Not a whole lot of new lessons to be learned from this, but basic reinforcement of old ones:
- It's easy to get users, even high-profile at-risk users, to install arbitrary applications. Since there's little to be gained from litigating this basic fact, we have to work around it. We recommend at-risk users stick to relatively recent iPhones, not because Android phones can't be made to be asymptotically as secure, but simply because it's more difficult (technically and logistically) to set up a deployment process that gets an application installed on an iPhone that can do as much as these backdoored Android apps can.
- The biggest threat facing users on general-purpose computers (Windows or Mac) is email attachments. The most profitable desktop infection vector here seems to have been Word macros. There's no point in litigating whether people should or shouldn't use Word documents; they're going to do that. So we have to work around that. Our recommendation is that users be trained not to view attachments on general-purpose computers by clicking on them. Two options: view attachments on iOS devices, where the viewers are less privileged and less full-featured, or always open them using Google's office tools.
To me, the big lesson of the past few years working with non-technical users targeted by attackers is: general purpose computers simply aren't secure, and can't (for normal users) be made secure. Get people out of computer apps and onto phone or web apps.