F-Secure: Android Accounted For 97% of All Mobile Malware In 2013
An anonymous reader writes "Back in 2012, Android accounted for 79 percent of all mobile malware. Last year, that number ballooned even further to 97 percent. Both those data points come from security firm F-Secure, which today released its 40-page Threat Report for the second half of 2013. More specifically, Android malware rose from 238 threats in 2012 to 804 new families and variants in 2013. Apart from Symbian, F-Secure found no new threats for other mobile platforms last year."
Linux is secure, right? Isn't Android Linux?
This is what you get running unsigned code from anywhere people! The last 30+ years of malware on Amiga, DOS, Windows, Unix, Linux, etc. should be a lesson. Trust code to execute by default and this is what you get. Rely entirely on the end user to determine whether or not code is legitimate, and this is what you get.
The average Joe is not capable of making that decision. Sure, it sucks, but them's the breaks.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
think of why it exists: it gets google your eyeballs and your time. with that, they are wildly successful.
beyond that, they could give a flying fuck. seriously. they don't exist for user experience, safety, privacy (ha!) or quality. as long as it's 'good enough' to keep eyeballs glued there, that's all they care about.
I can't wait for a true '3rd option' (not apple and not android) to come on the market. I don't enjoy or trust either of the two existing choices.
--
"It is now safe to switch off your computer."
Not surprised. When will I be able to run a full distro on one of them phones?
No. Android security is currently just that bad. For several reasons, not least of which is likely due to the massive number of handsets that are abandoned software-update wise upon release.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
It sounds nice in the hacker world, but in the hands of the 'average Joe', an "Open Handset" is an invitation to have your bank account stolen.
Well sort of. If you restrict yourself to Google's Play store for software the rate was .1%. The rest, almost all of it in this case, came from other stores for Android software. Mostly Saudi Arabia and India.
So it would be nice if Android were more interested in security, but on the other hand it isn't the huge dramatic result that would warrant the headline.
Stay with Google Play and things are pretty safe.
Isn't the entire selling point of android that you can install software from wherever you like though? This study simply validates Apple's decision to more strictly control what software is allowed on their devices. For those users who do need to install anything they like, they can still do it without compromising the security of their device by getting a developer certificate.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Then explain the lack of similar quantities of malware for iOS between 2007 and 2012?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Obviously, the malware is so well written that nobody has found it yet.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Nobody needs to write malware when you're accepting any cert from any server. You can do it all server side.
Someone had to do it.
At the very bottom of the list was Google Play itself, with the lowest percentage of malware in the gathered samples: 0.1 percent. F-Secure also noted that “the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.” While that’s great news for most Android users, it
Why would anybody shop for apps on their android phone/tablet like a crack addict looking for their next hit is beyond me. Are people really that naive?
"...but only 0.1% of those were on Google Play"
So that vast majority is practically all third-party installations (something which isn't even an option on iOS).
Isn't the entire selling point of android that you can install software from wherever you like though?
Well, one of several selling points.
This study simply validates Apple's decision to more strictly control what software is allowed on their devices.
97% of all murders happen in societies that don't put all their citizens in cages. Does that validate the idea that everyone should live in a cage?
For those users who do need to install anything they like, they can still do it without compromising the security of their device by getting a developer certificate.
What about 3rd party software that Apple doesn't allow on its app store from trusted parties? Like... most anything GPL? Should I really need a developer certificate to use a fully vetted repo maintained by the FSF or whatever?
What about something like the humblebundle, where I can buy a license to a game for any platform it's available on... except iOS, even if it's available for iOS, because: Apple.
Or if steam wanted to include mobile games? Again: Not allowed on apple.
There's a lot of good things out there that Apple's lock in prevents. And no, a developer certificate, and an annual fee for the privilege of not using the apple store all the time is not a solution.
If you don't want to compromise the security of your device, don't do your app shopping in the equivalent of back alleys and asian night markets. And guess what, most android users don't. Nearly all north american android users stick to the default app store(s). And of those that don't, the vast majority of them are still fine -- they are using the humblebundle app in addition to google play for example to load their humble purchases.
Android malware really just affects that group of people who are trying to get pirate copies of paid apps and such on asian app stores... i mean how many warning bells should that set off?!!
And even on android it's a small problem... if you have a million iphones and a million androids, and of them 3 iphones have malware, and 97 androids have malware, that's still 97% of malware on android -- but it's still a very minor problem, that only affects people who do REALLY stupid things.
Why does an app (from Google Play) which just produces fart sounds (just like 80% of the other apps) want permissions to access my browser bookmarks, call information, data store and whatnot?
