Everything You Know About Android Malware May be Wrong

| Analysis

The Android community is criticized for having apps that aren’t curated. People download apps that turn out to be harmful, and Google only pulls them after the fact. But is the situation out of control? Are the carriers worried yet? Is the small risk of malware a good trade to obtain the freedom of the Android market? I asked around.

On Tuesday, there was wide coverage of the Juniper Network’s blog entry about the Android mobile OS leading the way with malware. The blog, which appears to be drawn from an earlier report back in May points to a 472 percent rise in Android malware just since July of 2011. Hearing all this, Apple customers might draw the conclusion that the Android malware problem is a virtual pandemic. Or a monster waiting to consume them.

Forbidden PlanetSource: Forbidden Planet, Warner Bros, 1956

After all, all you need to become an Android developer is US$25 to register as a developer, and you can post any application you please. And so, with that Juniper data, Google’s relaxed approach, and the freedom of malware developers, is the the Android world really spinning out of control? Not yet, anyway, according to the analysts I spoke to.

A Broader Perspective

Curious, I talked to several expert technical authors who cover this field very closely: Michael Gartenberg, Sascha Segan and Dan Frommer. They had, as I suspected, interesting perspectives.

One of the most knowledgeable people about the mobile phone industry as a whole is Sascha Segan with PC Magazine. I asked Mr. Segan why, if things are really bad, why no website has spring up to do the job of curation for Android apps. He told me that even though the Android community is in a complete state of disarray, that really isn’t necessary. “The severe malware problem is mostly in China,” he said. “If ordinary U.S. users stick to the Android Market for apps and stay away from independent sites, there isn’t much of a problem. Google is actually doing okay in the U.S. with that.”

Moto RAZRMotorola RAZR (Source:  Motorola)

In addition, Mr. Segan explained, if the problem were a pandemic, the carriers would be under enormous pressure and would, in turn, put pressure on Google to do something. But right now, there’s no need for that in the U.S. When malware is found, Google removes it. Mr. Segan continued. “The much bigger problem right now, in the U.S., is the way legitimate apps spill information about you to advertisers.”

Mr. Segan also explained that what can really cause problems is when customers go outside of the Android Market and download from independent sites. At first, the carriers locked their Android smartphones to just Android’s app store, but customers complained. So now customers can download apps from anywhere. We talked about how the offset to that is that many Android phone users, just as with the iPhone, aren’t real technically deep and don’t generally wander off the beaten path. Only a small percentage of geeks do that. And if they get in trouble, they know who to blame.

Android MarketAndroid Market (Source: Google)

Next, I chatted on the phone with Michael Gartenberg, a technology analyst for Gartner. His take is that the malware situation in the Android world is far from a pandemic and that “customers don’t need to be afraid to install apps from Google’s Android Market. Of course, it’s easy for customers to ‘side load’ apps from other sources, but most customers don’t even know those exist.”

As Mr. Segan pointed out previously, there are bigger fish to fry. Mr. Gartenberg continued…“Perhaps the bigger problem is badly written apps, apps that burn up the network — and your battery. I’ve heard about apps that don’t respect the no data roaming flag. So you get back from a foreign travel and find thousands of dollars worth of charges.”

I asked Mr. Gartenberg about mobile anti-virus software. His take is that security companies are trying to alarm customers, and it remains to be seen how effective these tools are. I note that Intego already has published VirusBarrier for iOS. And McAfee has some security tools for Android.

He did add, however, that Android apps are sandboxed like iOS apps. “… but that there are sometimes options the user has to check off for permissions and often do so without reading.” That could be dangerous for the user.

Finally, I chatted with Dan Frommer, formerly with Business Insider. He now has his own tech news site, SplatF. Mr. Frommer had his own unique take on the situation. He feels that “Google has no intention of running a well organized app shop. The fix things promptly if there’s a problem, but Google’s philosophy is largely a negative reaction to Apple’s control. Amazon has actually taken a stronger stance on app curation with its own store.”

Then we got off onto the subject of if there’s any money to be made in this free for all by a curation group and a website. Mr. Frommer surmised that this might be practical, but the business model and public awareness might be a problem. Whether there’s enough money in all this right now may be problematic. A blacklist site might be easier and cheaper to maintain.

My Own Observations

In my own scans of the Internet and Twitter, as a news observer, I haven’t read many stories about a stampede to buy Android malware protection. That could be either customer ignorance, over confidence, or suspicion regarding the necessity. Or, as noted above, it isn’t a crisis yet in the U.S.

Finally, and perhaps more importantly in my own view, the carriers, who are first in line to get blamed, don’t need to care. For now. A few angry Verizon customers who got burned will get mad at their Android phone and switch to an AT&T iPhone. A few angry AT&T Android customers who are compromised will switch to a Verizon iPhone. The other vast majority probably don’t even know enough to worry. As a result, the carriers remain in churn equilibrium and don’t see a reason to spend any money, ruffle feathers or, as Mr. Frommer pointed out, seem to take unnecessary risk and responsibility with a curation process of their own.

