Android malware headlines: Less of the 79%, more of the 44%

Posted on August 28, 2013 - 15:18 by ccondon

You've probably seen the Android malware headlines saturating security news recently. We certainly have. If you’ve managed to escape them, here’s a quick summary: The U.S. Department of Homeland Security and the FBI issued an internal bulletin last month on “threats to mobile devices using the Android operating system.” The bulletin contained a chart illustrating findings that 79% of mobile malware targets Android—a number that the media (tech and otherwise) quickly picked up and used as a centerpiece for the headline frenzy that followed.

That number, however, is meaningless without context.

Malware authors go where the money is. They target the most popular platforms not because they’re the least “secure,” but because a bigger user base gives them a higher chance of success and, therefore, wider profit margins. Android is simply the most popular mobile OS, just as WordPress is the most popular content management system and Windows has long been the dominant operating system for PCs. This is as basic as it gets, though you wouldn’t necessarily know it from the news coverage.

Worth noting:

  • The 79% figure corresponds exactly with Android’s 2Q13 market share. The original text of the DHS-FBI bulletin states flat out that the threat to Android-based devices is largely due to Android’s market share and open source architecture.
  • The bulletin warns explicitly that 44% of Android users are running outdated versions of the OS that contain “security vulnerabilities that were fixed in later versions.”
  • The bulletin neither recommends against using Android-based devices nor dwells on the percentage of threats targeting Android, though it does emphasize the importance of updating software—a point with which StopBadware agrees wholeheartedly, irrespective of software or device type.

For our part, we find the 44% figure much more noteworthy and alarming than the percentage of mobile malware designed for Android. So our advice to Android users, whether they're government employees or not, is this: Update. That goes for all users, mobile and otherwise. Security software is also a great idea for any device, as is general awareness that cybercriminals want your data and your money however they can get them. No headlines there—though perhaps there should be.

A different story about Android malware

The security world is abuzz about the recent malware apps discovered in—and removed from—the Android Market earlier this week. Ars Technica published an article with a headline that captures the general tone of the industry: "Malware in Android Market highlights Google's vulnerability." The gist is that because Android is generative (i.e., open to people installing or programming whatever they want) and the Android Market is less centrally controlled than, say, the Apple App Store, it's inevitable that malware will become a big problem.

Yet this story could—and probably should—be told very differently. Here's an alternate headline: "Android community, Google respond quickly to limit damage from new malware." There are tens of millions of Android smartphones out there, yet reports indicate that only around 50,000 users downloaded the malware apps in question before they got pulled from the Market. That's a pretty small number, and it's not clear how many of those were susceptible to the malicious aspects of the malware.

I'm in no way suggesting that malware isn't a threat to Android users. Rather, I'm pointing out that there are mechanisms, both formal and informal, for limiting the spread and impact of malware in the ecosystem. Some, such as the centrality of the Market to many users' smartphone experience, combined with Google's willingness to pull the plug quickly if malware is discovered in the Market, position Android differently from the oft-targeted Windows.

That said, the ecosystem needs to develop more mechanisms to protect users from bad apps. The early ideas from John Palfrey and Jonathan Zittrain that led to the formation of StopBadware five years ago might provide some clues. Perhaps there's a way to generate some sort of collective reputation or automated telemetry system that can help users make more informed decisions about their apps. Or perhaps there are other tools, systems, or policies that will help. The time is now, before we replicate too many of the problems that have plagued open systems in the past, to identify solutions that keep users safe while preserving the generativity of platforms like Android.

Openness versus consumer protection? Android, iPhone, and transparency

Posted on January 30, 2009 - 16:22 by egeorge

If you follow news about the Android mobile phone platform, you may have seen recent allegations of malware against a third-party application available on Google's Android application market. It's unclear whether the application in question, MemoryUp, was actually capable of any of the behavior claimed against it - Google's own testing showed no malicious behavior - but the application disappeared from the Android Market anyway.

Elisabeth Oppenheimer, of StopBadware director Jonathan Zittrain's "Future of the Internet" blog, writes:

"[I]f Google is going to have the kind of open marketplace they want, they’re going to have to be more clear about what they’re doing. No one seems to know who pulled the app—the developer, Google itself, or perhaps some automatic system based on customer complaints. If Google is silently pulling disputed apps while the developers protest … they’ve replicated the iPhone’s App Store. There hasn’t been much protest about the Android kill switch, and people might well be okay with pulling apps that pose security problems from the Market (especially since there are alternative distribution methods). But Android users ought to know who pulled the app, and why."

Contrast the Apple iTunes App Store, which pre-screens applications. It's unlikely for malware to get through, but the high level of gatekeeping also can keep legitimate applications out - including, controversially, competitors to some applications designed by Apple.

Elisabeth continues:

"Professor Zittrain argues for solutions that engage the community of users and don’t assume a zero-sum game. Having users test and rate applications—as they do on Android—is certainly a step in that direction. (Google removing apps without explanation would be a step in the opposite direction, and would make developers nervous.)"

Do we really need to choose between openness and security? Professor Zittrain argues that, with the help of the community of internet users at large, we should not need to. For companies in a position to act as gatekeepers seeking a balance they can live with, a high level of transparency and communication with users can help mitigate any restrictions on openness - and can help foster a more secure internet for us all.

Disclosure: Google is one of StopBadware's sponsors.