That is beyond my understanding
Since everyone says that only stupid people use iPhones
No. Everyone does not say that. In fact, a lot of Android users don't really care much one way or the other about iPhones.
Personally, I am disappointed in iOS but I certainly don't care about it enough to consider iOS/Android to be a glorious battle of the righteous. They're just two phone operating systems and I prefer Android. Can't we keep it that simple?
And even on android it's a small problem... if you have a million iphones and a million androids, and of them 3 iphones have malware, and 97 androids have malware, that's still 97% of malware on android -- but it's still a very minor problem, that only affects people who do REALLY stupid things.
I think you missed the part of the original posting where the 3% of the non-Android malware referred to Symbian. There were no instances of malware on iOS.
So you think the statistic means that any malware publisher will be 97% successful in penetrating any phone running android that they target?
Where were(n't) you educated?
explain the lack of similar quantities of malware for iOS between 2007 and 2012?
Because of Apple's "walled garden". The only way to get apps for iOS is from Apple's store, and Apple tries to keep the malware out.
Apple always charges $100 to put an app in the store, so malware has to make at least $100 before it is discovered or the person who put the malware on the store loses money.
The "walled garden" does have advantages.
Personally, I like having a device where I can install anything I want... but I pretty much just get stuff from the Google Play store. If I need an SSH app, and I see one with over 30,000 votes rating it 4 or 5 stars, I'm pretty sure it won't be malware when I download it.
And according to TFA, almost all of the malware was side-loaded. Almost none of the malware came from the Google Play store. Thus, Android gives me the advantage of the walled garden, while still being more free than iOS.
P.S. The reason I went with Android rather than iOS was Apple's policy of no interpreters and no emulators. I wanted Python and games emulators. Apple has since then unbent a bit, but Android has always allowed you to install whatever sorts of apps you prefer.
Thus I am able to install interpreters and emulators, without rooting my phone, and getting them from the Google Play store. Why wouldn't I want this?
lf(1): it's like ls(1) but sorts filenames by extension, tersely
Apple already took all your available cash?
Anything which comes out of pure commercial interests will eventually perish... due to bad / "spreadsheet led" decisions. The whole mobile thing going around these days is built around commercial interests, unlike the "Linux" thing we had going some years (decades) ago, which was primarily academic with some commercial participation. I miss that "old" purist feel. :(
There is no number one here
I dunno, there are now some Jar-Jar mascots
I've got better things to do tonight than die.
So both yours and your kids 2 year old phones are running the previous major version release of their respective operating system (as Android 3.x was never released for phones). What was your point again?
"You run OS X?"
Yeah, your brother's sister's hairdresser had all this malware -- and of course all those security firms who present dire warnings every week in order to drum up business.
Did "You" actually have malware that effectively exploited your machine? Or are you just here to add balance because you've "heard" rumors? What was the name of this malware -- what did it do? How did it exploit the system?
There are problems and benefits of all kinds of systems -- but what we don't need is people throwing around FUD -- leave that to the experts at Forbes or some computer magazine.
>>"ad space available -- low rates!!!"
Is it $100 each time, or is that $100 for the development kit?
>>"ad space available -- low rates!!!"
Surely the software wasn't that bad without malicious intent.
To the "anonymous reader" who posted the main article : If you link to TFA, at least post the less misleading title it used:
Makes a world of difference. And yes, shame on you.
It's possible to download Android APKs at developers' sites as well as other places; be nice to scan them for malware before transferring/installing them to the Android.
An example is AdAway which I assume is safe from malware, you can't download this from play.google.com
https://f-droid.org/repository...
I've Googled this query and have gotten no results, figure I'd hit on a geek :}
Well sort of. If you restrict yourself to Google's Play store for software the rate was .1%. The rest, almost all of it in this case, came from other stores for Android software. Mostly Saudi Arabia and India. So it would be nice if Android were more interested in security, but on the other hand it isn't the huge dramatic result that would warrant the headline. Stay with Google Play and things are pretty safe.
Trusting security to app store screeners is not a viable solution. Either devices are designed to tolerate the most malicious software possible by default or they end up accounting for 97% of all mobile malware.
Even if there were no platform security vulnerabilities and the system worked 100% as intended I would not expect much to change. The core problem with Android is applications dictate privileges to the user in a take it or leave it manner rather than users having any ability to make decisions based on their interests. Fixing this problem, giving users the power undermines Google revenue streams.
As others have said, the walled gardens are *EXTREMELY* safe. iOS App Store and Google Play are both *VERY* safe.