So, it occurs to me to ask: is the apparent absolute security of the Apple and iOS world worth the trade-off against absolute freedom in the Android world? At the rate of 550,000 Android activations per day and 200 million activations to date, it seems there are plenty of people willing to take the risk for their total freedom. Or, maybe, they just like the Android phones.

You can go with this, or you can go with that.

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

12 Comments Leave Your Own

Lee Dronick

So, it occurs to me to ask: is the apparent absolute security of the Apple and iOS world worth the trade-off against absolute freedom in the Android world? At the rate of 550,000 Android activations per day and 200 million activations to date, it seems there are plenty of people willing to take the risk for their total freedom. Or, maybe, they just like the Android phones.

There is probably more than just a few reasons. Price, salesperson’s recommendation, anti-Apple sentiment? Recently my sister was going to buy my niece an iPhone, but the Verizon guy talked her into an Android device.

You can go with this, or you can go with that.

Bosco (Brad Hutchings)

Funny, that’s pretty much what I’ve been telling people here for almost 2 years. Apple has pretty much been conducting security theater with its heavily curated approach.

John, you might not call what Android does with apps “sandboxing”, but on the continuum from wide open desktop execution to however ideal and secure you think the iOS execution model is, running Java byte code in Dalvik is 98+% toward the latter.

As the competition between Android and iOS emerged, I always thought that Apple seemed to be guided by “keeping its 30%” rather than actually making mobile products that suited most segments of the market. In retrospect, that seems doubly true (good or bad). The latest evidence, BTW, is the success of Financial Times’ HTML delivery for its content.

@Lee: The Verizon guy recommending an Android phone isn’t necessarily anti-Apple bias. In the $150 and above range on contract in an LTE market, that Android phone is arguably a better phone unless the customer has a whole bunch of legacy Apple content (e.g. apps).

amergin

Nice article. This is the first time I’ve thought seriously about looking in to the android market as a developer.

mactoid

Until that memorable summer afternoon in 2007 when I bought my first iPhone, I had been a committed Palm OS user.  I started with a Pilot 1000, then upgraded every couple of years, until my last device, a T|X.  My experience with the Palm OS has made me an ardent supporter of the Apple screening process.  While viruses/trojan horses weren’t an issue back then, poorly designed and nonfunctional software was. Nearly every-time I’d download a new piece of software (or even update an old one), my entire device would crash and I’d have to begin the tedious process of trying to figure out what program wasn’t playing nice with the others. It was bad enough on my PDA; on my phone, it would suck.

So, for those people who buy an Android phone so they can download any program they want, I say “Vaya con Dios”.  As for me, I appreciate Apple screening the programs and making sure they do what they say they do, they don’t do things that are hidden, and don’t contain malware.

Bosco (Brad Hutchings)

Google engineer Chris DiBona has some strong comments covering the three major mobile platforms. Short story: viruses are B.S.

mhikl

It?s all elementary, my dear Watson, after the fact. Better to skip the possibility of the fact rearing its ugly head.

It?s more in the ecosystem, assured updates, selection of apps, quality build, bragging rights, and sandbox insurance. Profits assist the company in all these endeavours (sadly lacking with the riff-raff), so here there will be no sticking one?s nose up to reliable surety.

Forgot to mention, longevity.

mhikl

And the plethora of iPhone cases and other neat gotta haves.

adam22030

He did add, however, that Android apps are not sandboxed like iOS apps.

Really? I would love Mr. Gartenberg to explain how Andoroid apps are not sandboxed.

John Martellaro

adam22030: I got an e-mail from an Android developer who pointed out that Android apps are, in fact, sandboxed. It might have been a miscommunication.

KS2 Problema

Thanks for this even-handed appraisal of the risks facing Android users—and the ginned up pop media hysteria distorting folks’ perception of the dangers, real and contrived.

mediumguy

As far as curation goes, it seems to me that there is no real evidence that Apple’s curated approach offers any great security than the Android Market. Unless Apple has hundreds (or, given the number of apps submitted for approval, thousands or tens of thousands) of security experts scouring the source code of submitted apps - and I believe that they only examine compiled apps not the code - then, they are not going to find anything that is hidden with even a modicum of care. It’s hard enough to find security holes in code even when you know what you are looking for and, if the malicious behaviour was only set to activate under certain conditions - time-related, connection to certain domains, any number of possibilities really - then the behaviour of any given app would appear fine until well after approval was given.

joel

Microsoft offers free phones http://techworldtimes.com/microsoft-offers-free-phones-training-webos-devs

Log-in to comment