Slashdot Mirror


F-Secure: Android Accounted For 97% of All Mobile Malware In 2013

An anonymous reader writes "Back in 2012, Android accounted for 79 percent of all mobile malware. Last year, that number ballooned even further to 97 percent. Both those data points come from security firm F-Secure, which today released its 40-page Threat Report for the second half of 2013. More specifically, Android malware rose from 238 threats in 2012 to 804 new families and variants in 2013. Apart from Symbian, F-Secure found no new threats for other mobile platforms last year."


  1. welcome to the big time by smash · · Score: 5, Insightful

    Linux is secure, right? Isn't Android Linux?

    This is what you get running unsigned code from anywhere people! The last 30+ years of malware on Amiga, DOS, Windows, Unix, Linux, etc. should be a lesson. Trust code to execute by default and this is what you get. Rely entirely on the end user to determine whether or not code is legitimate, and this is what you get.

    The average Joe is not capable of making that decision. Sure, it sucks, but them's the breaks.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    1. Re:welcome to the big time by smash · · Score: 2

      Also. You are arguing that trojans are NOT malware? Seriously? Of course they're fucking trojans. That's the point. The end user is in no way qualified to determine that software is NOT a trojan, and this is why them having root on a device with full ability to run any shitware trojan they like is never going to work. We've had 30 years hammering this point home time and time again. It's not going to change.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:welcome to the big time by swillden · · Score: 5, Insightful

      Android has problems with its "app store".

      RTFA (I know, I know, new here and whatnot):

      The title of the article is "F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play".

      Essentially all of the Android malware comes from non-Google app stores, or sideloaded APKs. And with respect to the malware that does manage to make it into the Play Store, F-Secure says "the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life."

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:welcome to the big time by msauve · · Score: 2

      It's just a matter of how big the target is. Right now, Android is the largest mobile platform, so that's where the malware is directed. It's a crime of opportunity, no different than Windows on the desktop.

      It's not proof that Apple's iOS or MacOS or Windows mobile are intrinsically more secure, but that they're smaller targets. How much malware is there directed to FreeBSD or OpenBSD or vxWorks in comparison? Emphasis on comparison - sure, there's malware directed at anything which might be Internet facing, but the more esoteric stuff is more specifically targeted, like Stuxnet.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:welcome to the big time by DNS-and-BIND · · Score: 2

      It comes down to: would you rather have Security, or Freedom?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    5. Re:welcome to the big time by symbolset · · Score: 4, Insightful

      If you can make a computer so simple even an idiot can use it, only an idiot will want to. I like Android's balance with Google play here. Stick with Google Play and you are good to go. Want to adventure? Enable side loading and have at it. Your choice. The complainers appear to be the sort who disable the safety features and then harm themselves, and blame Google for their own screwup.

      --
      Help stamp out iliturcy.
    6. Re:welcome to the big time by mcl630 · · Score: 2

      On the other hand, Android has problems with "signed code". Yes. That's right. Android has problems with its "app store". This isn't your grandfather's Windows style malware.

      Read TFA:

      "Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play"

    7. Re:welcome to the big time by symbolset · · Score: 3, Interesting

      It is not possible to check every application to see if it is harmless or not. Nobody has those kinds of resources.

      You do know we're talking about Google, right? Why would Google not have those kinds of resources? They scan the Internet every day, upload an hour of video every second, filter spam for hundreds of millions - better than anybody, and they made Android so they have the inside track on detecting undesirable code.

      I think it is 100% accurate to say Android is insecure by design in much the same way DOS era Windows file sharing is 100% insecure by design.

      These two things are unrelated. Now you seem to be saying you're complaining about Android security because others complain about the security of your preferred system. That is not relevant. Also, it's a confession that your argument lacks merit. Maybe not the direction you wanted to go.

      Android is intended for a mass market audience of people who know nothing about computers or software threats... Knowing this the designers decided the only access controls would be take it or leave it DEMANDS made by APPLICATIONS. This is why Android is insecure by design... it totally and utterly fails to protect the USER in the most basic rudimentary way possible.

