Slashdot Mirror


F-Secure: Android Accounted For 97% of All Mobile Malware In 2013

An anonymous reader writes "Back in 2012, Android accounted for 79 percent of all mobile malware. Last year, that number ballooned even further to 97 percent. Both those data points come from security firm F-Secure, which today released its 40-page Threat Report for the second half of 2013. More specifically, Android malware rose from 238 threats in 2012 to 804 new families and variants in 2013. Apart from Symbian, F-Secure found no new threats for other mobile platforms last year."

193 comments

  1. And 80% of mobiles by Anonymous Coward · · Score: 0

    So let's not make a mountain out of a whorehill.

    1. Re:And 80% of mobiles by Plumpaquatsch · · Score: 1

      So let's not make a mountain out of a whorehill.

      So Android has 97% of all mobile software written for it? 80%? Is it at least the platform where most of the mobile software appears first?

      --
      Of course news about a fake are Fake News.
  2. welcome to the big time by smash · · Score: 5, Insightful

    Linux is secure, right? Isn't Android Linux?

    This is what you get running unsigned code from anywhere people! The last 30+ years of malware on Amiga, DOS, Windows, Unix, Linux, etc. should be a lesson. Trust code to execute by default and this is what you get. Rely entirely on the end user to determine whether or not code is legitimate, and this is what you get.

    The average Joe is not capable of making that decision. Sure, it sucks, but them's the breaks.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    1. Re:welcome to the big time by jedidiah · · Score: 0, Flamebait

      What kind of crack are you on?

      Unix and Linux have no malware to speak of and they are completely open platforms.

      On the other hand, Android has problems with "signed code". Yes. That's right. Android has problems with its "app store". This isn't your grandfather's Windows style malware.

      This is the end user installing stuff that's compromised.

      All trojans all the time.

      Entirely different problem.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:welcome to the big time by smash · · Score: 1, Insightful

      So, have you ever heard of a root kit? Linux has plenty of malware, and I have personally rebuilt compromised hosts. "Oh but that bug was in sendmail" or whatever you say. Cop out.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re:welcome to the big time by smash · · Score: 2

      Also. You are arguing that trojans are NOT malware? Seriously? Of course they're fucking trojans. That's the point. The end user is in no way qualified to determine that software is NOT a trojan, and this is why them having root on a device with full ability to run any shitware trojan they like is never going to work. We've had 30 years hammering this point home time and time again. It's not going to change.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    4. Re:welcome to the big time by Opportunist · · Score: 1

      Security is the minimum of "how secure the system can be" and "how secure the user can be". Not the average of them. The minimum. The most secure system is worthless if a user allows any kind of code to run. Likewise is the best security professional without a chance when facing an inherently insecure system.

      The only way to avoid this is to go the Apple way: Simply taking the choice out of the user's hand. You may only run what we deem ok.

      There is no "right" or "wrong" in this. If you want to have control over your system, it is your responsibility to keep it secure. If you don't want to deal with it, hand it over to some entity that keeps you safe... or at least claims it does.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:welcome to the big time by swillden · · Score: 5, Insightful

      Android has problems with its "app store".

      RTFA (I know, I know, new here and whatnot):

      The title of the article is "F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play".

      Essentially all of the Android malware comes from non-Google app stores, or sideloaded APKs. And with respect to the malware that does manage to make it into the Play Store, F-Secure says "the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.”

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:welcome to the big time by msauve · · Score: 2

      It's just a matter of how big the target is. Right now, Android is the largest mobile platform, so that's where the malware is directed. It's a crime of opportunity, no different than Windows on the desktop.

      It's not proof that Apple's iOS or MacOS or Windows mobile are intrinsically more secure, but that they're smaller targets. How much malware is there directed to FreeBSD or OpenBSD or vxWorks in comparison? Emphasis on comparison - sure, there's malware directed at anything which might be Internet facing, but the more esoteric stuff is more specifically targeted, like Stuxnet.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    7. Re:welcome to the big time by DNS-and-BIND · · Score: 2

      It comes down to: would you rather have Security, or Freedom?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    8. Re:welcome to the big time by Anonymous Coward · · Score: 0

      The average Joe is not capable of making that decision. Sure, it sucks, but them's the breaks.

      Average Joe crashes their car too. So they should not drive either?

      It's rather sad that you blame the end user for their ability to exercise their freedom on Android devices. Might as well say "North Korea is Best Korea!".

      http://www.ktlit.com/wp-conten...

    9. Re:welcome to the big time by symbolset · · Score: 1

      This is why I wanted to see the story posted. There is no significant risk as long as you use a trustworthy app store. I knew there were people to come to complain that Linux/Android was insecure and they needed a good correcting. Thanks.

      --
      Help stamp out iliturcy.
    10. Re:welcome to the big time by symbolset · · Score: 1

      If someone chooses to run apps from every random stranger on the Internet then they should not be surprised that some of those apps do things they didn't want them to do. That shouldn't even be called a Trojan - it needs its own name. 'Tardware is too insensitive. Maybe "surpriseware" or "Programmer's choice app". It seems the people who complain the most about Android security are the most "special".

      --
      Help stamp out iliturcy.
    11. Re:welcome to the big time by symbolset · · Score: 4, Insightful

      If you can make a computer so simple even an idiot can use it, only an idiot will want to. I like Android's balance with Google play here. Stick with Google Play and you are good to go. Want to adventure? Enable side loading and have at it. Your choice. The complainers appear to be the sort who disable the safety features and then harm themselves, and blame Google for their own screwup.

      --
      Help stamp out iliturcy.
    12. Re:welcome to the big time by Anonymous Coward · · Score: 0

      Wow lay off the drugs.

      Linux has plenty of malware, in the form of entirely self-contained binary executables that rely on nothing. But this is a minority.

      The majority of malware for linux servers is in a form that can also affect FreeBSD, Mac OS X, and any other OS that has PHP on. This is of course the "deeply obfuscated rootkit"

      But that's not what this article is about. This article is about client-end malware, which is a PEBKAC. No matter how hard we try, the average child is smarter than the average adult when it comes to bypassing security protections designed for their own protection.

      As long as Android remains "rootable", it will be heavily affected by malware. I don't see this ever changing, Android is a lost cause, and nobody cares because the hardware people (eg Samsung) only care about selling hardware, they could care less what you do with it. Likewise the cell phone carriers also don't care what you do with it. Hell they practically encourage malware by not demanding that their devices stay up to date, and the end-user is the one who pays for it with exorbitant data charges.

      Want to see malware on mobile devices go away? Don't make the devices so easy to jailbreak/root. The standard distribution on the devices should not have access to the networking hardware of the device unless signed. Like the physical networking parts (802.11 and LTE), should refuse to talk to the operating system without loading signed firmware. Unsigned software should not be permitted to access the networking stack without the device consulting a blacklist/whitelist.

      That only solves part of the problem.

      The other half of the problem is the same way people play pirated software. Again the main solution to this is by only permitting software downloaded from the App store, but can also be accomplished the same way stuff on *nix servers are verified. That being that the software fingerprint is checked against the "trusted source"

      Don't allow untrusted software to run. That's a given. Unfortunately the average end user doesn't know the difference, and when their buddy bobby from across the street tells them there's all this free stuff on the unofficial android store, he neglects to mention how it's all stolen and malware laden.

    13. Re:welcome to the big time by Anonymous Coward · · Score: 1

      So if popularity is all there is to it, explain why apple hasn't been hit with anywhere near as much malware in the years between 2007 and 2010-2012 when they were the dominant smartphone platform? Answer: because popularity isn't the only factor.

    14. Re:welcome to the big time by WaffleMonster · · Score: 1

      This is why I wanted to see the story posted. There is no significant risk as long as you use a trustworthy app store.

      It is not possible to check every application to see if it is harmless or not. Nobody has those kinds of resources.

      I knew there were people to come to complain that Linux/Android was insecure and they needed a good correcting. Thanks.

      I think it is 100% accurate to say Android is insecure by design in much the same way DOS era Windows file sharing is 100% insecure by design.

      Android is intended for a mass market audience of people who know nothing about computers or software threats... Knowing this the designers decided the only access controls would be take it or leave it DEMANDS made by APPLICATIONS. This is why Android is insecure by design... it totally and utterly fails to protect the USER in the most basic rudimentary way possible.

    15. Re:welcome to the big time by Anonymous Coward · · Score: 1

      0.1 at that scale is actually a pretty big number.

    16. Re:welcome to the big time by mcl630 · · Score: 2

      On the other hand, Android has problems with "signed code". Yes. That's right. Android has problems with its "app store". This isn't your grandfather's Windows style malware.

      Read TFA:

      "Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play"

    17. Re:welcome to the big time by symbolset · · Score: 3, Interesting

      It is not possible to check every application to see if it is harmless or not. Nobody has those kinds of resources.

      You do know we're talking about Google, right? Why would Google not have those kinds of resources? They scan the Internet every day, upload an hour of video every second, filter spam for hundreds of millions - better than anybody, and they made Android so they have the inside track on detecting undesirable code.

      I think it is 100% accurate to say Android is insecure by design in much the same way DOS era Windows file sharing is 100% insecure by design.

      These two things are unrelated. Now you seem to be saying you're complaining about Android security because others complain about the security of your preferred system. That is not relevant. Also, it's a confession that your argument lacks merit. Maybe not the direction you wanted to go.

      Android is intended for a mass market audience of people who know nothing about computers or software threats... Knowing this the designers decided the only access controls would be take it or leave it DEMANDS made by APPLICATIONS. This is why Android is insecure by design... it totally and utterly fails to protect the USER in the most basic rudimentary way possible.

      Now we are talking about a totally different thing - apps which require excessive permissions. As in, the end user gets to decide how much access he is willing to give each application. This is not malware at all and off topic for the discussion, but let's cover it. This is restraining applications that want to be more than the end user wants them to be, giving the end user full disclosure when an update seeks to do things it didn't do before. You make it sound like a bad thing, when in fact it's an enhancement above the other methods of application security provided by the system that empowers the user to be more restrictive than any algorithm could appropriately be. You make it sound like a bad thing. It's not.

      --
      Help stamp out iliturcy.
    18. Re:welcome to the big time by Anonymous Coward · · Score: 0

      Because they were barely a smartphone platform.

      Early iPhones couldn't even copy/paste, remember?

    19. Re:welcome to the big time by Anonymous Coward · · Score: 0

      Did you really just ask why there is more malware now than there was in years past? Really?

      Answer: times change; explosion in mobile device popularity; explosion in internet commerce popularity; mobile platforms have only recently been considered a serious target for criminal activity. Also: walled garden; Apple's history of bricking rooted devices. Also also: Apple was never "the dominant smartphone platform"; please see Symbian, RIM, and currently Android. Supplemental: you're a moron.

    20. Re:welcome to the big time by tech10171968 · · Score: 1

      Have you never asked yourself why Android is getting all of these attacks, but you rarely (if ever) hear anything about Debian/Ubuntu/Red Hat/Arch/Slackware/whatever distro suffering the same fate? Are they not Linux OS's, too? In fact, I think it's Dalvik that's getting exploited rather than the kernel itself; I could be wrong but that's pretty much the biggest difference I see between the vanilla-variety distro and Android. I will admit that your point about running strange code from untrusted sources is 100% correct - that's going to eventually bite you in the ass regardless of the OS you're running.

      TL;DR - If we're talking attack vectors then it might be helpful to remember that GNU/Linux != Dalvik/Linux

      --
      This space for rent!
    21. Re:welcome to the big time by Anonymous Coward · · Score: 0

      If you rebuilt a compromised host due to somebody leveraging a bug in sendmail, then the admin is/was a moron. Processes should not be run with root privileges, and any public-facing system should be configured in such a way as to limit the damage that can be caused by compromised service accounts. See: PEBKAC; ID10T error.

    22. Re:welcome to the big time by tlhIngan · · Score: 1

      Essentially all of the Android malware comes from non-Google app stores, or sideloaded APKs. And with respect to the malware that does manage to make it into the Play Store, F-Secure says "the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.”

      Except well, for some markets, like say, China, the only app stores available are third party ones with questionable trust values.

      And that checkbox is useless because there are perfectly valid reasons why you want to install apps not from Google Play - Amazon App Store, and Humble Bundle, for instance. Legit app stores, but by using them you have to disable one of the most powerful protections Android has.

      Of course, the real reason Android is exploited more is easy - it's so damn easy to install well, pirated apps. Why spend $5 on some high end game when you can download it for free from AppCake and other sites? And given how many people grab trojaned installers and keygens on Windows, people assume that cracked and pirated apps are "clean" and blindly install them.

      Sure you can pirate apps on iOS, but you need to jailbreak or find someone to do enterprise signing for you. Though with Apple buying TestFlight (one of the largest ways to "beta" test or test-sign apps) I guess Apple might crack down on users who use it just to sign cracked apps. Either way, it's a step up in difficulty. Though, for some peculiar reason or other, no one has tried to trojan a cracked app for iOS. There are iOS worms that exploit the fact that people blindly install OpenSSH and don't change the password, but cracked apps on iOS oddly haven't been trojaned. There's certainly no reason why they can't, but given how long iOS piracy has been around, it seems unusual.

    23. Re: welcome to the big time by Anonymous Coward · · Score: 0

      So what you are saying is: an idiot can use a spoon. Therefore only idiots use spoons...

      Flawed logic much?

    24. Re: welcome to the big time by Anonymous Coward · · Score: 0

      Security will also imply freedom -- freedom not to worry, and to use your time on more 'interesting' things.

    25. Re:welcome to the big time by Anonymous Coward · · Score: 0

      I knew there were people to come to complain that Linux/Android was insecure

      It is insecure and there is a huge list of vulnerabilities.
      Drive-by malware
      EZ2Use exploit of another drive-by vulnerability
      Here is a list of 30 other serious vulnerabilities many of which do not require authentication and provide remote access.

      And that is before you even take a look at all the trojan malware out there that breaks from the application sandbox to take control of the system.

      So instead of just pretending it is secure and sticking your head ignorantly in the sand why don't you wake up and actually take notice. Stop being a denier just because you love the platform, it's just a computing platform you don't have to defend it like it's a person.

    26. Re:welcome to the big time by exomondo · · Score: 1

      It comes down to: would you rather have Security, or Freedom?

      They aren't absolutes. You never have 100% security or 100% freedom and most people would rather a device that can only access a particular app store (Apple's or Google's) as the tradeoff is a much lower security risk (see TFA which states that only 0.1% of the malware is in Google Play). It isn't a case of "you use an iPhone and they took away your freedom!", that's just rubbish fear-mongering, nothing was taken away at all, you have just chosen a device that has certain particular limitations. For some reason (actually it's clearly because they are pushing an agenda) some in the freedom camp like to portray this as your freedom being taken away, but it clearly isn't.

      Saying that you shouldn't choose a device that has software limitations doesn't sound nearly as nefarious as "the corporations are stealing your freedom" so I get the reason for the FUD but I really wish it would stop and then perhaps such people would be taken seriously.

    27. Re:welcome to the big time by jones_supa · · Score: 1

      If you can make a computer so simple even an idiot can use it, only an idiot will want to.

      How do you know that? I use many things that even an idiot can use, and still find them useful even when I'm not a complete idiot myself.*

      *) Some people may disagree.

    28. Re:welcome to the big time by Plumpaquatsch · · Score: 1

      What kind of crack are you on?

      Unix and Linux have no malware to speak of and they are completely open platforms.

      AKA the Voldemort solution to malware. If we don't mention it, it doesn't exist.

      --
      Of course news about a fake are Fake News.
    29. Re:welcome to the big time by Plumpaquatsch · · Score: 3, Insightful

      If you rebuilt a compromised host due to somebody leveraging a bug in sendmail, then the admin is/was a moron. Processes should not be run with root privileges, and any public-facing system should be configured in such a way as to limit the damage that can be caused by compromised service accounts. See: PEBKAC; ID10T error.

      Yeah, good thing there aren't any privilege escalation bugs in the Linux kernel. Ever.

      --
      Of course news about a fake are Fake News.
    30. Re:welcome to the big time by smash · · Score: 2

      You completely missed my point. The entire point is that relying on the end user, who has no access to the source code to verify the operation of the app they are about to install, and no way to verify whether or not the code that was published has been altered, to verify whether or not they want to run it is inherently flawed.

      It's easy enough to run anything you want on iOS - get your own cert, and compile/sign it yourself. Doing that DOESN'T open you up to any and all possibly dodgy code running on your device.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    31. Re:welcome to the big time by smash · · Score: 2

      No, it's the user who is getting exploited. And that's the point: the average end user (and in the case of more advanced malware, the average technical user, or in fact anyone who hasn't been able to audit the application source code) is vulnerable to this sort of malware.

      Using an app store plus code-signing enables a trusted third party to audit the code, and sign it as approved to run on the device. In the case of appliances like phones, tablets, etc., expecting your typical non-technical user to audit source code for every app they install is unrealistic.

      In the case of loading an app onto an android device from a third party, it's a crap shoot. You are basically guessing that the particular installer you are running is not a trojan. You may be basing that on app reputation, etc. but have no real clue whether or not it has been time-bombed, for example. You're guessing, flying blind.

      It's pure luck and lack of true malicious developers on the platform that the android malware situation right now is not a LOT worse. And it's nothing to do with exploiting the JVM, kernel or whatever - it's purely due to the end users of consumer devices not being interested in becoming security experts. They are (rightly so) not interested in it.

      Signed-code only, whilst being restrictive in what you can run takes that burden off the user. If the user truly wants to run something that the vendor will not sign, in the case of iOS it is simple enough to get a developer subscription and compile it from source yourself.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    32. Re:welcome to the big time by smash · · Score: 1

      Ahh bringing logic to a slashdot argument. Prepare for the down-mods.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    33. Re:welcome to the big time by Anonymous Coward · · Score: 0

      Stick with Google Play and you are good to go.

      Well, 99.9% of the time ...

    34. Re: welcome to the big time by Anonymous Coward · · Score: 0

      How would you know? Apple AV?

    35. Re:welcome to the big time by Beardo+the+Bearded · · Score: 1

      And that checkbox is useless because there are perfectly valid reasons why you want to install apps not from Google Play - Amazon App Store, and Humble Bundle, for instance. Legit app stores, but by using them you have to disable one of the most powerful protections Android has.

      Don't forget AdBlock. You have to allow every library on earth to install AdBlock for Android.

      I don't understand why we have to allow every ppa one at a time to install unverified code on Linux, but for Android the choice is "play in the sandbox" or "everyone on earth is allowed on your phone... er, their phone."

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    36. Re:welcome to the big time by mlts · · Score: 1

      Nail, head hit. There are two choices:

      1: Buy a device that disallows access to the user for anything except inputting a credit card number and buying apps through only specific channels. Access to the hardware will never happen. Take iOS: A user can't footshoot themselves, but neither can they use their device other than the way Tim or the late Steve wants them to. Want to run a Wi-Fi signal scanner or some specialty software... heck, even a Bitcoin wallet? You can play the jailbreak game, but with Apple controlling both the hardware and software down to the CPU, there will be a point where JB-ing just isn't possible or doable in any usable form... or if it is, it gets detected and the phone disabled via an e-Fuse like mechanism.

      2: Buy a device that can allow one to click some "accept" buttons and allow themselves to shoot themselves in the foot. Yes, malware can be an issue with this since full control of the device can be obtained by the user.

      We had this same war in the early 1990s when TV set top boxes were poised to bring us an Internet analog, but open computers won out. Do we want to lose this victory and go back to only allowing corporate board members having the ability to dictate what we can and cannot do with -our- devices... the ones that we paid for?

      I prefer option #2, and some type of speed bump, so the user can leave the walled garden, but they are alerted to the fact so they know damn well they cannot just walk into Mordor. Right now, the Nexus line does a good job of this, because one has to do several deliberate actions to get root or developer access... something that can't just be done by accident.

    37. Re:welcome to the big time by geekmux · · Score: 1

      Also. You are arguing that trojans are NOT malware? Seriously? Of course they're fucking trojans. That's the point. The end user is in no way qualified to determine that software is NOT a trojan, and this is why them having root on a device with full ability to run any shitware trojan they like is never going to work. We've had 30 years hammering this point home time and time again. It's not going to change.

      People have unprotected sex with strangers they just met 3 hours ago. This isn't some kind of virtual virus that would crash their damn phone, this is a risk of an actual virus that can take their life.

      And yet STDs run rampant in our society. HPV is worse than we ever imagined.

      Until you can change the mentality towards actual virus infections, don't expect people to act any smarter about virtual ones. People demand these features on their phones. It will only change when the majority are tired of it. That time will come. The majority of people didn't bother to run anti-virus 20 years ago too. Things change as people become wiser to the threatscape. Most people are simply ignorant though, and won't do jack shit until it affects them directly.

    38. Re:welcome to the big time by tlhIngan · · Score: 1

      2: Buy a device that can allow one to click some "accept" buttons and allow themselves to shoot themselves in the foot. Yes, malware can be an issue with this since full control of the device can be obtained by the user.

      We had this same war in the early 1990s when TV set top boxes were poised to bring us an Internet analog, but open computers won out. Do we want to lose this victory and go back to only allowing corporate board members having the ability to dictate what we can and cannot do with -our- devices... the ones that we paid for?

      I prefer option #2, and some type of speed bump, so the user can leave the walled garden, but they are alerted to the fact so they know damn well they cannot just walk into Mordor. Right now, the Nexus line does a good job of this, because one has to do several deliberate actions to get root or developer access... something that can't just be done by accident.

      Except you're ignoring the Dancing Pigs (or rabbits, or porn, or whatever) problem.

      Because #2 is easily accomplished by jailbreaking on iOS as well, and even back when it was an involved procedure of over 100 steps, you could easily get Joe Average to do it if you could motivate them. (Pirated apps, "sexy cheerleaders see pic!" apps, etc). In fact, the first iOS worm came about because a ton of people were jailbreaking and part of the process involved installing OpenSSH. And they were leaving the password at default.

      These people jailbreaking weren't motivated by "openness" to get them to jailbreak, they wanted to do something - perhaps some cool app or something, so they blindly followed all the steps, including downloading and installing an SSH client on Windows, so they could have the cool app.

      It turns out that Android permission lists, steps to allow non-market binaries, etc., are no match. I mean, you can trust Amazon.com to not screw you over, or Humble Bundle. I mean, there's nothing wrong with leaving that unchecked, after all, Amazon and Humble Bundle need it, so it's safe, right?

      And there you go - roadblocks are levelled. Joe User, in an attempt to get Amazon's free app of the day, or spending $5 on an Android game bundle, will now disable the very protection that keeps him safe. All his friends need to do is show him some cool app and send it to him and he'll blindly install it. (I'm actually surprised this hasn't really happened yet - remember all those Windows worms that inspected your contact list and sent themselves to everyone on them? It only takes a little brainpower to see how malware could easily do the same over SMS or something).

    39. Re:welcome to the big time by mlts · · Score: 1

      The dancing rabbits problem will be a constant plague, unfortunately. It is a choice of lesser evils... allow users to have full access to their device and even with all the warnings, give them the ability to auto-footshoot, or take everything away and have everything happening on a device be at the whim of whatever corporate marketing drones are in charge.

      This is the same problem with desktop machines. Do we want full control of our machines, or do we want to cede all authority to a third party who promises to keep us safe at night?

      I do agree that Android's permission model needs a shot in the arm. In addition to the all/nothing permissions shown before installation, the device should prompt a user to allow/deny permission to something on first use, be it contacts, the phone itself, photos, the SD card, the microphone, the speaker, etc. Of course, even this runs into issues because too many prompts are like the firewall programs of the early 2000s or Vista's UAC, where the user just starts tapping "Allow". However, it would definitely shore up a weakness in Android.

    40. Re:welcome to the big time by WaffleMonster · · Score: 1

      You do know we're talking about Google, right? Why would Google not have those kinds of resources?

      Nobody does, humanity lacks the tools necessary to accomplish this feat in general purpose software.

      They scan the Internet every day, upload an hour of video every second, filter spam for hundreds of millions - better than anybody, and they made Android so they have the inside track on detecting undesirable code.

      Then why has Google not used this mythical capability to plug all the security leaks in their own Android operating system? A quick search shows hundreds of documented failures.

      http://web.nvd.nist.gov/

      Even my Google search results - the core competency that makes google google still contain as much useless garbage spam as ever.

      These two things are unrelated.

      Try explaining this to victims of a premium SMS scam.

      Now you seem to be saying you're complaining about Android security because others complain about the security of your preferred system.

      I think all of the major mobile platforms profit from selling out and treating the user like shit. I dislike them all.

      That is not relevant. Also, it's a confession that your argument lacks merit. Maybe not the direction you wanted to go.

      Why is it not relevant? What part of my argument lacks merit?

      Now we are talking about a totally different thing - apps which require excessive permissions. As in, the end user gets to decide how much access he is willing to give each application. This is not malware at all and off topic for the discussion, but let's cover it.

      Since when is Malware only defined as malware as long as it executes as root? An app that uploads all of my contacts to a criminal organization or participates in a premium dialing/SMS scam WITHOUT any root privileges **IS** malware to me and anyone affected by it.

      The distinction of TFA is what is irrelevant. All that matters is what is actually happening in the real world not technical distinctions which most users do not understand.

      This is restraining applications that want to be more than the end user wants them to be, giving the end user full disclosure when an update seeks to do things it didn't do before. You make it sound like a bad thing,

      It is a proven failure. You can "inform" users and feel well they were warned and it is out of your hands all you want. "Full disclosure" as a security model is the same thing as clicking "I Accept" on the EULA without reading it. Users don't have a real choice to control what an application does they have a binary decision .. an ultimatum either you let me do this or you don't get shit. This model in the real world is a failure.

      when in fact it's an enhancement above the other methods of application security provided by the system that empowers the user to be more restrictive than any algorithm could appropriately be. You make it sound like a bad thing. It's not.

      All that is needed are user controlled options when installing an app the OS should ask you to pick from a menu of permissions or create a custom profile for that app. It should NOT present the user with an ultimatum.

      I install a flashlight app and it does not get any I/O access to any network, touch the filesystem, access my GPS location..etc. The operating system should go as far as having the capability to lie convincingly to the application if requested by the user.

      The "bad thing" occurs when the OS vendor has a vested interest in the app environment and ad revenues. Protecting the user is subjugated to making App vendors happy.

    41. Re:welcome to the big time by Anonymous Coward · · Score: 0

      How else was I supposed to root my kindle?

    42. Re:welcome to the big time by Anonymous Coward · · Score: 0

      Yep... nothing like the logic of insisting upon a hypothetical exploitation scenario with a screwy config, unpatched application software, and an unpatched kernel, while arguing against the concept of the responsible admin being a moron.

      *looks at name*

      Oh, yeah... you're the guy who just makes up his own facts, berating others for presuming to tell the truth. Logic, I suppose, is not as objective an idea as I thought.

    43. Re:welcome to the big time by BasilBrush · · Score: 1

      Right, people won't change. That's the argument for curated app stores. Have qualified people look at the software first to weed out the malware. And in the worst case where malware slips past, and makes it into the store, once one person finds it and reports it, it's removed from download to everyone.

      It's no coincidence that 97% of mobile malware in the last year was on Android, and there was zero on iOS.

      Apple have solved this problem. Google can't now - the cat's already out of the bag for Android.

    44. Re:welcome to the big time by BasilBrush · · Score: 1

      It is not possible to check every application to see if it is harmless or not. Nobody has those kinds of resources.

      And yet the report says that there was zero malware discovered on iOS last year. It seems Apple know something you don't.

    45. Re:welcome to the big time by DarthVain · · Score: 1

      Having just turned off security briefly to install flash for a specific application I can tell you that in order to do it, you have to go into security and select the ability to do so. When you do it pops up a message that basically says "By doing this if you totally screw up your device you know it is totally your fault right, and don't come to us all whiny about it. You sure you want to proceed?"

      If you aren't comfortable with that, click no.

      That said, it isn't something that I would get into a habit of doing. I will stick with Play. Hell there are applications in Play that can't barely not be called Malware, but at least they tell you about it first, even if you might ignore all the permissions the application is asking for.

    46. Re:welcome to the big time by vandamme · · Score: 1

      >>It is not possible to check every application to see if it is harmless or not. Nobody has those kinds of resources.

      Well, Canonical does. Google can't afford it?

  3. android was never meant to be highly secure by TheGratefulNet · · Score: 1, Flamebait

    think of why it exists: it gets google your eyeballs and your time. with that, they are wildly successful.

    beyond that, they could give a flying fuck. seriously. they don't exist for user experience, safety, privacy (ha!) or quality. as long as it's 'good enough' to keep eyeballs glued there, that's all they care about.

    I can't wait for a true '3rd option' (not apple and not android) to come on the market. I don't enjoy or trust either of the two existing choices.

    --
    "It is now safe to switch off your computer."
    1. Re:android was never meant to be highly secure by rsborg · · Score: 2

      I can't wait for a true '3rd option' (not apple and not android) to come on the market. I don't enjoy or trust either of the two existing choices.

      What, WindowsPhone isn't good enough to qualify as that "3rd option"? Seriously, you can still get a blackberry, WinPhone or just a plain ol dumb phone that tethers really well (my TMO plan has free tethering) and run an iPod touch or equivalent.

      --
      Make sure everyone's vote counts: Verified Voting
    2. Re:android was never meant to be highly secure by smash · · Score: 1

      There's.... Windows :D

      Ironically, I would wager Windows mobile is probably the most secure of the mobile platforms at the moment.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re: android was never meant to be highly secure by Anonymous Coward · · Score: 0

      >I can't wait for a true '3rd option' (not apple and not android)

      With any luck, that option will be Jolla's Sailfish.

    4. Re:android was never meant to be highly secure by skids · · Score: 4, Funny

      True, leaving the device powered off permanently in its shrinkwrap on a store shelf does make it rather secure.

    5. Re:android was never meant to be highly secure by rmdingler · · Score: 1

      I'm wondering if he personally contacted all eleven users.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    6. Re:android was never meant to be highly secure by Anonymous Coward · · Score: 0

      50 million users, dumb basement dwelling mouthbreathing dweeb, at least update your bullshit. That's way more than desktop Linux.

      http://www.ubergizmo.com/2014/...

    7. Re:android was never meant to be highly secure by Vermifax · · Score: 1

      What dumb phone provides tethering?

      --

      Vermifax

      Logout
    8. Re:android was never meant to be highly secure by Anonymous Coward · · Score: 0

      50 million users,

      I have one of those Nokia 625s. It was given to me by a company I do some work for. Apparently they're the free option on the phone company's cheapest business plan, where the old dumbphone candy-bar Nokias used to be.

      That's where their market is, not competing with real smartphones.

    9. Re:android was never meant to be highly secure by Zontar+The+Mindless · · Score: 1

      Who pays for the "privilege" of doing something the device is already entirely capable of doing? I sure as hell don't.

      --
      Il n'y a pas de Planet B.
    10. Re:android was never meant to be highly secure by fsck-beta · · Score: 1

      Thank goodness not everyone lives in a country where tethering costs money.

    11. Re:android was never meant to be highly secure by Dahan · · Score: 1

      What dumb phone provides tethering?

      I haven't been paying attention to the current crop of dumb phones, but back when I was using them, it was pretty much a standard feature. E.g., Nokia 8290 had a v.32 modem and an IR port, and IR was pretty common on laptops of the day. Point the two at each other, and you can start a PPP connection to your dialup ISP. Then when GPRS data became popular, I had a Siemens M46, which didn't have an IR port, but if you got the data cable, you could plug it into a serial port and tether by setting up a PPP connection that dialed a special phone number (*99# or something like that). And my last dumb phone was a Motorola V195, which showed up as a serial port when you plugged in the USB cable, and again, you could tether by setting up a PPP connection. Actually, I think you could also tether over Bluetooth DUN, although I may be thinking of another phone.

    12. Re:android was never meant to be highly secure by Zontar+The+Mindless · · Score: 1

      I am aghast at the notion that there's a country where it does cost money. It's simply unconscionable.

      --
      Il n'y a pas de Planet B.
  4. Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

    Let me guess... they counted the same malware once for each make and model of phone it affected?

    1. Re:Is this like that old study of Linux malware? by smash · · Score: 3, Informative

      No. Android security is currently just that bad. For several reasons, not least of which is likely due to the massive number of handsets that are abandoned software-update wise upon release.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:Is this like that old study of Linux malware? by esldude · · Score: 2

      Well sort of. If you restrict yourself to Google's Play store for software the rate was .1%. The rest, almost all of it in this case, came from other stores for Android software. Mostly Saudi Arabia and India. So it would be nice if Android were more interested in security, but on the other hand it isn't the huge dramatic result that would warrant the headline. Stay with Google Play and things are pretty safe.

    3. Re:Is this like that old study of Linux malware? by smash · · Score: 1

      Isn't the entire selling point of android that you can install software from wherever you like though? This study simply validates Apple's decision to more strictly control what software is allowed on their devices. For those users who do need to install anything they like, they can still do it without compromising the security of their device by getting a developer certificate.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    4. Re:Is this like that old study of Linux malware? by vux984 · · Score: 2

      Isn't the entire selling point of android that you can install software from wherever you like though?

      Well, one of several selling points.

      This study simply validates Apple's decision to more strictly control what software is allowed on their devices.

      97% of all murders happen in societies that don't put all their citizens in cages. Does that validate the idea that everyone should live in a cage?

      For those users who do need to install anything they like, they can still do it without compromising the security of their device by getting a developer certificate.

      What about 3rd party software that Apple doesn't allow on its app store from trusted parties? Like... most anything GPL? Should I really need a developer certificate to use a fully vetted repo maintained by the FSF or whatever?

      What about, something like the humblebundle, where I can buy a license to a game for any platform it's available on... except iOS, even if it's available for iOS, because: Apple.

      Or if steam wanted to include mobile games? Again: Not allowed on apple.

      There's a lot of good things out there that Apple's lock in prevents. And no, a developer certificate, and an annual fee for the privilege of not using the apple store all the time is not a solution.

      If you don't want to compromise the security of your device, don't do your app shopping in the equivalent of back alleys and asian night markets. And guess what, most android users don't. Nearly all north american android users stick to the default app store(s). And of those that don't, the vast majority of them are still fine -- they are using the humblebundle app in addition to google play for example to load their humble purchases.

      Android malware really just affects that group of people who are trying to get pirate copies of paid apps and such on asian app stores... I mean how many warning bells should that set off?!!

      And even on android it's a small problem... if you have a million iphones and a million androids, and of them 3 iphones have malware, and 97 androids have malware, that's still 97% of malware is on android -- but it's still a very minor problem, that only affects people who do REALLY stupid things.

    5. Re:Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      "Entire selling point"? I'd like to look at marketing brochures where you read that.

      It is a selling point, but given the breadth of current Android user base and breadth of feature sets of current Android devices, I don't think it's anywhere near "entire selling point".

      PS: By the way, did you know that the switch to enable third party software installs is off by default? The only difference is you don't need to ask kind masters from Cupertino to give you generous permission to control your own device.

    6. Re:Is this like that old study of Linux malware? by blargster · · Score: 1

      And even on android it's a small problem... if you have a million iphones and a million androids, and of them 3 iphones have malware, and 97 androids have malware, that's still 97% of malware is on android -- but it's still a very minor problem, that only affects people who do REALLY stupid things.

      I think you missed the part of the original posting where the 3% of the non-Android malware referred to Symbian. There were no instances of malware on iOS.

    7. Re: Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      Visited a web site on Android the other day and found a new APK in my downloads related to some fake antivirus app. I suspect a lot of people end up installing these drive bys and get stung.

    8. Re:Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      Yes, you should get a developer certificate, download the source and compile/sign it yourself.

    9. Re:Is this like that old study of Linux malware? by WaffleMonster · · Score: 1

      Well sort of. If you restrict yourself to Google's Play store for software the rate was .1%. The rest, almost all of it in this case, came from other stores for Android software. Mostly Saudi Arabia and India. So it would be nice if Android were more interested in security, but on the other hand it isn't the huge dramatic result that would warrant the headline. Stay with Google Play and things are pretty safe.

      Trusting security to app store screeners is not a viable solution. Either devices are designed to tolerate the most malicious software possible by default or they end up accounting for 97% of all mobile malware.

      Even if there were no platform security vulnerabilities and the system worked 100% as intended I would not expect much to change. The core problem with Android is applications dictate privileges to the user in a take it or leave it manner rather than users having any ability to make decisions based on their interests. Fixing this problem, giving users the power undermines Google revenue streams.

    10. Re:Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      When you buy a humblebundle that has iOS (or if you buy... from pretty much anyone something on iOS outside the app store) you are sent a redemption key. Nothing evil or different has changed.

      As for FSF/GPL. That's a political organization akin to NSA/GunRights. By using such software you are making a political statement that freedumb trumps safety(tm), the vast majority of people around the world don't know freedumb from safety(tm) and that is why we don't let dumb people buy guns. Yet we invite dumb people to jailbreak their devices. It's a good thing that a cell phone can't kill people any easier when jailbroken. At least not yet.

      By killing people of course I'm talking about setting the batteries to explode or inducing the charger to electrocute someone who handles it.

    11. Re:Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      97% of all murders happen in societies that don't put all their citizens in cages. Does that validate the idea that everyone should live in a cage?

      Please don't give the GP any ideas, he/she/it is liable to try getting such an idea before a government agency.

      Back on topic:
      Android / Linux is like any other OS, it can be compromised if some user decides (knowingly or unknowingly) to run a rootkit. Saying that appstore X should protect the user from themselves is just shifting the blame away from where it belongs.
      Really the issue is the user / owner, like the GP said. Taking away control of the system from the user / owner however, is not the answer.
      If anything that makes the user / owner even more exposed to malware, because the vendor is not required to keep the system updated. Most users can't update their systems, either because they lack programming skills or for those that do they encounter legal issues, encrypted bootloaders, signed software requirements, poorly designed systems, etc.

      Users and owners are not required to properly secure their systems nor even know how to use them safely. They ignore best practices, never read the prompts that come up, reuse the same passwords over and over again, not give a crap about what they do with their personal data or who has access to it. Heck most assume that if the device is sitting on the desktop with no windows open, then the system is not doing ANYTHING. (No memory management / I/O checks / Process scheduling / etc.) It's the equivalent of allowing a two-year-old to drive a car. If they were held liable for their lack of ability this issue would get resolved VERY quickly.

      Users are not the only ones to blame however. Developers are constantly pressured to make software and products that "just work". This means that security is kept at a minimum, because a user / owner will expect that like a toaster (thanks Jobs....), all they have to do is plug it in. If that is not the case, the user / owner assumes it's broken / defective and will want their money back. With the whole Internet of Things crap on the horizon, it's only going to get worse. Personally I think it will take Megaman Battle Network levels of bullshit just to get the public to realize that the idea of putting EVERYTHING online for convenience has its consequences.

      Realistically the only way to resolve this issue is to better educate the public and get them to take security seriously. It is a challenge because they currently have been trained not to care, but it can be done if we are persistent.

      Vendors and developers must take charge in this and force security on the public. They must make it so that the public must secure their devices for them to work, and that they lack an unsecure alternative for the public to run back to. (For those who say what about all of the older hardware that won't get updated, a lot of the current stuff is designed to fall apart anyway, and the biggest threat is the general public that buys a new device every time the old one has an issue.) They could push it as a response to the NSA spying in the US. (Bonus if you live outside the US, it also counts as an anti-US agenda if you are into that kind of thing.)

      Another thing that must be done is that vendors and developers must update their software / products when a bug is found. Not try to cover it up, and not say that the fix is a new product. If they won't do this, then vendors and developers should be required to allow the user / owner to update the software themselves. For those who lack the skill to do so, we need a way for those people to be able to get updated software easily, and for them to know how to do so. (Yes that includes actually getting them to do it.)

      This is a resolvable issue, but it won't get resolved until the public has the will and the capability to do so.

    12. Re: Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      So have I, in much the same way I've visited a webpage on my PC and my browser has asked whether I want to save the file. Granted, the file probably shouldn't be downloaded automatically, but what the hell are people doing running the APK, and then accepting the permissions, most likely giving access to contacts, SMSs & phone calls.

      There's a guy who rents desk space in our office - self employed, so uses his own PC, but we provide support (as well as bespoke software etc) - who will merrily download and install whatever he sees on the internet and in emails*, no matter how many times I've explained to him. Now I just flatten his PC (and take my time to do so), unless he's backed up personal stuff on it, it's gone, plus he loses at least a day of business due to his stupidity. In fact this is now our state policy.

      If we discover malware on your PC, which we determine was installed by you and takes more than 15 minutes to remove, the machine will be flattened. All business data and emails are already backed up, onus is on you to backup personal data

      That guy is the person who will end up installing malware on his phone, not because he's too stupid not to**, but because he has no interest in learning how not to fuck up the tools he uses to earn money.

      * He had the gall to tell me that I should email the office warning them about spam emails containing attachments. In ten years he's the only person who's received an email "from the bank", read it and still managed to determine it was from the bank, downloaded the zip file, opened the zip file, run the executable file and installed the ransomware.

      ** He's pretty fucking stupid though.

    13. Re:Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      Trusting security to app store screeners is not a viable solution.

      But but "IOS: It just works and has no malware." .. And NO FREEDOM (to watch flash, customize, sideload apps, etc). Unless you pay for developer license, and unless you jailbreak it. And then you're right there with android.

      Meanwhile has anyone figured out a fix for IOS 7 update disabling rear facing cameras? Besides paying $270 for replacement if you're out of warranty.

    14. Re:Is this like that old study of Linux malware? by vux984 · · Score: 1

      When you buy a humblebundle that has iOS (or if you buy... from pretty much anyone something on iOS outside the app store) you are sent a redemption key. Nothing evil or different has changed.

      This is factually incorrect. Apple does not allow you to sell a product for the apple store outside of the apple store, and then provide a redemption key.

      The humblebundle does not do this, and would not be allowed to do this.

      As for FSF/GPL. That's a political organization akin to NSA/GunRights.

      Nutter.

    15. Re:Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      That's absolutely hilarious. You think an OS must "tolerate" the most malicious software possible?

      So how do you propose to eradicate malware that takes your phone / contact list and encrypts it to hold it hostage? Keep in mind that you can't ask the typical stupid user because they'll clickspam their way through "next" or "yes" because they have no fucking clue what they're clicking on as they don't bother reading (even if it allowed individual permission restrictions)

      Oh what's that? You can't think of anything because a large number of legit apps *NEED* this information? (Alternate dialer / voip app, share-to-friends in a game, etc)

    16. Re:Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      Antivirus software makers are not allowed to scan apps, and cannot detect any malware / spyware on i things.

      95% of the store could be riddled with malware and nobody would know better.

    17. Re:Is this like that old study of Linux malware? by Anonymous Coward · · Score: 0

      Technically, it's 0% -- not .1%. Even the article notes that malware is pulled in a "timely manner" (i.e. immediately).

  5. saw that coming by invictusvoyd · · Score: 1, Interesting

    Not surprised. When will I be able to run a full distro on one of them phones?

  6. Open but not open enough. by Anonymous Coward · · Score: 0

    Google's abandonment of APIs once they are moved into Google Play would have to have no small part in this.

  7. Google Made a Core Mistake with "OPEN" by BoRegardless · · Score: 3, Insightful

    It sounds nice in the hacker world, but in the hands of the 'average Joe', an "Open Handset" is an invitation to have your bank account stolen.

    1. Re:Google Made a Core Mistake with "OPEN" by Anonymous Coward · · Score: 0

      Number of Android phones I've seen customized by the end user because they're open source: 0

    2. Re:Google Made a Core Mistake with "OPEN" by Anonymous Coward · · Score: 0

      You obviously haven't looked very hard, or more likely, not recognised it when you have seen it.

      Never seen a CyanogenModed phone?

    3. Re:Google Made a Core Mistake with "OPEN" by Anonymous Coward · · Score: 0

      welcome to management, here's a nice gold watch.

    4. Re:Google Made a Core Mistake with "OPEN" by EvilSS · · Score: 1

      welcome to management, here's a nice gold watch.

      You're obviously an impostor, otherwise you would know that the watches are made from platinum, dolphin leather, and powered by the tears of the poor.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    5. Re:Google Made a Core Mistake with "OPEN" by Anonymous Coward · · Score: 0

      That's not a problem with open, but with "I want it all, easy and without these nasty 'Do you really want to do this' boxes and I don't like to think about my actions. I am an adult !!!111!!!11eleven!". Way too many people fall for too good to be true offers or don't even read the fine print.

  8. We're number one! by roc97007 · · Score: 0

    But seriously, malware tends to target the top player in the market (by numbers). Nothing really to see here.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:We're number one! by Anonymous Coward · · Score: 0

      true. I also find it hard to believe they found "nothing to see" over there.

    2. Re:We're number one! by smash · · Score: 4, Insightful

      Then explain the lack of similar quantities of malware for iOS between 2007 and 2012?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re:We're number one! by roc97007 · · Score: 3, Funny

      Obviously, the malware is so well written that nobody has found it yet.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    4. Re:We're number one! by skids · · Score: 1

      Nobody needs to write malware when you're accepting any cert from any server. You can do it all server side.

    5. Re:We're number one! by rmdingler · · Score: 0

      Just like the very best counterfeit money.

      The Craftsman/Craftstress behind either shenanigan will not be needing to work, then, unless they get nicked.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    6. Re:We're number one! by Anonymous Coward · · Score: 0

      Targeting is one thing but being 97% successful is something else. I mean Android is a fucking sieve apparently.

    7. Re:We're number one! by Waffle+Iron · · Score: 0

      Then explain the lack of similar quantities of malware for iOS between 2007 and 2012?

      It's for the same reason that the murder rate inside Disney World is very low.

    8. Re:We're number one! by Bing+Tsher+E · · Score: 1

      So you think the statistic means that any malware publisher will be 97% successful in penetrating any phone running android that they target?

      Where were(n't) you educated?

    9. Re:We're number one! by steveha · · Score: 4, Insightful

      explain the lack of similar quantities of malware for iOS between 2007 and 2012?

      Because of Apple's "walled garden". The only way to get apps for iOS is from Apple's store, and Apple tries to keep the malware out.

      Apple always charges $100 to put an app in the store, so malware has to make at least $100 before it is discovered or the person who put the malware on the store loses money.

      The "walled garden" does have advantages.

      Personally, I like having a device where I can install anything I want... but I pretty much just get stuff from the Google Play store. If I need an SSH app, and I see one with over 30,000 votes rating it 4 or 5 stars, I'm pretty sure it won't be malware when I download it.

      And according to TFA, almost all of the malware was side-loaded. Almost none of the malware came from the Google Play store. Thus, Android gives me the advantage of the walled garden, while still being more free than iOS.

      P.S. The reason I went with Android rather than iOS was Apple's policy of no interpreters and no emulators. I wanted Python and games emulators. Apple has since then unbent a bit, but Android has always allowed you to install whatever sorts of apps you prefer.

      Thus I am able to install interpreters and emulators, without rooting my phone, and getting them from the Google Play store. Why wouldn't I want this?

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
    10. Re:We're number one! by Anonymous Coward · · Score: 1

      Apple already took all your available cash?

    11. Re:We're number one! by invictusvoyd · · Score: 1

      Anything which comes out of pure commercial interests will eventually perish .. due to bad / "spreadsheet led" decisions . The whole mobile thing going around these days is built around commercial interests unlike the "Linux" thing we had going some years (decades) ago which was primarily academic with some commercial participation . I miss that "old" purist feel .
      There is no number one here :(

    12. Re:We're number one! by Hamsterdan · · Score: 1

      I dunno, there are now some Jar-Jar mascots

      --
      I've got better things to do tonight than die.
    13. Re:We're number one! by Vitriol+Angst · · Score: 1

      "You run OS X?"

      Yeah, your brother's sister's hairdresser had all this malware -- and of course all those security firms who present dire warnings every week in order to drum up business.

      Did "You" actually have malware that effectively exploited your machine? Or are you just here to add balance because you've "heard" rumors? What was the name of this malware -- what did it do? How did it exploit the system?

      There are problems and benefits of all kinds of systems -- but what we don't need is people throwing around FUD -- leave that to the experts at Forbes or some computer magazine.

      --
      >>"ad space available -- low rates!!!"
    14. Re:We're number one! by Vitriol+Angst · · Score: 1

      Is it $100 each time, or is that $100 for the development kit?

      --
      >>"ad space available -- low rates!!!"
    15. Re: We're number one! by Anonymous Coward · · Score: 0

      "Anything which comes out of pure commercial interests will eventually perish ... "

      Yeah... like banks, automobiles, and credit cards

    16. Re:We're number one! by Anonymous Coward · · Score: 0

      Anything which comes out of pure commercial interests will eventually perish .. due to bad / "spreadsheet led" decisions .

      Like agriculture? Or Prostitution? or The shipping industry. or Mining?

      Yes I see your point.

    17. Re:We're number one! by Anonymous Coward · · Score: 0

      I did, when you posted this same question as AC upthread:

      Did you really just ask why there is more malware now than there was in years past? Really?

      Answer: times change; explosion in mobile device popularity; explosion in internet commerce popularity; mobile platforms have only recently been considered a serious target for criminal activity. Also: walled garden; Apple's history of bricking rooted devices. Also also: Apple was never "the dominant smartphone platform"; please see Symbian, RIM, and currently Android. Supplemental: you're a moron.

    18. Re:We're number one! by vallette · · Score: 1

      You're wrong. Apple charges $99 per year for a developer's license which allows you to post as many apps to the App Store as you'd like (provided they're approved). Xcode, the IDE, is free. So no, an app doesn't have to make $100 to break even and I'd guess that the $99 price of entry to post as many apps as you'd like wouldn't deter a malware author any more than it discourages the casual developer that provides their app for free.

    19. Re:We're number one! by Anonymous Coward · · Score: 0

      Like agriculture? Or Prostitution? or The shipping industry. or Mining?

      Agriculture came out of population explosion in the cities. It was the only option to avoid famine

      Prostitution .. Well god made Adam , then he made eve and then she whored it out or something .. still not entirely commercial ..

      Shipping came from a raft .. not commercial ..

      Mining is best done on other planets .. for those who have never seen a mining site .. it looks like hell.

    20. Re:We're number one! by Anonymous Coward · · Score: 0

      No it doesn't, if you try to put Malware up your license will be revoked, you will then have to pay another $99 for each piece of malware you publish, it is therefore a very expensive exercise to get malware put in the store.

    21. Re:We're number one! by Anonymous Coward · · Score: 0

      If I need an SSH app, and I see one with over 30,000 votes rating it 4 or 5 stars, I'm pretty sure it won't be malware when I download it.

      Because we've never heard of things like vote rigging (facebook, slashdot poll, google play, ios appstore comments, amazon, etc).
      Thinking Santa is real has to be nice.

    22. Re:We're number one! by smash · · Score: 1

      It's $100 for a number of support incidents and a developer certificate which enables you to use the free development tools to upload your code to a real device.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    23. Re:We're number one! by smash · · Score: 1

      Did you really just ask why there is more malware now than there was in years past? Really?

      Yes.

      Answer: times change; explosion in mobile device popularity; explosion in internet commerce popularity; mobile platforms have only recently been considered a serious target for criminal activity.

      That's your inference, that is not backed up by any real world data. The iOS market is large and was previously larger than the android market. In terms of web usage stats, iOS leaves android for dead. So one would think that the platform most actually used would likely pose a significant target. Yet in the past 12 months there were ZERO incidents of malware reported for iOS. Zero.

      Yes, the real answer is due to the "Walled garden" (which is easy enough to work around if you get your own developer cert to sign the code you want to run).

      The android approach of allowing the user to just turn off all security by enabling "run code from anywhere" has been proven for the past 3-4 decades to not work. The amount of malware available for android out there is continuing to prove that to be the case.

      Also, we're not just talking about smartphones - tablets also, along with ipods. The total of all those devices (i.e., the potential malware install base) would be far larger than the install base of RIM or Symbian.

      And by lowering yourself to petty name calling, you've just lost any sort of credibility you may have had.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    24. Re:We're number one! by smash · · Score: 1

      Also: I don't post AC.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    25. Re:We're number one! by Anonymous Coward · · Score: 0

      That's your inference, that is not backed up by any real world data.

      It is my inference, but it is also backed up by real world data. Anyone who hasn't been in a coma for the past twenty years can attest to this; it's a subject of much conversation, actually, and is utterly absurd for you to deny.

      The iOS market is large and was previously larger than the android market.

      In raw numbers, it's large; statistically, it's a minor player. Only fools and liars mix raw numbers and stats in the same argument. Which are you?

      In terms of web usage stats, iOS leaves android for dead.

      See? Back to statistics. Care to explain what all that malware is doing on devices that power 80% of the market, if they aren't using bandwidth? What's that? Your stats are cherry-picked bunk? Really?

      Yet in the past 12 months there were ZERO incidents of malware reported for iOS. Zero.

      Derp: http://www.theguardian.com/technology/2014/feb/12/feeling-smug-that-your-iphone-cant-be-hacked-not-so-fast. That's the very first link in a Google search for "ios malware."

      The android approach of allowing the user to just turn off all security by enabling "run code from anywhere" has been proven for the past 3-4 decades to not work. The amount of malware available for android out there is continuing to prove that to be the case.

      Proven how? And to what end? How does the approach "not work?" The wild success of Windows and Android, two of the top platforms in the world, which just happen to have this feature, seems to discount this. Going out on a limb, I'd say "that's your inference, that is not backed up by any real world data."

      Also, we're not just talking about smartphones - tablets also, along with ipods. The total of all those devices (i.e., the potential malware install base) would be far larger than the install base of RIM or Symbian.

      Now, yes? In the periods when those devices were, by far, the top dogs in mobile computing (which, coincidentally, was the entire point of mentioning those two companies; your dismissal of that is a straw man), that's simply not true.

      And by lowering yourself to petty name calling, you've just lost any sort of credibility you may have had.

      Says the guy who blathered out a post chock-full of fallacies, falsehoods, and loaded statements. I don't think I'll lose any sleep over having called you a moron, pal.

    26. Re:We're number one! by Anonymous Coward · · Score: 0

      Because we've never heard of things like vote rigging (facebook, slashdot poll, google play, ios appstore comments, amazon, etc).
      Thinking Santa is real has to be nice.

      I'm laughing at you now. Thanks for that; it improved my mood a lot! :-D

      If you think that the malware authors are able to game the Google Play store to the tune of 30,000 votes, and nobody will notice and Google won't do anything about it... do you also believe that aliens built the Pyramids? Or that PHP doesn't suck?

    27. Re:We're number one! by BasilBrush · · Score: 1

      It's for the same reason that the murder rate inside Disney World is very low.

      Security. Yes, that's it exactly.

    28. Re:We're number one! by BasilBrush · · Score: 1

      Of course if any malware is discovered, that developer account is closed, with no refund, and no chance of reopening with the same credit card/mail address etc. And the possibility of a police investigation.

      So yes, it is more of a discouragement than for the ordinary developer.

  9. Android allows users to install apps, news at 11 by Anonymous Coward · · Score: 0

    This is really only news if they managed to get apps into a reputable app store, in particular Google Play. If they got malware into some Chinese Android piracy site, that's not news.

    Hey look, the second half of the headline, suspiciously omitted covers this: "but only 0.1% of those were on Google Play"

    Whichever marketing droid for $AndroidCompetitor who got this slanted summary onto slashdot has earned his money.

  10. This feels like a distraction... by Anonymous Coward · · Score: 0

    We've just learned that an iOS bug has left it wide open for how many years? OSX too...and the patch/hole was just released/announced last week?

    1. Re:This feels like a distraction... by Anonymous Coward · · Score: 0

      The bug didn't make iOS "wide open" even by a stretch, and it's not years, it's about months - the bug was introduced in iOS 7 and OS X 10.9. It's not present in iOS 6 or OS X 10.8.x.

    2. Re:This feels like a distraction... by Anonymous Coward · · Score: 0

      The bug didn't make iOS "wide open" even by a stretch, and it's not years, it's about months - the bug was introduced in iOS 7 and OS X 10.9. It's not present in iOS 6 or OS X 10.8.x.

      It was present in the latest versions of iOS 6. This was why Apple released iOS 6.1.6. That said, it is telling that a phone released 4.5 years ago still got a security update - while many Android phones ship on obsolete versions and never get any updates. And even in the best case, updates stop after a year or two.

  11. Simply solution by jgotts · · Score: 0

    By default most Android phones (which today means made by Samsung) will not install anything from outside the Google Play store, and in the case of only Samsung phones outside the Google Play store and the Samsung store. Most users do not adjust this setting, so virtually nobody is susceptible to this malware. F-Secure is making mountains out of molehills.

    If you don't use a Samsung Android phone, I commend your spirit of adventure. It's not worth the hassle for me. There's where you start becoming susceptible to this type of malware, among other problems.

    But don't catch me saying that Samsung phones are the best. They're just what everybody else is using and helping debug so I don't have to.

    1. Re:Simply solution by fsck-beta · · Score: 1

      If you don't use a Samsung Android phone, I commend your spirit of adventure. It's not worth the hassle for me.

      Really? This attitude basically negates all that is wonderful about Android.

  12. Moral of the story: by Johnny+Loves+Linux · · Score: 5, Insightful
    Don't install apps from back alleyways:

    At the very bottom of the list was Google Play itself, with the lowest percentage of malware in the gathered samples: 0.1 percent. F-Secure also noted that “the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.” While that’s great news for most Android users, it

    Why would anybody shop for apps on their android phone/tablet like a crack addict looking for their next hit is beyond me. Are people really that naive?

    1. Re:Moral of the story: by liwee · · Score: 1

      Don't install apps from back alleyways: ... Are people really that naive?

      Not really sure naive is the problem. The habits from using Windows are carried over I think. Android is in some ways similar to Windows where you can literally install anything from everywhere. Not saying that Windows does not get malware but Windows at least does get periodic system updates and most people install some sort of anti-virus / anti-malware solution. Both of these seem to be missing in many Android phones.

    2. Re:Moral of the story: by joeflies · · Score: 1

      That may be true in the US, but I've heard from friends overseas that other markets prefer their own stores, like a Chinese phone will have a custom rom and local app store, of which the legitimacy of the apps may come into question.

    3. Re:Moral of the story: by Anonymous Coward · · Score: 0

      First, anyone who loves Linux is a cock-sucking faggot. Second, there are places in the world where Google Play is simply not available on Android Phones. So, fuck you.

    4. Re:Moral of the story: by Anonymous Coward · · Score: 0

      I think the same thing when I look at torrent sites.

  13. Android isn't Linux. by Anonymous Coward · · Score: 0

    Android isn't Linux, it's a Linux distribution. It runs on a Linux kernel and is as much Linux as Debian, Ubuntu and Fedora. But it's not Linux.
    The problem isn't really the OS. The problem is the rights the users and publishers are given. If anyone can side-load an app it's easy to get malware since there's no one but the user to verify the source.
    I don't believe that restrictions work. People will just root or jailbreak and smaller businesses will have a harder time getting their apps out since they will have to be reviewed before they can get on a device running that OS.
    The only proper solution is informing and teaching the end user about how to avoid malicious software.

    1. Re:Android isn't Linux. by smash · · Score: 1

      You clearly missed the sarcasm in the first lines of my post.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  14. Not a problem on Android by Anonymous Coward · · Score: 0, Interesting

    Since everyone says that only stupid people use iPhones, all Android users should have the tech expertise to navigate the malware minefield right? /s

    1. Re:Not a problem on Android by Anonymous Coward · · Score: 0

      lol. So true. I thought Android was for hardcore techies and yet they're apparently the most naive and clueless users out there.

    2. Re:Not a problem on Android by Bing+Tsher+E · · Score: 2

      Since everyone says that only stupid people use iPhones

      No. Everyone does not say that. In fact, a lot of Android users don't really care much one way or the other about iPhones.

      Personally, I am disappointed in iOS but I certainly don't care about it enough to consider iOS/Android to be a glorious battle of the righteous. They're just two phone operating systems and I prefer Android. Can't we keep it that simple?

    3. Re:Not a problem on Android by Anonymous Coward · · Score: 0

      If you use an iPhone, I can see how people might get that impression.

      Your red herring has a fatal flaw: 80% market share. When you have most of the people, you will unavoidably get most of the stupid people. Just goes with the territory of being a runaway success. See: Windows.

      Also, it helps to have a completely open platform, the apps for which aren't wholly dictated by the OEM... *cough* WALLED GARDEN *cough*... You know, when Apple thinks its users are too stupid to make their own decisions, you really don't have any room to bitch when others come to the same conclusion.

    4. Re:Not a problem on Android by Anonymous Coward · · Score: 0

      Because the definition of "hardcore techie" has pretty much been reduced to "kid who can install pirated games".

    5. Re:Not a problem on Android by smash · · Score: 1

      Don't forget to include iPads and iPods in your market share calculations, because that is the true potential iOS malware install base.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    6. Re:Not a problem on Android by Anonymous Coward · · Score: 0

      That's why the statistic is called "mobile devices." Or, were you unaware that Android also powers the lion's share of tablets?

  15. This is why I use windows phone by Anonymous Coward · · Score: 0

    No one uses it so no one cares to exploit.
    See, Microsoft is deliberately making their OS crap so there will be less malware for it.

  16. That kills the developer market. by Anonymous Coward · · Score: 0

    I remember the hoops I had to go through to run a JavaME program on my own damn Sprint phone. At least Sprint would let you. But it was enough of a pain that I simply gave up on the platform. If you don't have the developers you don't have the apps.

  17. Left out a key piece of the original headline by Kelson · · Score: 5, Insightful

    "...but only 0.1% of those were on Google Play"

    So that vast majority is practically all third-party installations (something which isn't even an option on iOS).

    1. Re:Left out a key piece of the original headline by Shados · · Score: 5, Insightful

      The ability is off by default, you have to go pretty deep in the options to turn it on, when you do turn it on, you get all sorts of warning telling you to watch out. And if you do turn it on and do something stupid, you may get malware

      That's leagues better than not having the option at all (or to have to use what basically amount to root exploits to enable it), as well as better than having the option on by default for everyone.

      There's some collateral damage (the cheap bozos who want to save 5 bucks and get owned in the process), but it's worth it.

    2. Re:Left out a key piece of the original headline by Anonymous Coward · · Score: 1

      Logic fail much?

      You're saying, basically, "VAST majority of vehicular manslaughter accidents happen outside, but only on Slashdot is the inability to leave your basement and walk in the crosshairs of all those madmen and their wheeled machines of death viewed as negative..."

    3. Re:Left out a key piece of the original headline by aybiss · · Score: 1

      Only on Slashdot is the inability to load malware-riddled apps on your phone viewed as a negative...

      You must be new here.

      --
      It's OK Bender, there's no such thing as 2.
    4. Re:Left out a key piece of the original headline by danbob999 · · Score: 3, Insightful

      ...(something which isn't even an option on iOS).

      Wait. You just acknowledge that the VAST majority of malware comes from sideloaded apps and then make a snide comment about iOS because sideloading malware-laden apps isn't an option.

      REALLY??

      Only on Slashdot is the inability to load malware-riddled apps on your phone viewed as a negative...

      Because it is negative. Just like a car limited to 30 km/h is negative, even if it prevents accidents. You know, with a real car you have the option of staying under 30 km/h if you want to. And with Android you have the walled garden option if you want to. Just don't activate the sideload option. If you are too stupid to activate it and you get malware, you have earned it.

    5. Re:Left out a key piece of the original headline by mdielmann · · Score: 2

      Yes, on Slashdot, the majority of users promote the idea of unfettered access to their systems, coupled with education so you know what to do with it. Seems pretty consistent to me.

      My kids have android tablets, I pointed out the feature to them, told them not to use it unless they had a good reason to, and to talk to me first. As their education improves, I expect them to ask me less. So far, the only sideloaded app they have is flash player. It's from the adobe site so I don't think it counts as malware - except for being flash. I expect it to be uninstalled once better tools become available to replace it.

      --
      Sure I'm paranoid, but am I paranoid enough?
    6. Re:Left out a key piece of the original headline by Charliemopps · · Score: 2

      THREATS are not attacks. It's not possible to install sideloads on iOS, that doesn't make it more secure, that makes it suck. It's like saying your house is better because you don't have doors. Fine, it's harder for people to get in. I can lock my doors or I can choose not to, that's up to me. But you don't even have an option. This is the same bullshit walled garden crap that Apple's been spewing since the 80s.

    7. Re:Left out a key piece of the original headline by Anonymous Coward · · Score: 0

      >something which isn't even an option on iOS
      https://cydia.saurik.com/

    8. Re:Left out a key piece of the original headline by Anonymous Coward · · Score: 0

      Only on Slashdot is the inability to load malware-riddled apps on your phone viewed as a negative...

      Yeah, how dare you be able to run apps not sanctioned by a huge company in their corporate app store!

      Because, there could never be any use for something like Adblock Plus or Xposed!

    9. Re:Left out a key piece of the original headline by WaffleMonster · · Score: 1

      The ability is off by default, you have to go pretty deep in the options to turn it on, when you do turn it on, you get all sorts of warning telling you to watch out. And if you do turn it on and do something stupid, you may get malware

      Alright so Joe Smith goes and installs an app requiring access to SMS, dialer, contact lists, phone number, network stack and file system. Most apps ask for everything as a matter of course and no user has any idea why. Seems like more than enough access to fuck over Joe Smith to me... what about you?

      http://xkcd.com/1200/

    10. Re:Left out a key piece of the original headline by Shados · · Score: 2

      While that's obviously a problem, it isn't what the article is about, and is not at all what i was replying to.

  18. Fearmongering ... by Anonymous Coward · · Score: 0

    Fearmongering is central to the business model of all the "antivirus" scam artists.

  19. google play .. by invictusvoyd · · Score: 1, Interesting

    why does an app ( from google play) which just produces fart sounds ( just like 80% of the other apps) want permissions to access my browser bookmarks , call information, data store and what not .

    That is beyond my understanding

    1. Re:google play .. by Anonymous Coward · · Score: 0

      why does an app ( from google play) which just produces fart sounds ( just like 80% of the other apps)

      80% of the apps in google play just produce fart sounds? I must be missing something here.

    2. Re:google play .. by Max+Threshold · · Score: 2

      So they can serve you ads.

    3. Re:google play .. by Anonymous Coward · · Score: 0

      oh! There's also angry birds and temple run clones .. which occasionally produce fart sounds

    4. Re:google play .. by Anonymous Coward · · Score: 0

      Browser bookmarks and call data for ads?

    5. Re:google play .. by freezin+fat+guy · · Score: 1

      why does an app ( from google play) which just produces fart sounds ( just like 80% of the other apps) want permissions to access my browser bookmarks , call information, data store and what not .

      Yes, it seems like every single app now needs full control of our lives. I'm not happy about granting such sweeping powers where they are clearly unnecessary.

      Except the apps from f-droid, for some dumb reason open source apps tend not to overreach on permissions and snooping.

      Oh, but I guess now we can assume those are 33% malware since it's not the play store.

  20. Re:Makes sense by jrumney · · Score: 1

    So both yours and your kids' 2 year old phones are running the previous major version release of their respective operating system (as Android 3.x was never released for phones). What was your point again?

  21. Does Apple Maps count? by dohzer · · Score: 1

    Surely the software wasn't that bad without malicious intent.

    1. Re:Does Apple Maps count? by MildlyTangy · · Score: 1

      Surely the software wasn't that bad without malicious intent.

      You underestimate the power of deadlines Luke.

  22. Clickbait post, shame on /. by Camael · · Score: 4, Informative

    To the "anonymous reader" who posted the main article : If you link to TFA, at least post the less misleading title it used:

    "F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play"

    Makes a world of difference. And yes, shame on you.

    1. Re:Clickbait post, shame on /. by Anonymous Coward · · Score: 0

      0.1 % is not much, but still something. It would be better if Google Play only allowed free software where the user could read the source code prior to installing, that way knowing that the software was not malicious; unlike non-free software which we know is malicious.

    2. Re:Clickbait post, shame on /. by NoZart · · Score: 1

      I don't think that Hipster Joe and Facebook Sue can comprehend source code

    3. Re:Clickbait post, shame on /. by Anonymous Coward · · Score: 0

      Actually no it doesn't, since we are always told about how open android is because you can avoid the proprietary google apps. If doing so means you are exposed to 96.9% of the malware then steering clear of google and using a free and open platform as opposed to a closed proprietary one is certainly not what people are going to do.

      You can't have it both ways, the closed off walled garden Android is about as secure as the closed off walled garden iOS but once you actually use that openness that the android fans crow about you end up in the land of malware so from a practical perspective users will stick to walled gardens.

    4. Re:Clickbait post, shame on /. by jones_supa · · Score: 2

      0.1 % is not much, but still something. It would be better if Google Play only allowed free software where the user could read the source code prior to installing, that way knowing that the software was not malicious; unlike non-free software which we know is malicious.

      Do you realize that an app can realistically be tens of thousands of lines of code? Good luck going through and fully understanding that before installing an app.

      A better approach might be to have much more strict policies towards unnecessary permissions the apps are asking. If a fancy sound board app needs permissions to read your call data and have full access to Internet, Google should disapprove the application from the Play Store.

    5. Re:Clickbait post, shame on /. by jones_supa · · Score: 1

      So stop spreading FUD you idiot. I would accuse you of being a shill but given that it's free software you're just a butthurt religious zealot.

      The angry blurb at the end of some AC comments is really a classic. I should start collecting these.

    6. Re:Clickbait post, shame on /. by Plumpaquatsch · · Score: 1
      --
      Of course news about a fake are Fake News.
    7. Re:Clickbait post, shame on /. by Anonymous Coward · · Score: 0

      Apple iOS App Store is quite good:
      Cheerleader Response: "Apple is evil.. they block random apps and they control you like evil overlords.. Android is like sooo much better.. you can add thousands of stores and download whatever you want if google doesnt approve your app. Its so open... omg i'm experiencing a GNU F/OSS orgasm.."

      Malware on Android Devices:
      Cheerleader Response: "Wtf.. there is no malware on the play store.. who told you to use the other stores? you get what you deserve .. suckers.. haha !"

    8. Re:Clickbait post, shame on /. by mlts · · Score: 1

      I still think Google needs two tiers. One tier in the store brutally curated with a very long agreement that a software vendor must agree to, and Google can refuse to approve anything it chooses to.

      The second tier is as it is now -- upload anything, and obvious malware is tossed with the dev banned.

      Then on devices, there is a checkbox similar to allowing sideloading to allow access to the more open tier.

      This way, Joe Facebook by default is well protected from malware because they are tossed in a walled garden, but with an exit door that will scream a siren for five seconds before opening, so it is a deliberate act.

      Of course, this does -nothing- for the stores in China where most malware lurks, but Google can point to where it has sway, malware is held at bay.

    9. Re:Clickbait post, shame on /. by fuzzy2k · · Score: 1

      The angry blurb at the end of some AC comments is really a classic. I should start collecting these.

      Isn't that why we have /.? Did I miss something?

      --
      --- Say something clever. Pretend it was me. Thanks.
  23. Is there a android malware scanner for the PC by Trax3001BBS · · Score: 1

    It's possible to download Android apk's at developers sites as well as other places,
    be nice to scan them for malware before transferring/installing them to the Android.

    An example is AdAway which I assume is safe from malware, you can't download this from play.google.com
    https://f-droid.org/repository...

    I've Googled this query and have gotten no results, figure I'd hit on a geek :}

    1. Re:Is there a android malware scanner for the PC by Anonymous Coward · · Score: 0

      Most of the big-name AV companies have a free(ish) client for Android, but it just runs hashes against lists of known-bad executables. Nothing I've seen does actual content scans against a signature DB, presumably due to the resource demands.

    2. Re:Is there a android malware scanner for the PC by Trax3001BBS · · Score: 1

      Most of the big-name AV companies have a free(ish) client for Android, but it just runs hashes against lists of known-bad executables. Nothing I've seen does actual content scans against a signature DB, presumably due to the resource demands.

      Sigh... Thank you.
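
The hash-list check described in the reply above, run on a PC, as an added example that is not part of the thread or any vendor's code. The APKs, package name and known-bad sets are constructed in memory; it compares a whole-file hash list with a per-entry one (an APK is a zip archive) to show what a file-hash list alone does and does not match.

```python
import hashlib
import io
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_apk(entries: dict) -> bytes:
    """Build an APK-shaped zip in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_apk(apk: bytes, bad_files: set, bad_entries: set) -> list:
    """Hash the whole file, then every zip entry, against known-bad sets."""
    findings = []
    if sha256(apk) in bad_files:
        findings.append("file")
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and sha256(zf.read(info)) in bad_entries:
                findings.append("entry:" + info.filename)
    return findings


# Constructed sample data: no real malware, hashes or package names.
DEX = b"dex\n035\x00" + b"constructed stand-in for a flagged classes.dex"
MANIFEST = b"<manifest package='com.example.constructed'/>"
ORIGINAL = build_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": DEX})
# Same code plus one extra asset: the whole-file hash no longer matches.
REPACKED = build_apk({"AndroidManifest.xml": MANIFEST, "classes.dex": DEX,
                      "assets/readme.txt": b"hello"})
CLEAN = build_apk({"AndroidManifest.xml": MANIFEST,
                   "classes.dex": b"dex\n035\x00ok"})

BAD_FILES = {sha256(ORIGINAL)}  # what a file-hash blocklist would hold
BAD_ENTRIES = {sha256(DEX)}     # per-entry list, a step towards content scans

if __name__ == "__main__":
    for label, apk in (("original", ORIGINAL), ("repacked", REPACKED),
                       ("clean", CLEAN)):
        print(label, scan_apk(apk, BAD_FILES, BAD_ENTRIES))
```
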

  24. 0.1% of 804? by Anonymous Coward · · Score: 0

    If 0.1% out of the 804 were on the Play Store... then there was only one app that made it onto the Play Store.

  25. The only "open" platform left... by Anonymous+Freak · · Score: 1

    As others have said, the walled gardens are *EXTREMELY* safe. iOS App Store and Google Play are both *VERY* safe.

    Jailbroken iPhones are targets, but most people concerned with open platforms are on Android - and sadly Google has gotten people used to "going off-reservation" for some apps. (Is Kindle Market available to install direct from Google Play yet? Or do you still need to root and side-load?)

    Symbian is effectively dead (the former leader of malware,) and Palm is all but buried at this point. Not sure about CrackBerry's ecosystem. Microsoft's is basically as safe as Apple's.

    That leaves Android as the only reasonable target for malware. Sort of like how in the '80s, Macintosh was the primary target for viruses, as it was the most likely to be networked - then as Windows got internet-connected, it became the prime target.

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
  26. The actual report by Guppy06 · · Score: 1

    http://www.f-secure.com/static...

    The content of interest here starts on page 22.

    It'd be nice if TFA actually included a link. Or even cited the fucking source of the graphics they lifted.

  27. In other news... by Anonymous Coward · · Score: 0

    Android is the most popular mobile OS. Sounds like it's not how secure you are, but how obscure you are. That is the only real security.

  28. what other? by SuperDre · · Score: 1

    What other mobile OS? Apart from iOS, which has a much stricter policy on what goes into their store and is mostly paid... Also, how much malware is actually from software from the Play Store and how much by sideloading (which isn't even possible on iOS without jailbreaking)?

  29. Not surprising by DrXym · · Score: 1

    Android gives people freedom of choice and some people exercise that freedom by doing really dumb things. Dumb things like downloading warez and then clicking through all the permissions. Or installing "sexy girl screensaver" which wants permission to send SMS messages. In addition there are various forks and branches of Android which point to different app stores where the quality of application vetting ranges from minimal to nonexistent.

    That isn't to say there are some very obvious things that Android lacks which would help protect people from their own stupidity. Fine-grained security permissions that can be applied regardless of what the app says it needs upfront. All untrusted apps should have the most stringent set of permissions applied to them. If someone wants to go in and disable the permissions then they can do so, but defaulting to safe would prevent a lot of harm even before it could happen.

  30. FUCK THIS BETA SHIT!!! by Anonymous Coward · · Score: 0

    Seriously!

  31. Android malware threat .. by DTentilhao · · Score: 1

    Since none of this malware can get onto the devices without explicit user action, this F-Secure Threat Report is totally bogus ..

  32. sarcasm: by Anonymous Coward · · Score: 0

    but, but, Steve Jobs parked in handicap spaces... and there is like one proof-of-concept virus that surfaced lately and that's, like, a proof that iOS is like super bad and unsecure. And even though Google is the first company to have collaborated with the NSA (anyone still wondering how Google got so big so fast?) and with oppressive regimes to help them catch dissidents, one of the founders said "don't do evil" is their motto so like, they will never do evil, they said it.

    BUT using Android makes me feel like I am some sort of computing genius and, like, I'm SUPER original because I don't use iOS, I'm, like, a rebel or something, let me get my Guy Fawkes mask you'll see. /sarcasm ;)

  33. I've heard this before... by Divebus · · Score: 1

    ...the old Windows meme submerging the fact that Windows really was a piece of swiss cheese.

    --

    Most of the stuff on /. won't survive first contact with facts.
  34. Open Source? by Divebus · · Score: 1

    Maybe I'm conflating several notions from your post, but I get the distinct feeling you liken Apple products as being in a cage. I can tell you it's more like being in Club Med with hot cocktail waitresses and sunny days with the chain link fence holding back hordes of lepers.

    This entire decade, all I've heard was how fully vetted open source gave you freedom and security at the same time. Write all the code you want and run it everywhere. Safely. Freely.

    The GnuTLS Library bug tells me it's all been BS. To that end, why should I trust any random developer's software, certificate or not? Isn't everyone in the open source community supposed to be looking at the code? Actually looking at it? You just can't trust anything these days.

    --

    Most of the stuff on /. won't survive first contact with facts.
    1. Re:Open Source? by vux984 · · Score: 1

      I can tell you it's more like being in Club Med with hot cocktail waitresses and sunny days with the chain link fence holding back hordes of lepers.

      I have a MacBook Pro, and my previous phone was an iPhone. I know exactly what it's like. OS X isn't bad at all, iOS *is* a cage; and it's all fun and games until you run into something Apple doesn't want you to have. Then it gets ugly.

      The GnuTLS Library bug tells me it's all been BS

      It should tell you the process works.

      To that end, why should I trust any random developer's software, certificate or not? Isn't everyone in the open source community supposed to be looking at the code? Actually looking at it? You just can't trust anything these days

      Now you are conflating a bug with malware. Know of any malware in a mainstream repo? Didn't think so. Can you find a bug in a mainstream repo... of course you can. Some of them are even serious... no different from any other proprietary code. Like Apple's or anyone else's.

      At least with OSS when a security bug is found by the community, it's documented and fixed. You might or might not get that from anyone else. So call it 'BS' but you seem to suggest 'ignorance' would be more blissful.

    2. Re:Open Source? by Divebus · · Score: 1

      Fair enough... but nobody "found" the GnuTLS bug until the effects of it became apparent. Then the Open Source community started looking for it. That's what runs counter to the claim of "many eyes on the code makes security". Nobody was really looking and nobody noticed that some random cert could be reported as trusted for almost ten years. It's just a truth even I've advertised about Linux until I find the truth has been shattered.

      Ignorance isn't blissful at all and this very thing is the weakness of closed code - not many eyes looking and things get fixed retroactively after the effects are revealed. However, Apple realizes the great majority of users don't know a thing about computers except they're appliances which need to work reliably. Apple knows they're not allowing the Dancing Pigs into the iOS spectrum and with that comes restrictions which will frustrate some people. They don't advertise anything different from that. So far, they've made 800 million iOS customers really happy at the expense of maybe 100,000 code monkeys.

      My bigger problem with Android is who the mother ship is; Google, which has turned into a spy agency in their own right. They've brilliantly created a portable vehicle to map and catalog your every move and view. Their business model is to destroy your privacy and sell what they learn about you to marketers, the scum of the earth, without restraint or remorse. Apple, on the other hand, is well known to frustrate efforts by marketers to gain access to your private data. Frankly, I don't like computers or cars all that much and don't code or race anymore, but I have to use them. Since I have to use them, I'm going to use something I like a lot and not have to worry about too much.

      Cheers.

      --

      Most of the stuff on /. won't survive first contact with facts.
    3. Re:Open Source? by vux984 · · Score: 1

      Apple knows they're not allowing the Dancing Pigs into the iOS spectrum and with that comes restrictions which will frustrate some people. They don't advertise anything different from that. So far, they've made 800 million iOS customers really happy at the expense of maybe 100,000 code monkeys.

      The point remains that Apple could have allowed the option of leaving the walled garden, and 800 million people would still be just as safe as long as they didn't leave, and they wouldn't leave.

      Android allows you to leave the walled garden, and the VAST MAJORITY stay inside by choice, or if they step outside it's just to add a 2nd trustworthy walled garden. (e.g. HumbleBundle, the official Samsung app store, etc)

      My bigger problem with Android is who the mother ship is; Google, which has turned into a spy agency in their own right. They've brilliantly created a portable vehicle to map and catalog your every move and view. Their business model is to destroy your privacy and sell what they learn about you to marketers, the scum of the earth, without restraint or remorse. Apple, on the other hand, is well known to frustrate efforts by marketers to gain access to your private data.

      But is no less becoming a spy agency in its own right. The fact that they don't sell the info to marketers as directly is beside the point. Although "in-app-advertising" is rapidly becoming a 'big deal' for them too. They control the browser (with very poor security privacy features), they control the maps, they control the store, they aren't much 'better' than Google.

      These days I think Microsoft is the least evil of the group, and that's saying something, and perhaps that's only because they don't have the marketshare in mobile to leverage the evil.

      Since I have to use them, I'm going to use something I like a lot and not have to worry about too much.

      And that's fine. But choosing a Samsung and the official store is as safe as using an iPhone.

      If Apple was only concerned about security instead of profit lock-in, they could even officially sanction 3rd party stores like Steam, the HumbleBundle, FSF repos, Amazon, whatever, etc.

      In the real world, we have a choice of stores to shop at, and we can leave the security of shopping at stores and buy on eBay and Craigslist or from a guy on a blanket on the side of the road.

      If you don't want to get ripped off, deal with a reputable store. People by and large understand that, and that model works on the internet too.

      We don't NEED to be forced to all shop at X and only X to ensure we don't get ripped off.

  35. This report is Stupid on its face. by Anonymous Coward · · Score: 0

    So 91% of all malware was for Android systems last year - woohooo. Maybe that is because 81% of all phones are running Android platforms. If you were a hacker trying to infect a phone system - would you target the 19% that are not running Android - or the 81% that are?

    This is the same STUPID argument that Apple made for years about them not having any issues with hackers, versus the Windows systems that were constantly attacked. Never occurred to them that the paltry share of the market they represented in PC sales just wasn't worth the trouble for the hackers. It never was that they couldn't be hacked or have malware - they simply were too irrelevant to be targeted.

    If you track the increase in Android as the OS for smart phones, you see a corresponding rise in the number of malware that are targeting it. This is not rocket science - it is supply and demand. As the supply of phones that do not use Android falls, the likelihood that a hacker will write malware for those systems plummets.

    But I bet old F-Secure is more than willing to sell you a piece of software to protect you. They are drumming up fear to increase sales.