For millions of people, the first thing to do when they get their new smartphone or tablet is to visit the device's app store and begin downloading games, magazines, utilities and sports apps.
Apps are fun, useful and a bit addictive. They can also be dangerous. Malicious apps, especially those for Android devices, are a growing problem for smartphone and tablet users. (Apple devices are protected as long as they're not " jailbroken " to run unauthorized apps.)
"We've seen malware designed to secretly track users' physical locations via GPS, make phone calls, send text messages, exploit ad networks and even gather potentially sensitive data," said Jeffrey Wilhelm, a senior analyst at anti-virus software giant Symantec. "That said, the fact of the matter is that mobile malware will likely only continue to be of interest to cybercriminals if they can figure out a way to monetize it. At this point in time, they are still very much in the exploratory phase of figuring out how to do that."
According to Wilhelm and Symantec, cybercriminals are using mobile malware to make money with premium-rate number billing scams, spyware, search engine poisoning, pay-per-click scams, pay-per-install schemes, adware and the theft of mobile transaction authentication numbers (mTANs).
The problem is, Wilhelm said, that detecting a malicious app is much easier said than done. "Unfortunately, there is no foolproof way of determining if an app in a market is legitimate or not."
How to increase your odds
Is there anything you can do to make sure the app you are downloading isn't going to poison your phone or tablet? First of all, stick to known companies and trusted sources.
"Only install applications from the official market/store for your platform," said Chester Wisniewski, a senior security advisor with the British anti-virus maker Sophos. "Not all applications on your marketplace may be safe, but off-vendor markets are much riskier."
Before downloading an app, check out the name of the app developer. If it's a name you aren't familiar with, do a quick Web search for either the developer's name or the name of the app. Anything questionable about the developer or the application should come up.
Going to a known developer won't totally prevent the download of a dangerous app, but Wilhelm said it could help a user decide whether or not to investigate the legitimacy of an app further.
"If a user is attempting to download an app from a well-known company, but the app doesn't have that company's name listed as its creator, that should probably stir suspicion," Wilhelm added. "For example, Symantec recently identified a new mobile malware threat, dubbed Android.Fakeneflic, which attempts to exploit users of the popular Netflix app for Android.
"The malware masquerades as the legitimate Netflix app, but is actually a textbook case of an information-stealing Trojan that targets users' Netflix account information. A user attempting to download this malicious app might be able to determine that the creator is not actually Netflix, but someone else. In this case, that should raise a red flag."
Pay close attention to user reviews. Other users will tell you if there were problems with an app, including potential malware. And if you find that an app you downloaded was malicious, Wilhelm recommends adding your own review at the app's marketplace.
"That would probably help other users avoid falling victim as well. Another good thing to do would be to alert the owner of the app marketplace where the malicious app was downloaded from," Wilhelm said.
It's also wise to be aware of the type of permissions the app seeks before downloading. Android displays them all when it prompts you to authorize app installation.
"If you are loading a video game and it asking you for permission to access your address book or to send SMS messages, you should be suspicious and cancel the installation," Wisniewski said.
Finally, the best protection from malicious apps is also the first app you should download — a mobile security solution that scans every app on download and tells you whether it is safe.