Carriers and developers feed on growing Android security fears — but are they real?

Mobile platforms are now one of the primary ways people connect to the internet — and as such, noted security firms like Symantec and McAfee have a major financial stake in transitioning from the desktop to the smartphone.

Android 4.0 welcome robot (STOCK)

It's been a common refrain from both mobile security firms and Android detractors for much of the last year: Google's mobile OS supposedly has a security problem thanks to a rapidly growing influx of malware. However, while statistics like "Android Malware up 3,325 percent in seven months" (as Juniper Networks reported earlier this year) can frighten the average user, it's still debatable as to exactly how fearful Android owners should be about the possibility of an infection. Shortly after Juniper's report, Google itself said that it saw a 40 percent decline in the number of potentially malicious apps in its Google Play Store in the second half of 2011. Regardless of any potential dangers, mobile platforms are now one of the primary ways people connect to the internet — and as such, noted security firms like Symantec and McAfee have a major financial stake in transitioning from the desktop to the smartphone.

McAfee has a major financial stake in transitioning to the smartphone

Recognizing that its future has to be in mobile, McAfee has enlisted the help of the true muscle of the US mobile marketplace: the carriers. About a year ago, McAfee partnered with Sprint to offer exclusive Android security apps to the carrier's customers for $20 or $30 per year, depending on the level of service you were interested in. But now McAfee has put together a deal with Verizon, the nation's biggest carrier, to offer a mobile security suite — and the two companies now have a vested interest in convincing consumers that the mobile malware threat is real.

In a press release announcing Verizon's new Mobile Security app for Android users, the carrier pulled no punches. "Many [consumers] do not realize that smartphones are susceptible to some of the same security and privacy threats that plague laptops and desktops," the release reads — just the kind of language that could help convince my parents or less tech-savvy friends to shell out the $1.99 monthly fee to protect their phones from the 13,000 unique pieces of mobile malware that McAfee claimed to find in its Q2 2012 "threat report."

Back in July, Verizon reported that half of its 94.2 million customers were using smartphones. While not all of those customers are using an Android smartphone, there's no doubt this is a large potential market who could pay either $1 (if the customer is also enrolled in Verizon's total equipment coverage insurance program) or $1.99 per month for the McAfee Mobile Security app. While the revenue from this service would pale in comparison to the $15.2 billion in revenue the carrier booked last quarter, it's still a pretty significant potential chunk of change for Verizon and McAfee to go after.

The Play Store is less restrictive than Apple or Microsoft's app stores... for better or worse

As for Google's take on the situation, the company declined to discuss issues around Android security in general, or Verizon and McAfee's partnership specifically. Still, apps like Verizon Mobile Security are a result of the openness that Google touts as a core value in Android. As far as Google is concerned, Verizon and McAfee have every right to sell a mobile security product in the Play Store — customers can vote with their downloads on whether the app is useful or not. There have been exceptions to this, of course, but the Play Store is generally recognized as a much less restrictive market than Apple or Microsoft's app stores... for better or worse.

While the Google Play Store may be more open to developers than Apple's App Store, that doesn't mean it's a lawless wilderness filled with malicious apps; unsurprisingly, Google takes security very seriously. Its Bouncer security tool that was introduced last February automatically scans any app uploaded for known malware, viruses, trojans, and the like. Additionally, Google runs every app uploaded to the Play Store in a virtual environment to check for hidden misbehavior. These security measures make Android a relatively secure platform for the majority of users, says Mike Lennon, Managing Editor of SecurityWeek.

"We've definitely seen Android threats increase," says Lennon, "but for those downloading from the Google Play Store, they're much, much less likely to have problems than, say, users in China who are using alternative markets because they don't have access to the official source." That's put Google in the unfortunate position of having to defend Android's growing reputation of insecurity when the biggest problems for the platform appear to be coming from third-party storefronts where Google has zero control. There's also the fact that most users in Western markets, where these reports of Android malware are highly publicized, don't typically access these less-secure stores.

Mikko Hyppönen of F-Secure echoes this sentiment — he told us via email that average Android users don't need to be concerned with malware, "especially if you don't install Android applications from alternative markets." That said, Hyppönen still believes "Android users still have some real-world problems compared to iPhone or Windows Phone users, who currently have no malware problems at all."

"Android users still have some real-world problems."

While Bouncer does catch malware in Google Play, it's not foolproof — in early July, Symantec identified two malicious apps in the Play Store that racked up between 50,000 and 100,000 downloads. Symantec's researchers believe that the apps bypassed Bouncer by splitting the malicious code into several pieces that were delivered remotely. A few weeks later, security firm Trustwave publicly demonstrated some of Bouncer's security holes. Still, infections such as these are relatively rare — Lennon thinks that more users should be concerned with the privacy of their personal details rather than "outright malware."

"To me, it's not the outright cyber-criminal that is the real threat right now. You're more likely to come across questionable apps that invade a user's privacy," Lennon said. He went on to note Google's practice of putting the app's permissions right up front and said, "users should question what they see there. 'Why does this game need to access my entire address book?', for example." Of course, that requires users to stop and read screens that most of them probably skip right past, either because they aren't concerned with the risk or don't understand the message.

Many times, mobile privacy breaches aren't a result of malice, but carelessness — take the example of Blue Toad, who had one million Apple UDIDs stolen a few weeks ago. The company stopped collecting UDID data months ago and the CEO said that he had "no idea the impact this would ultimately cause." At the end of the day, it appears the company was simply careless — small comfort to those whose device IDs were leaked.

As for whether Verizon and McAfee's new offering has any value, both Lennon and Hyppönen actually saw some utility in a carrier-supported solution. "I think they're playing up the FUD in the marketing somewhat," said Lennon, "but on the other hand, it's your wireless carrier — I'd think a lot of people would at least want the option." Hyppönen echoed that sentiment, saying "outsourcing security to your operator makes sense for most users. We geeks like to spend time securing our systems; most users don't." He went on to note that "end users trust the operator, and the operator is in a key position to provide security for them."

Lennon also mentioned that these apps "can do a lot more than just scan apps for malware." Indeed, Verizon's Mobile Security Premium package also offers the ability to remotely locate, lock, or wipe a lost phone — something Apple has long offered with Find My iPhone but Google has surprisingly not included in Android yet. In fact, one could argue that these remote management tools themselves are worth the $2 a month Verizon is asking — provided they work well, of course. The anti-malware tools could be a secondary benefit for a lot of users.

Will your $1.99 actually make you any safer?

Still, despite McAfee and Verizon's strongly worded press release, the Android platform is still relatively safe and secure for the majority of users who stick to the Play Store for their app needs. While there's a chance that users may run into trouble, that chance exists across all computing platforms — both mobile and otherwise. And those exploring alternative markets and sideloading apps are hopefully savvy enough to understand the risks they take. Let the installer beware: sideloaders should heed the warnings of security firms and make sure what they install won't be more trouble than it's worth, while Verizon customers should take a moment to consider whether they'll really be any safer for their $1.99 a month.