#RSAC: Android: Malware? What Malware?

Written by

Apparently there is no Android malware. (Well, that’s OK then.)

Or as The Register’s Darren Pauli puts it:

"Malware doesn't exist on Android, Google says, but Potentially Harmful Applications™ do."

He’s referring, of course, to a presentation by Google’s ‘Lead Android engineer’ Adrian Ludwig at RSA 2015, where it was apparently explained that Trojans are (like fraud and abuse) a sub-category of ‘Potentially Harmful Applications’, since Android doesn’t use the term malware internally, and that Ludwig wishes they didn’t use the term spyware either.

I’m not at (or going to) RSA, so I can’t vouch for the accuracy of this interpretation. I have seen the PDF version of the presentation, but those statements aren’t present there (though it does refer to ‘PHAs’ more than it does to malware, and the company was referring to ‘potentially harmful downloads’ at least as far back as 2011). But re-engineering common security definitions to take the sting out of them is, after all, nothing new. Consider, for instance, the first in-the-wild Word macro virus, WM/Concept: remember how Microsoft at first referred to it as a ‘Prank Macro’? That didn’t, however, make it less viral. And calling malware (malicious software) such as a Trojan ‘potentially harmful’ doesn’t make it less malicious, unless someone is trying to sell us on the concept of ‘accidental Trojans’ again.

I don’t dismiss the idea of something that tries to do something useful and/or desirable but inadvertently damaging: in nearly three decades of computing, I’ve seen lots of software – including some anti-virus updates – that might meet that definition. And in fact, I specifically (if briefly) addressed that possibility in the chapter on Trojans that I wrote for ‘Maximum Security’ (3rd and 4th editions). But that doesn’t begin to cover the sheer volume of applications categorized as malware by the security industry. According to a recent article in Infosecurity magazine by Tara Seals:

The Pulse Secure Mobile Threat Center found that nearly one million (931,620) unique malicious applications were produced last year [and] logged 1,268 known families of Android malware…

Pulse Secure’s 2014 Mobile Threat Report is stated by the company itself to be based on:

…data and research of more than 2.5 million mobile applications … [illustrating that] in 2014, nearly one million (931,620) unique malicious applications were produced, or rather a 391 percent increase from 2013 alone. Android devices continue to be the main target of malware and was 97 percent of all mobile malware developed. 

Some will say that the security companies have as much reason to exaggerate the volumes of out-and-out Android malware as Google has to minimize its impact. But at least the tone of Ludwig’s presentation is far removed from the anti-antivirus ranting of Chris di Bona, who seemed to feel that because true viruses are even rarer on Android than they are nowadays on Windows, that means a complete absence of malware.

"...virus companies are playing on your fears to try to sell you bs [sic] protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.

[…]

…No major cell phone has a 'virus' problem in the traditional sense that windows and some mac machines have seen. There have been some little things, but they haven't gotten very far due to the user sandboxing models and the nature of the underlying kernels."

Nevertheless, while Ludwig cites a number of ‘myths’, the statistics he presents don’t exactly address those myths, even if those ‘myths’ were really an accurate representation of the concerns of the security industry or, come to that, of Android users. For example:

  • Most devices aren’t protected.
  • Malware is increasing.
  • (All) malware can compromise everything.

Really? Who believes that all malware can compromise everything? And is malware less malicious if it only compromises one thing (for instance, the credentials you use to access your bank account)? Clearly, there is a conflict in perceptions between Google and the security industry.

The Pulse report’s approach – counting individual threats and families – is fairly typical of the security industry. Google, on the other hand, tends to measure impact by percentage points: for instance, Ludwig points out that ‘Ransomware is less than 0.03% of installs’, which sounds pretty trivial until you remember that according to Strategy Analytics, in 2014 ‘Android has become the first ever smartphone operating system to ship more than one billion units in a single year.’ That could add up to quite a few ransomware installs on last year’s units alone, even if you assume that Google has managed to count every instance of installed ransomware. Which doesn’t seem all that likely, though the Ludwig presentation does note that more than one billion devices are ‘verified’ by Android Safety Net.

According to Engadget, Sundar Pichai reported in June 2014 that the company had one billion active users at that point: the same article states that:

As of May 15th of last year, Android had reached 48 billion app downloads. 

According to Ludwig:

  • Less than 1% of devices have a PHA installed
  • Ransomware is less than 0.03% of installs
  • Commercial spyware is less than 0.02% of installs

Well, pick your own statistics, or treat them all equally sceptically (as I tend to). Just bear in mind that these figures could still represent huge numbers. On the other hand, that doesn’t mean you should be panicking about your exposure to malware (Sorry, PHAs.) If you take advantage of all the Google security services flagged by Ludwig and listed below, and apply liberal dollops of common sense to your attack surface, you’ll find it very much reduced.

  • Google Play (rather than unregulated sources of apps)
  • Safebrowsing for Chrome
  • Verify Apps
  • Android Safety Net
  • Device Manager

Certainly (and despite my misgivings about the way the statistics are presented) there are interesting insights in Ludwig’s presentation into Google’s strenuous efforts to make the platform more secure.

David Harley

What’s hot on Infosecurity Magazine?