Something you’ll see pop up from time to time on various sites (even legit ones) that run automatic advertising campaigns is a claim that your phone is infected and you have a virus. You don’t. Well, at least there’s no way that they would randomly know it.

Way way way TL;DR: no mobile viruses, don’t bother with AV, certainly don’t trust popups informing you you’re infected.

Inspired by a couple of conversations this week, the only virus I’ve ever gotten, and some posts in the Dev-Host post, here’s why your phone doesn’t have a virus and those attempting to sell you a phone antivirus via popup ad are probably scammers.

I’m betting this is preaching to the choir for most of you, but if not here you go.

The first part deals with popups telling you you’ve got a virus, notably the type of garbage ad one of our advertising networks threw into our rotation a while back.

There’s no way they know if you’re infected

Let’s look at the first portion of this equation. In order for a website to know you have a virus they have to have scanned your phone. You can see a sample image to the left; that isn’t our advertising.

Historically there have been methods on desktops to determine if you’ve got an exploit loaded, but this is usually done on a page devoted to it.

When you’re connecting to a web server, they know the IP address to talk to, what browser you’re using, some OS information, and whether you have a cookie associated with their domain. That’s about it.

So let’s say they have your IP address. In order for them to determine your phone has a virus they have to find out what’s on your phone. How are they going to do this? No website you visit on Android or iOS has the ability to run code that scans your system. If they did you’d have a warning like “warning: we detected that /system/app/imavirus.apk is infected with the first real phone virus ever! Also lay off the porn”.

Given the IP of a phone connecting to a web server I manage, I can tell you where that phone is generally located (e.g. Nashville, on Comcast) and if it’s connected via ISP or behind a router. I can tell you what browser you’re using, and I’ve got a good chance of being able to determine your iOS or Android version and do some JavaScript/HTML5 tricks.
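To make "that's about it" concrete, here is an added example (not from the original post) that lists everything a server can read from one request: the peer IP, the User-Agent's OS and browser hints, and its own cookies. The request, IP address and host name are constructed samples.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample: one request as a web server receives it from a phone.
SAMPLE_REQUEST = (
    "GET /article HTTP/1.1\r\n"
    "Host: news.example\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "\r\n"
)
SAMPLE_PEER_IP = "203.0.113.24"  # constructed, documentation address range


def server_view(raw_request, peer_ip):
    """Return everything this request tells the server about the client."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    ua = headers.get("user-agent", "")
    os_name, os_version = "unknown", None
    m = re.search(r"Android (\d+(?:\.\d+)*)", ua)
    if m:
        os_name, os_version = "Android", m.group(1)
    else:
        m = re.search(r"(?:iPhone|CPU) OS (\d+(?:_\d+)*)", ua)
        if m:
            os_name, os_version = "iOS", m.group(1).replace("_", ".")
    browser = re.search(r"(Chrome|CriOS|Firefox|FxiOS|Version)/([\d.]+)", ua)
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    return {
        "ip": peer_ip,
        "os": os_name,
        "os_version": os_version,
        "browser": browser.group(0) if browser else None,
        "cookies": {k: v.value for k, v in cookies.items()},
    }


if __name__ == "__main__":
    for key, value in server_view(SAMPLE_REQUEST, SAMPLE_PEER_IP).items():
        print(f"{key}: {value}")
```

Nothing in that result describes installed apps or files on the phone, which is why a banner ad cannot know whether a device is infected.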

If you’re connected directly, I can initiate a port scan on your phone. If you’ve got an open listening port I might be able to hit that port and see that you’ve got a piece of malware installed listening for commands (for example, because you’re inadvertently part of a botnet). If you’re behind a WiFi router and you’ve gone ahead and turned UPnP on I might be able to tell the same.

In general though, the only thing I could see as a website, if I placed an active script to port scan you, is whether you have a listener, at which point you should start wondering why a website was so determined to do a port scan on you in the first place.

If you leave any website and get a popup saying you’ve got a virus, you don’t. If you think it’s a legitimate warning go and download a program claiming to be an antivirus from a reputable source, not a scam popup advertiser.

It’s not a virus, don’t buy it

A virus is an application that you get and pass on to others. Your phone comes into contact with their phone and they’re infected. You visit a site and you’re infected. You give them a file and you’ve given them a file with a virus. Etc. Most of what the media calls viruses are malware and trojans (malware does something bad like steal your contact info, trojans trick you into running them).

A virus is not something that downloads from a central location, pops up, requires you to install it, then you have to agree to let it have access to all your media, internet, contacts, etc.

I’m not claiming there aren’t malicious applications out there, but any service that claims you have a virus when you’ve jumped through the standard Android hoops to install this piece of software that’s now making your life miserable is a scammer.

While to the end user a virus and malware may look the same, no reputable company will claim that you have a virus when you have malware, a trojan, etc.

But what about…

Various Chinese USB “viruses” – these were/are a set of commands that run on phones where people have turned on USB debugging in developer mode, usually on older versions of Android that didn’t require pairing the phone to a computer for adb access. This was/is malware from infected public charging terminals. You have to disable security on your phone and plug it in.

If you’re not rooted the best it can hope for is to root you and install malware, or attempt to access your information by initiating a backup.

Even if you get this there’s no way you can spread it to another person without connecting your phone to theirs.

DroidDream – DroidDream was never a virus, it was a piece of malware injected into applications that were repackaged and uploaded to what was then called the Market (now Google Play). It used all known available Android exploits to root the phone and install itself as a system service. It still required you to download and install and couldn’t reproduce itself.

Does it really matter if it’s a virus or malware?

Yes.

Malware is like that last slice of pizza you’ve got in your fridge. You don’t have to eat it. If you don’t eat it it will not enter your body. If you do eat it, you’re not giving it to your friends, although you might give them information on how to get and eat it without your knowledge.

A virus is like the flu. You get it, people you’re in contact with get it. That doesn’t happen in sandboxed processes.

To you these may have the same effects; to your friends, co-workers, etc., it’s vastly different. As for a company trying to sell you a product: if they’re not actually an antivirus and claim they are, they’re a fraud. Like being sold a BMW and being delivered a KIA.

Could there be real threatening mobile viruses?

Yes. Both Android and iOS use a thing called sandboxing. This keeps program A from touching program B. Generally to get A & B to exchange data you have to write the programs to talk together as they’re pretty well separated.

A rooted device doesn’t have these restrictions however. This is why manufacturers work so hard to keep you from one-click rooting your phone.

If you can root the phone without jumping through hoops, then so could any malicious application. As much as I hate the hoops we have to jump through on the HTC side, there’re some good reasons behind the vanishing of one-click exploits.

There’s also the chance that you could be seeing cross-platform viruses soon enough, where a phone or a computer has an application and when paired with another device it injects code via exploits to the other machine.

Usually after there’s a proof of concept there’s a new Android or iOS version or patch that defeats that idea.

Are root users more at risk?

Yes and no. Yes in that a phone that’s rooted is more at risk in general, and no, as most root users are using a superuser control program and they’d have to grant this unknown application or service superuser access.

What are you selling, son?

Good question. Mostly my goal is to get people to stop believing they have a virus when these scam popups pop up and to get rid of these apps that rely on testimonials like “been running it for 5 years and never got a virus once!” Yeah, there were no viruses, and you got your contact information stolen due to some bouncing chicken game you installed that you gave permission to access your contacts.

Don’t install pirated apps, don’t download things with 10,000 reviews all from the same day that make nearly no sense (you can purchase reviews in most app markets) and read the permissions anything’s requesting before you install it. Why does Bouncy Chizziken need access to my email and contacts?
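The permission check described above can be done mechanically. This added example (not from the original post) reads an app's manifest in decoded text form and separates the requests a simple game would plausibly need from the ones worth questioning. The manifest, the package name and the "expected for a game" set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names that expose personal data.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.GET_ACCOUNTS": "list the accounts on the device",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
}
# Assumption for this example: what a simple arcade game plausibly needs.
EXPECTED_FOR_GAME = {"android.permission.INTERNET", "android.permission.VIBRATE"}

# Constructed manifest (decoded text form) for a hypothetical game.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bouncychizziken">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Collect every declared permission once, in document order."""
    root = ET.fromstring(manifest_xml.strip())
    tags = ("uses-permission", "uses-permission-sdk-23")
    found = [e.get(ANDROID_NS + "name") for e in root.iter() if e.tag in tags]
    return list(dict.fromkeys(p for p in found if p))


def audit(manifest_xml, expected=EXPECTED_FOR_GAME):
    """Split requests into expected, sensitive-and-unexplained, and other."""
    report = {"expected": [], "question": [], "other": []}
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            report["expected"].append(perm)
        elif perm in SENSITIVE:
            report["question"].append((perm, SENSITIVE[perm]))
        else:
            report["other"].append(perm)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```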

Most of the antivirus applications out there for phones are mislabeled malware scanners, and malware is something that Google has done a pretty bang-up job of policing the past few years with their Bouncer software. AV companies throw in an additional privacy guard or backup service to sweeten the deal and identify applications that may want the access you granted them when you installed the ding dang program.

But most advertised antivirus applications are actually malware. That mobile popup that says you’ve got a virus, malware. Stop, you could be infected with a virus? Malware.

Real antivirus?

Yes, there are real antivirus companies that got into the mobile game. Their main goal is malware identification and locating repackaged apps along with some privacy guards thrown into the mix.

If you think you’ve got a virus, go to your app store, look up mobile security, and locate something with a couple million reviews (they’ll be listed first). Install, run. You’re probably not going to find a virus but you’re not going to get scammed by a company potentially installing malware/ransomware.

Something to remember even if you’re installing a real antivirus is the permissions you’re giving them. Here’s a screenshot of the page-long permissions that Avast requires just to function.

Image: Avast permissions

Make sure you trust the antivirus company before you give them complete access to your phone. Just because they’ve got antivirus in their name doesn’t mean they’re not giving you a free product by selling information about you.

Read that privacy policy.

When Skynet awakens…

When an actual virus hits and spreads phone to phone to computer to whatever, locking up all of the world and causing chaos, chances are pretty high your antivirus isn’t going to stop it; the ISPs, cell carriers, Google and Apple will have to.

Or I’m wrong.

I’ve been running PC, iOS, Android and various flavors of Linux longer than I can recall and never had a virus except in the MS-DOS days, when, fittingly enough considering publication date, I got the Stoned virus from a computer at school.