So apps are secure, because everyone gets them from the store, right? Um, no. That’s kind of the case for Apple’s platform, where you have to go out of your way to find malware, but with Android shipments outnumbering iOS device shipments 6 to 1, the real fun for bad guys and researchers happens in Androidland. Here are some of the ways apps get onto Android devices without going through Play:
- Third-party stores – you’d be surprised to find out that besides Play there are 500 app stores out there, of varying degrees of shadiness and security practices
- “Review” forums and blogs – e.g., even a legit-looking site like Androidpolice.com, which really should know better, encourages people to directly download APKs from a weird-looking Androidfilehost.com “mirror” instead of getting them into the habit of only using Play
- Sending download links via SMS spam
- Email spam – “email from dad” that passed all Gmail filters and let me download a malicious app binary on the phone
- Twitter – as a bad guy, you get some followers, then start spraying links like “download skype for mobile”, and you got yourself a nice little install base for your scammy app
- Ads on web and mobile, links on websites that redirect you to an app binary download
- More bizarre ways, like infecting via Bluetooth, apparently
Just by watching and scraping some of these you can build yourself a sizable library of some pretty nasty stuff. Just watching the Twitter feed for some of those scams is pretty fascinating.