Jeff Gelles: Mobile devices usually safer from malware

Pick up a smartphone or tablet, and you're picking up a small, powerful computer. But does that mean it's just as vulnerable as your laptop to malware?

Could your phone start taking orders from a botnet, or record your calls and send audio files to an attacker? Could your tablet start signing you up for useless subscriptions, or shipping your private data to cybercrooks in Siberia?

Thankfully, the answer to all those questions is probably no - though with an asterisk pointing to the phrase, "It depends on how you use the device." All those things are possible, but they're highly unlikely if you're reasonably cautious and know the risks.

Fears of phone-based malware were stoked in March by word of malware on smartphones based on Google's Android operating system. Fanning the flames are recent reports of dramatic jumps in Android malware from security firms such as Juniper Networks, which said in a blog post that Android malware had increased 472 percent since July.

McAfee, another security company, sounded a similar warning in its latest threat report. "Since January, we've seen a hockey-stick type of growth in Android malware that poses a serious threat to owners of smartphones and tablets," Lianne Caetano, McAfee's director of mobility marketing, told me this week.

Are the fears exaggerated by companies that stand to profit by selling anti-malware apps to worried smartphone and tablet users - not just of Androids, but also of devices using Apple's iOS and RIM's BlackBerry platforms?

That's what Chris DiBona, Google's open-source and public-sector engineering manager, said in a recent post on Google+ that derided antivirus companies as "charlatans and scammers."

"If you work for a company selling virus protection for Android, RIM or iOS you should be ashamed of yourself," DiBona wrote.

I'm not an expert, so I don't want to sound overly sanguine about threats from malware writers who are undoubtedly trying to wreak as much havoc as they can. That's what they do, often with the goal of stealing your money or using your information to rob and cheat others.

Some threats plainly sound scary. McAfee cites two, identified as "NickiSpy.A" and "GoldenEagle.A," that record Android users' conversations and forward them to an attacker. "Attackers can't be sure that the first one or two calls have the information they seek, so these malware remain on the devices for extended periods without being detected," McAfee says.

But there are also good reasons not to fret, according to Google and outside experts. Here are a few, along with tips on how to stay safe:

Security-conscious design. When Google developed Android for an alliance of handset makers eager to compete with Apple's iPhone, it chose an "open source" approach. But open source doesn't mean insecure, as software such as the widely used Firefox browser demonstrated.

Google says two design features are key to Android's security. One is "sandboxing," which means that an app must play in the portion of the operating system it was intended for. The other is "permissions," which means it must ask before it can stray. So if a new music app seems oddly interested, say, in your phone's location history, you'll be warned that something may be amiss.

Maintenance is also crucial, and in that, smartphones and tablets have an advantage over computers: Google can routinely address flaws in the Android platform as they are discovered, without a user's having to take any steps.

A safe place for apps. Despite the widely reported incident in March, when Google announced it had removed "a number of malicious applications published to Android Market," Google insists its app store is a safe place to do business.

Google says it regularly scans Android Market apps for malware, suspends suspect developers, and can remotely wipe apps if anything malicious slips through.

Your biggest protection may come from numbers. If you pick highly rated, widely used apps, you should be safe. The evidence so far is that most Android malware hits users who look elsewhere for apps. Unlike the iPhone, Android devices can load apps from anywhere - including from predictably risky sites such as those pushing pornography.

"Most of the mobile malware out there requires the user to go find it and install it," says Brian Krebs, who blogs at the site "You have to affirmatively download and install these apps, and in some cases give them special permission."

Krebs says "social engineering" - a fancy term for trickery - is the key to most mobile malware, as it is with most malware today. A mysterious text message with a link is just as risky as an e-mail with a link.

"If you're careful about what you install on your phone, you're going to be fine," Krebs says. "I haven't seen a threat that convinces me otherwise."

Contact columnist Jeff Gelles at 215-854-2776 or