      Now we are talking about a totally different thing - apps which require excessive permissions. As in, the end user gets to decide how much access he is willing to give each application. This is not malware at all and off topic for the discussion, but let's cover it. This is restraining applications that want to be more than the end user wants them to be, giving the end user full disclosure when an update seeks to do things it didn't do before. You make it sound like a bad thing, when in fact it's an enhancement above the other methods of application security provided by the system that empowers the user to be more restrictive than any algorithm could appropriately be. You make it sound like a bad thing. It's not.

      --
      Help stamp out iliturcy.
    8. Re:welcome to the big time by Plumpaquatsch · · Score: 3, Insightful

      If you rebuilt a compromised host due to somebody leveraging a bug in sendmail, then the admin is/was a moron. Processes should not be run with root privileges, and any public-facing system should be configured in such a way as to limit the damage that can be caused by compromised service accounts. See: PEBKAC; ID10T error.

      Yeah, good thing there aren't any privilege escalation bugs in the Linux kernel. Ever.

      --
      Of course news about a fake are Fake News.
    9. Re:welcome to the big time by smash · · Score: 2

      You completely missed my point. The entire point is that relying on the end user, who has no access to the source code to verify the operation of the app they are about to install, and no way to verify whether or not the code that was published has been altered, to verify whether or not they want to run it is inherently flawed.

      It's easy enough to run anything you want on iOS - get your own cert, and compile/sign it yourself. Doing that DOESN'T open you up to any and all possibly dodgy code running on your device.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    10. Re:welcome to the big time by smash · · Score: 2

      No, it's the user who is getting exploited. And that's the point: the average end user (and in the case of more advanced malware, the average technical user, or in fact anyone who hasn't been able to audit the application source code) is vulnerable to this sort of malware.

      Using an app store plus code-signing enables a trusted third party to audit the code, and sign it as approved to run on the device. In the case of appliances like phones, tablets, etc., expecting your typical non-technical user to audit source code for every app they install is unrealistic.

      In the case of loading an app onto an android device from a third party, it's a crap shoot. You are basically guessing that the particular installer you are running is not a trojan. You may be basing that on app reputation, etc. but have no real clue whether or not it has been time-bombed, for example. You're guessing, flying blind.

      It's pure luck and lack of true malicious developers on the platform that the android malware situation right now is not a LOT worse. And it's nothing to do with exploiting the JVM, kernel or whatever - it's purely due to the end users of consumer devices not being interested in becoming security experts. They are (rightly so) not interested in it.

      Signed-code only, whilst being restrictive in what you can run takes that burden off the user. If the user truly wants to run something that the vendor will not sign, in the case of iOS it is simple enough to get a developer subscription and compile it from source yourself.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  2. Re:android was never meant to be highly secure by rsborg · · Score: 2

    I can't wait for a true '3rd option' (not apple and not android) to come on the market. I don't enjoy or trust either of the two existing choices.

    What, WindowsPhone isn't good enough to qualify as that "3rd option"? Seriously, you can still get a blackberry, WinPhone or just a plain ol dumb phone that tethers really well (my TMO plan has free tethering) and run an iPod touch or equivalent.

    --
    Make sure everyone's vote counts: Verified Voting
  3. Re:Is this like that old study of Linux malware? by smash · · Score: 3, Informative

    No. Android security is currently just that bad. For several reasons, not least of which is likely due to the massive number of handsets that are abandoned software-update wise upon release.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  4. Google Made a Core Mistake with "OPEN" by BoRegardless · · Score: 3, Insightful

    It sounds nice in the hacker world, but in the hands of the 'average Joe', an "Open Handset" is an invitation to have your bank account stolen.

  5. Re:Is this like that old study of Linux malware? by esldude · · Score: 2

    Well sort of. If you restrict yourself to Google's Play store for software the rate was .1%. The rest, almost all of it in this case, came from other stores for Android software. Mostly Saudi Arabia and India. So it would be nice if Android were more interested in security, but on the other hand it isn't the huge dramatic result that would warrant the headline. Stay with Google Play and things are pretty safe.