Jailbroken iPhones are targets, but most people concerned with open platforms are on Android - and sadly Google has gotten people used to "going off-reservation" for some apps. (Is Kindle Market available to install direct from Google Play yet? Or do you still need to root and side-load?)
Symbian is effectively dead (the former leader of malware,) and Palm is all but buried at this point. Not sure about CrackBerry's ecosystem. Microsoft's is basically as safe as Apple's.
That leaves Android as the only reasonable target for malware. Sort of like how in the '80s, Macintosh was the primary target for viruses, as it was the most likely to be networked - then as Windows got internet-connected, it became the prime target.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
You're wrong. Apple charges $99 per year for a developer's license which allows you to post as many apps to the App Store as you'd like (provided they're approved). Xcode, the IDE, is free. So no, an app doesn't have to make $100 to break even and I'd guess that the $99 price of entry to post as many apps as you'd like wouldn't deter a malware author any more than it discourages the casual developer that provides their app for free.
http://www.f-secure.com/static...
The content of interest here starts on page 22.
It'd be nice if TFA actually included a link. Or even cited the fucking source of the graphics they lifted.
What other mobile OS? Apart from iOS, which has a much stricter policy on what goes into their store and is mostly paid... Also, how much malware is actually from software from the Play Store and how much by sideloading (which isn't even possible on iOS without jailbreaking)?
So let's not make a mountain out of a whorehill.
So Android has 97% of all mobile software written for it? 80%? Is it at least the platform where most of the mobile software appears first?
Of course news about a fake are Fake News.
That isn't to say there are some very obvious things that Android lacks which would help protect people from their own stupidity. Fine-grained security permissions that can be applied regardless of what the app says it needs upfront. All untrusted apps should have the most stringent set of permissions applied to them. If someone wants to go in and disable the permissions then they can do so, but defaulting to safe would prevent a lot of harm even before it could happen.
You clearly missed the sarcasm in the first lines of my post.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
It's $100 for a number of support incidents and a developer certificate which enables you to use the free development tools to upload your code to a real device.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Yes.
That's your inference, that is not backed up by any real world data. The iOS market is large and was previously larger than the android market. In terms of web usage stats, iOS leaves android for dead. So one would think that the platform most actually used would likely pose a significant target. Yet in the past 12 months there were ZERO incidents of malware reported for iOS. Zero.
Yes, the real answer is due to the "Walled garden" (which is easy enough to work around if you get your own developer cert to sign the code you want to run).
The android approach of allowing the user to just turn off all security by enabling "run code from anywhere" has been proven for the past 3-4 decades to not work. The amount of malware available for android out there is continuing to prove that to be the case.
Also, we're not just talking about smartphones - tablets also, along with ipods. The total of all those devices (i.e., the potential malware install base) would be far larger than the install base of RIM or Symbian.
And by lowering yourself to petty name calling, you've just lost any sort of credibility you may have had.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Also: i don't post AC.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Don't forget to include iPads and iPods in your market share calculations, because that is the true potential iOS malware install base.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Since none of this malware can get onto the devices without explicit user action, this F-Secure Threat Report is totally bogus ..
If you don't use a Samsung Android phone, I commend your spirit of adventure. It's not worth the hassle for me.
Really? This attitude basically negates all that is wonderful about Android.
When you buy a humblebundle that has iOS (or if you buy... from pretty much anyone something on iOS outside the app store) you are sent a redemption key. Nothing evil or different has changed.
This is factually incorrect. Apple does not allow you to sell a product for the apple store outside of the apple store, and then provide a redemption key.
The humblebundle does not do this, and would not be allowed to do this.
As for FSF/GPL. That's a political organization akin to NSA/GunRights.
Nutter.
It's for the same reason that the murder rate inside Disney World is very low.
Security. Yes, that's it exactly.
Of course if any malware is discovered, that developer account is closed, with no refund, and no chance of reopening with the same credit card/mail address etc. And the possibility of a police investigation.
So yes, this is more of a discouragement than for the ordinary developer.
...the old Windows meme submerging the fact that Windows really was a piece of swiss cheese.
Most of the stuff on
Maybe I'm conflating several notions from your post, but I get the distinct feeling you liken Apple products as being in a cage. I can tell you it's more like being in Club Med with hot cocktail waitresses and sunny days with the chain link fence holding back hordes of lepers.
This entire decade, all I've heard was how fully vetted open source gave you freedom and security at the same time. Write all the code you want and run it everywhere. Safely. Freely.
The GnuTLS Library bug tells me it's all been BS. To that end, why should I trust any random developer's software, certificate or not? Isn't everyone in the open source community supposed to be looking at the code? Actually looking at it? You just can't trust anything these days.
Most of the stuff on