Yesterday, Symantec reported that it had identified 29 malware-loaded apps that "caught the attention of a large number of users who installed them," and that the malware has potentially affected millions of people by transmitting their contact information to a mysterious third-party server. This report, like others that have cropped up in the past year, suggests that Google has a growing security problem with mobile malware, at least according to independent security firms like Symantec, McAfee, Juniper Networks, and others that have been eyeing Android as a juicy market for their protective software.
Commonly cited statistics released by these companies and others are backing up a growing folk wisdom about Android's lack of security that's often associated with its open-door app approval process. Some of these statistics say that sightings of malware have risen 472 percent in the past year, or nasty code by 37 percent, or that users are 3 percent more likely to encounter it. But what is the real risk to the platform for users? The reality is that it's probably not as bad as some firms would have you believe.
Symantec reported Android's latest malware woes yesterday, claiming that it has identified 29 apps that are designed to mimic popular games in Japan, but instead covertly transmit personal data from the phone to an external server. Symantec researcher Joji Hamada says in a blog post that the company has confirmed that the apps are malicious, and Security Week reports that Google has removed the apps from Google Play. Symantec says that the apps have been downloaded somewhere between 70,000 and 300,000 times, and that since the malware lifts contact information from phones, "potentially millions of people may be affected." But while the apps certainly appear suspect, it's not clear exactly why they are considered malware simply for transmitting personal data — as Symantec points out in the same blog post, the malicious apps all require user permission to access contact data, and transmission of personal data after gaining user access should therefore fall into the realm of expected behavior.
Symantec has used the term malware loosely before: back in January, it raised the alarm against "Android.Counterclank," a piece of "malicious code" that it found in 13 apps in the official Android store that were able to "receive commands to carry out certain actions, as well as steal information from the device." Symantec reported that this malware had affected somewhere between one and five million devices — an eyebrow-raising figure. But others like security firm Lookout disputed Symantec's classification, claiming that Counterclank isn't malware per se, but rather an "aggressive" ad SDK used to help apps monetize. Symantec then quietly stopped referring to Counterclank as malware, and instead characterized it as simply annoying.
Other firms have given dire statistics about the platform in general. Perhaps one of the most extreme is Juniper Networks, which claims Android malware samples grew by 3,325 percent in the final seven months of 2011 — a relatively useless statistic without underlying data on malware, which Juniper doesn't provide. Like Symantec, Juniper includes spyware in its stats for malware, and defines spyware as "an application that has the ability to capture and transfer data without providing an explicit means for the user to identify the application's actions" — which could potentially be just about any Android app that happens to request more information than it needs, regardless of intent. And while unnecessary data transfer certainly seems to raise privacy concerns, the use of the word "malware" is questionable in such cases where there's no foul play intended.
Derek Halliday, a security product manager at Lookout, says that it's important to look at more than specific instances of malware, and that "it is alarmist to claim that malware has increased by hundreds of thousands of percentages." Lookout provides different numbers, claiming that it identified around 400 instances of Android malware, and that in the last four months of 2011 it found that number had more than doubled to 1,000 infected apps. Jamz Yaneza, a threat research manager at Trend Micro, also takes issue with percentage-based claims, but echoes other firms in claiming that there's an upward trend of malware for smartphones and tablets. And there's also a regional issue at hand: Yaneza says that malware is "much worse" in China than it is in the US, and that most malware is not coming out of the official Google Play store — a critical distinction.
Google declined to comment on the issue of Android malware, but late last year Google open-source programs manager Chris DiBona responded to mounting claims of malware problems, saying that the anti-virus companies were acting as "charlatans and scammers" that play on fears to sell software, and that "no major cell phone has a 'virus' problem in the traditional sense." But he agreed with security firms on the popular logic of platform popularity: as a platform gets bigger, it gets more attention from consumers, and eventually becomes a bigger target for mischief.
Despite DiBona's semantic contention about viruses, some apps have caused issues for Android users, though Google has moved swiftly to correct them. The most notable instance in recent months is the RuFraud attack, which tricks users into agreeing to SMS charges by mimicking well-known apps like Angry Birds and Cut the Rope. This prompted Google to remove a total of 27 malicious apps from its app market, which Lookout estimates were downloaded over 14,000 times before being removed. And in February, Google unveiled Bouncer, an automated system that Google says it has used for some time to scan and run newly-uploaded apps and investigate developer accounts. While the company has not given any detailed statistics on Android malware, it says that it saw a 40 percent decrease in the number of potentially malicious downloads from the Android market — which would appear to be the opposite of what some security firms are saying, or at least indicate that most of the malware resides outside of the Google Play network. Lookout says that Google has also been "extremely responsive and cooperative" when notified of malware on its network.
As usual, the moral of the story here for users is to use common sense — check the apps you download for their permission requirements, and don't allow apps to use permissions beyond what they really need. Lookout says that "no single operating system or platform is 100 percent safe from security threats," but it's clear that there are realms within each platform's ecosystem, like the iOS App Store and the Google Play store, that are more secure than others. As for apps outside of the Google Play store, the situation is about the same as it would be for iOS, Windows Phone, or BlackBerry: download at your own risk. Just don't let it keep you up at night.