  6. Re:We're number one! by smash · · Score: 4, Insightful

    Then explain the lack of similar quantities of malware for iOS between 2007 and 2012?

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  7. Re:android was never meant to be highly secure by skids · · Score: 4, Funny

    True, leaving the device powered off permanently in its shrinkwrap on a store shelf does make it rather secure.

  8. Re:We're number one! by roc97007 · · Score: 3, Funny

    Obviously, the malware is so well written that nobody has found it yet.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  9. Moral of the story: by Johnny+Loves+Linux · · Score: 5, Insightful

    Don't install apps from back alleyways:

    At the very bottom of the list was Google Play itself, with the lowest percentage of malware in the gathered samples: 0.1 percent. F-Secure also noted that “the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.” While that’s great news for most Android users, it

    Why would anybody shop for apps on their android phone/tablet like a crack addict looking for their next hit is beyond me. Are people really that naive?

  10. Left out a key piece of the original headline by Kelson · · Score: 5, Insightful

    "...but only 0.1% of those were on Google Play"

    So that vast majority is practically all third-party installations (something which isn't even an option on iOS).

    1. Re:Left out a key piece of the original headline by Shados · · Score: 5, Insightful

      The ability is off by default, you have to go pretty deep in the options to turn it on, when you do turn it on, you get all sorts of warnings telling you to watch out. And if you do turn it on and do something stupid, you may get malware.

      That's leagues better than not having the option at all (or to have to use what basically amounts to root exploits to enable it), as well as better than having the option on by default for everyone.

      There's some collateral damage (the cheap bozos who want to save 5 bucks and get owned in the process), but it's worth it.

    2. Re:Left out a key piece of the original headline by danbob999 · · Score: 3, Insightful

      ...(something which isn't even an option on iOS).

      Wait. You just acknowledge that the VAST majority of malware comes from sideloaded apps and then make a snide comment about iOS because sideloading malware-laden apps isn't an option.

      REALLY??

      Only on Slashdot is the inability to load malware-riddled apps on your phone viewed as a negative...

      Because it is negative. Just like a car limited to 30 km/h is negative, even if it prevents accidents. You know, with a real car you have the option of staying under 30 km/h if you want to. And with Android you have the walled garden option if you want to. Just don't activate the sideload option. If you are too stupid to activate it and you get malware, you have earned it.

    3. Re:Left out a key piece of the original headline by mdielmann · · Score: 2

      Yes, on Slashdot, the majority of users promote the idea of unfettered access to their systems, coupled with education so you know what to do with it. Seems pretty consistent to me.

      My kids have Android tablets, I pointed out the feature to them, told them not to use it unless they had a good reason to, and to talk to me first. As their education improves, I expect them to ask me less. So far, the only sideloaded app they have is Flash Player. It's from the Adobe site so I don't think it counts as malware - except for being Flash. I expect it to be uninstalled once better tools become available to replace it.

      --
      Sure I'm paranoid, but am I paranoid enough?
    4. Re:Left out a key piece of the original headline by Charliemopps · · Score: 2

      THREATS are not attacks. It's not possible to install sideloads on iOS, that doesn't make it more secure, that makes it suck. It's like saying your house is better because you don't have doors. Fine, it's harder for people to get in. I can lock my doors or I can choose not to, that's up to me. But you don't even have an option. This is the same bullshit walled garden crap that Apple's been spewing since the 80s.

    5. Re:Left out a key piece of the original headline by Shados · · Score: 2

      While that's obviously a problem, it isn't what the article is about, and is not at all what I was replying to.

  11. Re:Is this like that old study of Linux malware? by vux984 · · Score: 2

    Isn't the entire selling point of Android that you can install software from wherever you like though?

    Well, one of several selling points.

    This study simply validates Apple's decision to more strictly control what software is allowed on their devices.

