Is Android becoming the Windows of mobile malware?

android virus

Juniper Networks is raising eyebrows in the mobile industry this morning with a new report claiming the incidence of malware targeting Android devices has risen by 472 percent since July of this year. Presumably, that number is augmented by “hundreds” of malware samples the company uncovered in a series of third-party Russian app stores. Juniper describes the Russian malware cache as just the “tip of the iceberg,” believing there may be thousands of more malware apps waiting to be discovered.

Although many security firms still characterize the threat of mobile malware as relatively low, it’s important to know that those firms are generally comparing the number of threats faced by Android and other mobile operating systems to the those faced by Windows — which is the absolute king of malware, assaulted by hundreds and even thousands of new trojans, worms, exploits, and variants every day. Saying a platform faces a low threat compared to Windows isn’t saying much at all.

But Juniper’s figures highlight the growing threat of mobile malware, particularly on Android. How do Juniper’s numbers hold up, what’s to blame for rising Android malware, and how can Android users protect themselves and their devices?

Juniper’s figures

Juniper Networks Android Malware infographic Nov 2011

According to Juniper Network, the amount of malware targeting Android has jumped by 472 percent since July, punctuated by very sharp increases in October and November. Juniper says they were seeing steady increases in the amount of Android malware they intercepted in July and August, which saw incidence rates increase by 10 and 18 percent, respectively. However, in September Juniper intercepted more than double the amount of Android malware it had in July (up 110 percent) and that figure jumped to either 111 or 171 percent from October 1 through November 10. (See Juniper’s infographic for more detail—the infographic claims a 111 percent increase most recently, But Juniper’s text says 171 percent.)

The figures echo similarly alarming percentages from other security vendors. This summer, Trend Micro claimed the incidence of Android malware had increased 1,410 percent from January to July 2011. It published an infographic, too.

Curiously, Juniper provides no hard figures to accompany its percentages, so it’s difficult to know what those percentages mean in absolute terms. It would be nice to compare the number of malware apps out there (and their interception rates) to the number of available Android apps or the number of apps distributed over the same period of time. After all, if a small town of 5,000 people had one serious traffic accident in 2010 and then two serious traffic accidents in 2011, the rate would be up by an alarming 100 percent! However, number of accidents in proportion to the number of drivers — let alone the number of hours driven in the town during the year — would still be very, very low. Juniper Networks does describe the cache of Russian malware it found as “hundreds” of apps, but it’s not clear if those are included in the firm’s 472 percent increase, and offers no other hard figures.

Symantec and Kaspersky similarly offer percentages for recent increases in Android malware, but seem to withhold hard figures — or, at least, I haven’t been able to find them. McAfee is slightly more helpful: In August it reported a 76 percent increase in malware targeting Android during the second quarter of 2011, and gave a specific number of threats it had identified: 44. Just this week, McAfee described the total number of malicious apps in the wild as “approximately 200“—and that’s across all platforms, including Symbian, Java ME, Windows Mobile, iOS, and others.

The number of apps available on the Android Market stands at about 350,000. Although the total number of threat apps is never truly known — even to security researchers — the alarmingly large percentage figures from Juniper and McAfee do seem to suffer from a bit of the small-town problem. Despite some high-profile malware removals from the Android Market (like DroidDream trojans earlier this year),  in absolute terms, Android malware still a very small portion of the broader Android software ecosystem.

Types of Android malware

There does seem to be basic agreement on the types of Android malware out there. The bulk acts as spyware and tries to steal personal data, including contacts, location, personally identifying information email, messages, and data stashed in log files and other areas of the device. Spyware can also potentially control an Android device, meaning it could place calls, send messages, restart apps, disable locks, control vibrate alerts, and (of course) access the Internet to send collected data to the malware authors — or download and install new malware packages.

Spyware represents a bit of a longer-term game for malware authors: They’re hoping they’ll get usable (and sellable) information by keeping an eye on users’ phones, and they’ll make their money selling collected email addresses (and potentially financial information) to spammers and cybercriminals.

One form of Android malware that has immediate payoff for malware authors is are SMS Trojans: apps that appear to do something fun or useful, but in the background send SMS messages to premium rate numbers — the same way many voting competitions, music and ringtone services, and other businesses collect money via text messages. Once those messages are sent, the malware authors have their money, and consumers don’t have much (or any) recourse. The bulk of Android malware apps Juniper says it found in Russian third-party Android markets are SMS Trojans.

Pointing fingers

So even if malware isn’t quite overrunning the ecosystem yet, where is all this malware coming from? Security firms seem to pretty squarely place the bulk of Android malware at the feet of cybercriminals who used to target Java ME and Symbian phones. As those platforms have declined, they’ve moved along to Android, which enables them to leverage some of their working knowledge of Java and is also, conveniently, now the world’s hottest-selling smartphone platform.

In terms of distribution, security firms all agree that third-party Android app stores run a higher risk of malware than trusted sources. A number of Android exploits have been distributed via third-party app stores in Russia and China — heck, one Chinese example of Android malware uses a public blog as its command-and-control center. The appeal of these app stores in their respective markets is obvious: They use local languages, and their selection of apps and new items is going to be much more in tune with local culture than the broader Android Market. Nonetheless, most of those app stores are completely unregulated and unmonitored: Almost anyone can upload anything, safe or not.

That doesn’t let Google’s Android Market off the hook. Although McAfee recommends Android Market specifically as a trusted source for safe Android apps, other security outfits aren’t so kind. Juniper in particular rips into Google’s management of the Android Market:

“These days, it seems all you need [to upload malware to Android Market] is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications,” Juniper wrote in its blog. “With no upfront review process, no one checking to see that your application does what it says, just the world’s largest majority of smartphone users skimming past your application’s description page with whatever description of the application the developer chooses to include.”

