Everything You Know About Android Malware May be Wrong

The Android community is criticized for having apps that aren’t curated. People download apps that turn out to be harmful, and Google only pulls them after the fact. But is the situation out of control? Are the carriers worried yet? Is the small risk of malware a good trade to obtain the freedom of the Android market? I asked around.

On Tuesday, there was wide coverage of the Juniper Networks blog entry about the Android mobile OS leading the way with malware. The blog, which appears to be drawn from an earlier report back in May, points to a 472 percent rise in Android malware just since July of 2011. Hearing all this, Apple customers might draw the conclusion that the Android malware problem is a virtual pandemic. Or a monster waiting to consume them.

Forbidden Planet (Source: Forbidden Planet, Warner Bros, 1956)

After all, all you need to become an Android developer is US$25 to register as a developer, and you can post any application you please. And so, with that Juniper data, Google’s relaxed approach, and the freedom of malware developers, is the Android world really spinning out of control? Not yet, anyway, according to the analysts I spoke to.

A Broader Perspective

Curious, I talked to several expert technical authors who cover this field very closely: Michael Gartenberg, Sascha Segan and Dan Frommer. They had, as I suspected, interesting perspectives.

One of the most knowledgeable people about the mobile phone industry as a whole is Sascha Segan with PC Magazine. I asked Mr. Segan why, if things are really bad, no website has sprung up to do the job of curation for Android apps. He told me that even though the Android community is in a complete state of disarray, that really isn’t necessary. “The severe malware problem is mostly in China,” he said. “If ordinary U.S. users stick to the Android Market for apps and stay away from independent sites, there isn’t much of a problem. Google is actually doing okay in the U.S. with that.”

Motorola RAZR (Source: Motorola)

In addition, Mr. Segan explained, if the problem were a pandemic, the carriers would be under enormous pressure and would, in turn, put pressure on Google to do something. But right now, there’s no need for that in the U.S. When malware is found, Google removes it. Mr. Segan continued: “The much bigger problem right now, in the U.S., is the way legitimate apps spill information about you to advertisers.”

Mr. Segan also explained that what can really cause problems is when customers go outside of the Android Market and download from independent sites. At first, the carriers locked their Android smartphones to just Android’s app store, but customers complained. So now customers can download apps from anywhere. We talked about how the offset to that is that many Android phone users, just as with the iPhone, aren’t really technically deep and don’t generally wander off the beaten path. Only a small percentage of geeks do that. And if they get in trouble, they know who to blame.

Android Market (Source: Google)

Next, I chatted on the phone with Michael Gartenberg, a technology analyst for Gartner. His take is that the malware situation in the Android world is far from a pandemic and that “customers don’t need to be afraid to install apps from Google’s Android Market. Of course, it’s easy for customers to ‘side load’ apps from other sources, but most customers don’t even know those exist.”

As Mr. Segan pointed out previously, there are bigger fish to fry. Mr. Gartenberg continued: “Perhaps the bigger problem is badly written apps, apps that burn up the network — and your battery. I’ve heard about apps that don’t respect the no data roaming flag. So you get back from a foreign travel and find thousands of dollars worth of charges.”

I asked Mr. Gartenberg about mobile anti-virus software. His take is that security companies are trying to alarm customers, and it remains to be seen how effective these tools are. I note that Intego already has published VirusBarrier for iOS. And McAfee has some security tools for Android.

He did add, however, that Android apps are sandboxed like iOS apps. “… but that there are sometimes options the user has to check off for permissions and often do so without reading.” That could be dangerous for the user.

Finally, I chatted with Dan Frommer, formerly with Business Insider. He now has his own tech news site, SplatF. Mr. Frommer had his own unique take on the situation. He feels that “Google has no intention of running a well organized app shop. They fix things promptly if there’s a problem, but Google’s philosophy is largely a negative reaction to Apple’s control. Amazon has actually taken a stronger stance on app curation with its own store.”

Then we got onto the subject of whether there’s any money to be made in this free-for-all by a curation group and a website. Mr. Frommer surmised that this might be practical, but the business model and public awareness might be a problem. Whether there’s enough money in all this right now may be problematic. A blacklist site might be easier and cheaper to maintain.

My Own Observations

In my own scans of the Internet and Twitter, as a news observer, I haven’t read many stories about a stampede to buy Android malware protection. That could be either customer ignorance, overconfidence, or suspicion regarding the necessity. Or, as noted above, it isn’t a crisis yet in the U.S.

Finally, and perhaps more importantly in my own view, the carriers, who are first in line to get blamed, don’t need to care. For now. A few angry Verizon customers who got burned will get mad at their Android phone and switch to an AT&T iPhone. A few angry AT&T Android customers who are compromised will switch to a Verizon iPhone. The other vast majority probably don’t even know enough to worry. As a result, the carriers remain in churn equilibrium and don’t see a reason to spend any money, ruffle feathers or, as Mr. Frommer pointed out, seem to take unnecessary risk and responsibility with a curation process of their own.

So, it occurs to me to ask: is the apparent absolute security of the Apple and iOS world worth the trade-off against absolute freedom in the Android world? At the rate of 550,000 Android activations per day and 200 million activations to date, it seems there are plenty of people willing to take the risk for their total freedom. Or, maybe, they just like the Android phones.

You can go with this, or you can go with that.