    97% of all murders happen in societies that don't put all their citizens in cages. Does that validate the idea that everyone should live in a cage?

    For those users who do need to install anything they like, they can still do it without compromising the security of their device by getting a developer certificate.

    What about 3rd party software that Apple doesn't allow on its app store from trusted parties? Like... most anything GPL? Should I really need a developer certificate to use a fully vetted repo maintained by the FSF or whatever?

    What about, something like the humblebundle, where I can buy a license to a game for any platform it's available on... except iOS, even if it's available for iOS because: Apple.

    Or if Steam wanted to include mobile games? Again: Not allowed on Apple.

    There's a lot of good things out there that Apple's lock in prevents. And no, a developer certificate, and an annual fee for the privilege of not using the Apple store all the time is not a solution.

    If you don't want to compromise the security of your device, don't do your app shopping in the equivalent of back alleys and Asian night markets. And guess what, most Android users don't. Nearly all North American Android users stick to the default app store(s). And of those that don't, the vast majority of them are still fine -- they are using the humblebundle app in addition to Google Play for example to load their humble purchases.

    Android malware really just affects that group of people who are trying to get pirate copies of paid apps and such on Asian app stores... I mean how many warning bells should that set off?!!

    And even on Android it's a small problem... if you have a million iPhones and a million Androids, and of them 3 iPhones have malware, and 97 Androids have malware, that's still 97% of malware is on Android -- but it's still a very minor problem, that only affects people who do REALLY stupid things.

  12. Re:Not a problem on Android by Bing+Tsher+E · · Score: 2

    Since everyone says that only stupid people use iPhones

    No. Everyone does not say that. In fact, a lot of Android users don't really care much one way or the other about iPhones.

    Personally, I am disappointed in iOS but I certainly don't care about it enough to consider iOS/Android to be a glorious battle of the righteous. They're just two phone operating systems and I prefer Android. Can't we keep it that simple?

  13. Re:google play .. by Max+Threshold · · Score: 2

    So they can serve you ads.

  14. Re:We're number one! by steveha · · Score: 4, Insightful

    explain the lack of similar quantities of malware for iOS between 2007 and 2012?

    Because of Apple's "walled garden". The only way to get apps for iOS is from Apple's store, and Apple tries to keep the malware out.

    Apple always charges $100 to put an app in the store, so malware has to make at least $100 before it is discovered or the person who put the malware on the store loses money.

    The "walled garden" does have advantages.

    Personally, I like having a device where I can install anything I want... but I pretty much just get stuff from the Google Play store. If I need an SSH app, and I see one with over 30,000 votes rating it 4 or 5 stars, I'm pretty sure it won't be malware when I download it.

    And according to TFA, almost all of the malware was side-loaded. Almost none of the malware came from the Google Play store. Thus, Android gives me the advantage of the walled garden, while still being more free than iOS.

    P.S. The reason I went with Android rather than iOS was Apple's policy of no interpreters and no emulators. I wanted Python and games emulators. Apple has since then unbent a bit, but Android has always allowed you to install whatever sorts of apps you prefer.

    Thus I am able to install interpreters and emulators, without rooting my phone, and getting them from the Google Play store. Why wouldn't I want this?

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
  15. Clickbait post, shame on /. by Camael · · Score: 4, Informative

    To the "anonymous reader" who posted the main article : If you link to TFA, at least post the less misleading title it used:

    "F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play"

    Makes a world of difference. And yes, shame on you.

    1. Re:Clickbait post, shame on /. by jones_supa · · Score: 2

      0.1 % is not much, but still something. It would be better if Google Play only allowed free software where the user could read the source code prior to installing, that way knowing that the software was not malicious; unlike non-free software which we know is malicious.

      Do you realize that an app can realistically be tens of thousands of lines of code? Good luck going through and fully understanding that before installing an app.

      A better approach might be to have much more strict policies towards unnecessary permissions the apps are asking. If a fancy sound board app needs permissions to read your call data and have full access to Internet, Google should disapprove the application from the Play Store.