Google famously does not review submissions to the Android Market, or require code-signing by a trust authority, although developers must at least code-sign with self-signed certificates. Although Google will remove malicious apps once they’re discovered, realistically that can’t happen until the apps have victimized users.

Staying safe

Android users can take some basic steps to keep their devices and their data safe. Good tips include:

  • Disable the “unknown sources” option for installing apps in the Android device’s Applications Settings menu. This will help prevent users from inadvertently installing software when, say, accidentally following a malware link in an SMS message, spam, or social networking site. It will also keep the device out of most third-party Android app stores, which seem to be a prime distribution vector for Android malware. However, this may not be an option if users need to sideload custom Android apps for, say, business or work purposes.
  • Research apps before downloading or buying them. Try to stick with apps that have broad third-party recommendations and come from reputable publishers. Check both an app’s and publisher’s ratings.
  • Carefully check app’s permissions. When you install an app, Android will present a list of hardware and software components that the app wants to access, including things like location data, a device’s camera, the Internet, storage, system tools, MMS/SMS, and making phone calls. If the requested permissions don’t seem reasonable, don’t allow the app to install. For instance, a game probably doesn’t have any need to access your contacts, and a photo organizer doesn’t need to send SMS messages.

Makers of security and antivirus software will, of course, recommend users download, install (and, hopefully, purchase) antivirus software for Android. However, the jury seems to be out on how useful security and antivirus apps are for Android — at least at the moment. A new study from AV-Test (PDF) finds that almost all free Android malware apps don’t offer significant protection against existing Android malware. Paid Android security packages from F-Secure and Kaspersky fared better, but only managed to detect about half the installed threats tested by AV-Test, although they did very well with blocking malware installation.

The most important thing is probably to be aware that there is malware for Android, and let common sense be your guide. If an app seems to good to be true, it might just be carrying a hidden payload that’s after your money and personal information.

Wearables

To be blunt, the Vuzix Blade smartglasses just don’t cut it

We tried out the Vuzix Blade to find out if it’s worth shelling out $1,000 for smartglasses. Are these augmented reality, Android-powered glasses really ready for primetime or just an expensive gimmick that no one really needs?
Mobile

Google insists it’s doing what it can to purge Play Store of malicious apps

Google's efforts to provide a secure and safe Play Store for Android users resulted in the company rejecting 55 percent more app submissions in 2018 compared to a year earlier. But the challenge is ongoing.
Computing

These are the 6 best free antivirus apps to help protect your MacBook

Malware protection is more important than ever, even if you eschew Windows in favor of Apple's desktop platform. Thankfully, protecting your machine is as easy as choosing from the best free antivirus apps for Mac suites.
Mobile

You can now get Google Fi SIM cards straight from Best Buy

Google's wireless service known as Project Fi, now goes by the name of Google Fi. The company also announced the service is now compatible with a majority of Android phones, as well as iPhones. Here's everything you need to know about…
Mobile

The Moto G4 Plus is finally getting the update to Android Oreo

We've reached out to every major Android hardware manufacturer and asked them when they will update their devices to the latest version of Google's mobile operating system, Android 8.0 Oreo.
Mobile

Need a date for Valentine's Day? Cozy up with the best dating apps of 2019

Everyone knows online dating can be stressful, time-consuming, and downright awful. Check out our top picks for the best dating apps, so you can streamline the process and find the right date, whatever you're looking for.
Product Review

Nokia’s 3.1 Plus is an affordable phone that’s crippled by its camera

The Nokia 3.1 Plus is HMD Global’s first smartphone to be sold by a U.S. carrier in-store. It’s only available on Cricket Wireless right now, which underlines its focus on affordability. Should you buy a phone this affordable?
Mobile

Love music? For audiophiles, the LG G8 ThinQ may be the best phone ever made

LG is expected to release a successor to the LG G7 ThinQ, possibly called the LG G8 ThinQ, this year and rumors about it are already spreading. Here's everything we know about it so far.
Mobile

Smartwatch sales soared in 2018, with Apple leading the charge

The NPD Group, a market research organization, has reported smartwatch sales soared in 2018. Apple is leading the charge, but it's clear there's still room in the market for competitors, as Samsung and Fitbit also did well.
Mobile

Love Playmoji pack adds animated Valentine’s stickers to your Pixel photos

Valentine's Day is here, and to celebrate, Google has added the "Love Playmoji" pack to the Playground feature on its Google Pixel camera. The new feature will add cute AR-driven extras to your Pixel photos.
Mobile

Xiaomi Mi 9 will be one of the first phones with monster Snapdragon 855 chip

Xiaomi's next major smartphone release will be the Mi 9, and the company hasn't held back in giving us a good look at the phone, revealing the design, the camera, and a stunning color.
Wearables

Galaxy Watch Active isn't official yet, but you can see it in Samsung's own app

Samsung may be about to resurrect its Sport line of smartwatches under a new name: The Galaxy Watch Sport Active. Leaks and rumors are building our picture of the device at the moment.
Mobile

Stop buying old tablets, says Samsung, buy the new Galaxy Tab S5e instead

Samsung has launched the Galaxy Tab S5e -- the E is for Essential -- a reasonably priced tablet that includes many of the features we like from the Tab A 10.5, and the Tab S4. Here's what you need to know.
Mobile

Bag yourself a bargain with the best budget tablets under $200

The battle for your budget tablet affections is really ramping up. Which tablet, costing less than $200, should be commanding your attention? We take a look at some different options for the budget-conscious.