F-Secure: Android Accounted For 97% of All Mobile Malware In 2013

An anonymous reader writes "Back in 2012, Android accounted for 79 percent of all mobile malware. Last year, that number ballooned even further to 97 percent. Both those data points come from security firm F-Secure, which today released its 40-page Threat Report for the second half of 2013. More specifically, Android malware rose from 238 threats in 2012 to 804 new families and variants in 2013. Apart from Symbian, F-Secure found no new threats for other mobile platforms last year."

welcome to the big time

[smash]

Linux is secure, right? Isn't Android Linux?

This is what you get running unsigned code from anywhere people! The last 30+ years of malware on Amiga, DOS, Windows, Unix, Linux, etc. should be a lesson. Trust code to execute by default and this is what you get. Rely entirely on the end user to determine whether or not code is legitimate, and this is what you get.

The average Joe is not capable of making that decision. Sure, it sucks, but them's the breaks.

Re:welcome to the big time

[swillden]

Android has problems with it's "app store".

RTFA (I know, I know, new here and whatnot):

The title of the article is "F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play".

Essentially all of the Android malware comes from non-Google app stores, or sideloaded APKs. And with respect to the malware that does manage to make it into the Play Store, F-Secure says "the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.”

Re:welcome to the big time

[symbolset]

If you can make a computer so simple even an idiot can use it, only an idiot will want to. I like Android's balance with Google play here. Stick with Google Play and you are good to go. Want to adventure? Enable side loading and have at it. Your choice. The complainers appear to be the sort who disable the safety features and then harm themselves, and blame Google for their own screwup.

Re:welcome to the big time

[symbolset]

It is not possible to check every application to see if it is harmless or not. Nobody has those kinds of resources.

You do know we're talking about Google, right? Why would Google not have those kinds of resources? They scan the Internet every day, upload an hour of video every second, filter spam for hundreds of millions - better than anybody, and they made Android so they have the inside track on detecting undesirable code.

I think it is 100% accurate to say Android is insecure by design in much the same way DOS era Windows file sharing is 100% insecure by design.

These two things are unrelated. Now you seem to be saying you're complaining about Android security because others complain about the security of your preferred system. That is not relevant. Also, it's a confession that your argument lacks merit. Maybe not the direction you wanted to go.

Android is intended for a mass market audience of people who know nothing about computers or software threats... Knowing this the designers decided the only access controls would be take it or leave it DEMANDS made by APPLICATIONS. This is why Android is insecure by design... it totally and utterly fails to protect the USER in the most basic rudimentary way possible.

Now we are talking about a totally different thing - apps which require excessive permissions. As in, the end user gets to decide how much access he is willing to give each application. This is not malware at all and off topic for the discussion, but let's cover it. This is restraining applications that want to be more than the end user wants them to be, giving the end user full disclosure when an update seeks to do things it didn't do before. You make it sound like a bad thing, when in fact it's an enhancement above the other methods of application security provided by the system that empowers the user to be more restrictive than any algorithm could appropriately be. You make it sound like a bad thing. It's not.

Re:welcome to the big time

[Plumpaquatsch]

If you rebuilt a compromised host due to somebody leveraging a bug in sendmail, then the admin is/was a moron. Processes should not be run with root privileges, and any public-facing system should be configured in such a way as to limit the damage that can be caused by compromised service accounts. See: PEBKAC; ID10T error.

Yeah, good thing there aren't any privilege escalation bugs in the Linux kernel. Ever.

Re:Is this like that old study of Linux malware?

[smash]

No. Android security is currently just that bad. For several reasons, not least of which is likely due to the massive number of handsets that are abandoned software-update wise upon release.

Google Made a Core Mistake with "OPEN"

[BoRegardless]

It sounds nice in the hacker world, but in the hands of the 'average Joe', an "Open Handset" is an invitation to have your bank account stolen.

Re:We're number one!

[smash]

Then explain the lack of similar quantities of malware for iOS between 2007 and 2012?

Re:android was never meant to be highly secure

[skids]

True, leaving the device powered off permanently in its shrinkwrap on a store shelf does make it rather secure.

Re:We're number one!

[roc97007]

Obviously, the malware is so well written that nobody has found it yet.

Moral of the story:

[Johnny+Loves+Linux]

Don't install apps from back alleyways:

At the very bottom of the list was Google Play itself, with the lowest percentage of malware in the gathered samples: 0.1 percent. F-Secure also noted that “the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.” While that’s great news for most Android users, it

Why would anybody shop for apps on their android phone/tablet like a crack addict looking for their next hit is beyond me. Are people really that naive?

Left out a key piece of the original headline

[Kelson]

"...but only 0.1% of those were on Google Play"

So that vast majority is practically all third-party installations (something which isn't even an option on iOS).

Re:Left out a key piece of the original headline

[Shados]

The ability is off by default, you have to go pretty deep in the options to turn it on, when you do turn it on, you get all sorts of warning telling you to watch out. And if you do turn it on and do something stupid, you may get malware

That's leagues better than not having the option at all (or to have to use what basically amount to root exploits to enable it), as well as better than having the option on by default for everyone.

There's some collateral damage (the cheap bozos who wants to save 5 bucks and get owned in the process), but its worth it.

Re:Left out a key piece of the original headline

[danbob999]

...(something which isn't even an option on iOS).

Wait. You just acknowledge that the VAST majority of malware comes from sideloaded apps and then make a snide comment about iOS because sideloading malware-laden apps isn't an option.

REALLY??

Only on Slashdot is the inability to load malware-riddled apps on your phone viewed as a negative...

Because it is negative. Just like a car limited to 30 km/h is negative, even if it prevents accidents. You know, with a real car you have the option of staying under 30 km/h if you want to. And with Android you have the walled garden option if you want to. Just don't activate the sideload option. If you are too stupid to activate it and you get malware, you have earned it.

Re:We're number one!

[steveha]

explain the lack of similar quantities of malware for iOS between 2007 and 2012?

Because of Apple's "walled garden". The only way to get apps for iOS is from Apple's store, and Apple tries to keep the malware out.

Apple always charges $100 to put an app in the store, so malware has to make at least $100 before it is discovered or the person who put the malware on the store loses money.

The "walled garden" does have advantages.

Personally, I like having a device where I can install anything I want... but I pretty much just get stuff from the Google Play store. If I need an SSH app, and I see one with over 30,000 votes rating it 4 or 5 stars, I'm pretty sure it won't be malware when I download it.

And according to TFA, almost all of the malware was side-loaded. Almost none of the malware came from the Google Play store. Thus, Android gives me the advantage of the walled garden, while still being more free than iOS.

P.S. The reason I went with Android rather than iOS was Apple's policy of no interpreters and no emulators. I wanted Python and games emulators. Apple has since then unbent a bit, but Android has always allowed you to install whatever sorts of apps you prefer.

Thus I am able to install interpreters and emulators, without rooting my phone, and getting them from the Google Play store. Why wouldn't I want this?

Clickbait post, shame on /.

[Camael]

To the "anonymous reader" who posted the main article : If you link to TFA, at least post the less misleading title it used:

"F-Secure: Android accounted for 97% of all mobile malware in 2013, but only 0.1% of those were on Google Play"

Makes a world of difference. And yes, shame on you.