New data from the search giant presented at the Virus Bulletin conference in Berlin shows that less than one per million (0.001%) of Android app installations from Google Play are actually malicious and cause harm to smartphone and tablet users. The data was released at the same time as a Trend Micro report showing that Android-based mobile malware and high-risk apps have reached the one million mark.
Much has been made of Google’s open-source approach to Android and the resulting security issues. Unlike Apple, which vertically integrates the hardware and software stack with strict parameters for use and development, Google throws open the Android OS for coding by third parties in a much less controlled fashion. Each handset-maker has the latitude to tweak the software for their devices, which is why the Samsung Galaxy experience is so different from, say, the Kindle Fire, even though both run on Android. Google also leaves it up to individual device-makers to decide their policy on “rooting” (the equivalent of jailbreaking), and has had little involvement when it comes to regulating any rogue app stores—of which there are many. As a result, innovation has accelerated—but malware authors have seen a fertile field to sow their seeds of data theft and illegal revenue generation; particularly since, according to IDC, Android had 79% of the smartphone market share as of the second quarter of 2013.
But Google’s Android security chief Adrian Ludwig, speaking at the conference, said that while there may be hundreds of thousands of Android malware samples in the wild, vendors have not correlated those samples with how frequently a malware app has actually been installed, which exaggerates the threat level.
Ludwig also defended Google’s open innovation model: “A walled garden systems approach blocking predators and disease breaks down when rapid growth and evolution creates too much complexity. Android’s innovation from inside and outside Google are continuous, making it impossible to create such a walled garden by locking down Android at the device level.”
He continued with his biomedical analogy, noting that “The [Center for Disease Control] knows that it’s not realistic to try to eradicate all disease. Rather, it monitors disease with scientific rigor, providing preventative guidance and effective responses to harmful outbreaks.”
For instance, Verify Apps swings into action when an app is downloaded, running it against a database of malware; it then warns the user if the app is potentially harmful. And the warning system is apparently having its desired effect: only 0.12% of users chose to ignore the warnings and install potentially hazardous apps. Other defenses include runtime security checks and sandboxing.
“An application that a user installs from a link within a text message would be included in these statistics,” he explained, responding to an assertion that most Android malware is delivered and installed from a text message. “Some of the short one- to two-day increases in ratio of installs per million apps can be attributed to text messaging or email spam campaigns.”
Ludwig said that almost 40% of malicious apps are faux apps that claim to do one thing but are actually premium SMS scams. And 15% are spyware and theft apps, like keyloggers and ad tracking. Another 40% are rogue apps that are considered “potentially harmful” by Verify Apps, but aren’t necessarily malicious.
He said that his team analyzed data from more than 1.5 billion app installs to arrive at the data points.