Android warnings and worrying alerts are nothing new with owners of these Google-powered devices regularly told to be wary. Now, there’s some new advice from experts, and it’s wise to take note if you want to keep your phone fully protected. The team at Malwarebytes says attacks on Android phones continue to grow with cyber crooks constantly on the lookout for new ways to steal data and install fake apps on the devices of unsuspecting users.
Even those downloading what appear to be official applications could be caught out especially as Android offers the ability to sideload software from the web. That’s a popular function, but sadly, it’s fraught with danger. With the internet constantly flooded with rogue software disguised as things such as TikTok, Spotify, and WhatsApp it’s easy to see how some are caught out.
Once installed, these so-called phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens. As soon those details are in the hands of hackers, they can then be used to access accounts.
Gaining this login data via fake login windows isn’t new; online thieves have been using emails to try and trick people for some time.
However, things have taken a more sinister turn as it appears some Android phishing apps can now pierce one of the strongest security practices in use today: multifactor authentication.
“Multifactor authentication is a security measure offered by most major online platforms including banks, retirement systems, social media companies, email providers, and more,” explained Malwarebytes. “With multifactor authentication, a username and password are no longer enough to sign into an account. “Instead, the platform will send a separate “code,” typically a six-digit number, that the user must also enter to complete the login process. This code is often sent as a text message directly to the user, who has registered their phone number with the platform.”
Last year, Malwarebytes says it found 5,200 apps that could steal these codes either by cracking directly into certain text messages or by stealing information from a device’s “Notifications” bar, which can deliver timely summaries or prompts for many apps.
It’s a worrying development, but there are still ways to stay safe, including installing mobile security and being careful what apps are installed on devices.
If you are concerned by this new threat, here are 5 ways—via Malwarebytes—to stay safe.
• Use mobile security software that detects and stops Android phishing apps from ever being installed on your Android device.
• Before downloading any apps, you should look at the number of reviews. A low number of reviews may signal a decoy app.
• Most people will only ever need to download Android apps directly from the Google Play Store. Be wary of other app stores or marketplaces, and never download a mobile app directly from a website.
• Use a password manager to create and manage unique passwords for every single account. That way, if one password is stolen, it cannot be abused to open other online accounts.
• Use multifactor authentication on your most sensitive accounts, including your financial, email, social media, healthcare, and government platforms (such as any accounts you use to file taxes).
