipping something past Apple’s approval system. It’s nice to know that Apple could probably track down anyone who puts malware on the App store, and could not only remove the offending app from the store, but from everyone’s iPhone with the push of a button. But that’s a small consolation once your bank account has already been compromised.
I dread the day when installing virus protection becomes the norm on a mobile device. Most of the time virus scan software does little more than drain battery life and eat processor cycles and can only protect you from known quantities, anyway. I really hope we can avoid that sort of nonsense with better and better built-in security. In the meantime, we’ll all have to practice some common sense if we want to avoid getting hit by these kinds of attacks.
