Android Malware: Separating Reality from Hype
Reports of Android malware are rampant. Should enterprises be worried?
You don’t have to look hard to find ominous stories about malware on the Android platform. The exact numbers may change, but somewhere north of 90 percent of mobile malware has been found to target Android. Just how much malware is that exactly? Depends who you ask.
Security firm Trend Micro pegs the number of Android malware instances at well over 175,000. With numbers like this, you’d think nobody would want to touch an Android device, especially enterprises with valuable data at risk.
But it is crucial to put these reports about Android malware into context and to understand who – and who is not – likely to be at risk.
Malware authors have good reason to target Android above and beyond any other mobile OS. Looking at fourth quarter 2012 numbers alone, Android devices claimed 70 percent of worldwide smartphone shipments. With global iOS device shipments at 21 percent, there simply are a lot more Android devices floating around out there.
While domestic U.S. numbers look quite different and less lopsided, malware authors target a global audience. Because malware will only “succeed” in exploiting a fraction of users, it makes sense to invest time (and potentially money) writing malicious software that has the largest possible audience. While iOS devices are made only by Apple, many vendors sell Android-based devices, some at very low price points, amplifying their global reach.
Further, Google made the early decision to release Android as an open mobile OS, in strong contrast to Apple’s iOS. While many debate the merits and drawbacks of an open vs. closed operating system, the openness of Android has several consequences that can benefit malware authors:
- The barrier to entry for Android development is low. There is no licensing fee required to develop or deploy Android apps, unlike iOS or Windows Phone.
- App developers can access a broad range of platform and device features. iOS developers, constrained by Apple development policies, can only access approved parts of the platform.
- Android devices are not restricted to a single walled-garden marketplace, like the Apple App Store. The Google Play Store is the official but not singular market for Android apps.
- Publishing an Android app can be done without any vetting, particularly through channels outside Google Play.
Sideloading and Third-Party Markets
By far, the largest vector for Android malware comes through forms of "sideloading." Sideloading refers to installing an app that has not come through a known source, namely the Google Play Store.
On a closed system like Apple iOS devices, sideloading is impossible without jailbreaking the system. This is a process usually undertaken only by enthusiast hackers who accept the risks of wandering well outside approved usage.
Android devices by default do not allow sideloading from unknown sources. But Android settings allow a user to override this shackle – which is to say that doing so does not require hacking and does not violate Android in any way. It is just a matter of the user deliberately choosing to potentially expose the device to unsafe sources as the cost for a wider selection of apps. Plus, to put it bluntly, some users enable sideloading to install pirated apps.
Besides the official Google Play Store, there are numerous third-party app stores. The Amazon App Store, backed by a well-known brand, is a generally safe source of apps, although it does require that sideloading be enabled. But many app stores – like GetJar, Gfan, and Appcity – often appeal to overseas users and are not well defended against malware-laced apps.
Much media coverage has been given to some prominent examples of Android malware. There is Android Defender Platinum, a fake anti-virus app which purports to "find" malware and holds the device hostage for a fee to "clean" the infection. There is the "most complex Android malware discovered so far" – Backdoor.AndroidOS.Obad.a – and an exploit of a flaw in Android's verification process.
A key fact that can become buried in reports of this type of news, however, is that these pieces of malware – like most – must be sideloaded onto the device. This means these infections are only found in the wild outside the Google Play store.
For the enterprise worried about Android inviting rampant infections into the corporate network, the message is clear: Android devices in their default state (that is, disallowing apps from unknown sources) are not vulnerable to most of these infections.
Enterprises which control their Android devices – say, through an MDM platform – can ensure that devices are safe from sideloading. But with the rise of BYOD in the enterprise, concerns can still arise around user-owned devices which may not be so secure.
Enhanced Android Defenses
Google itself has recently bulked up the defenses against Android malware, making some of the infections of the past less of a threat today.
Although the Play Store does not employ human vetting like the Apple App Store, Google does use an automated scanning tool called Bouncer to evaluate Play Store submissions. While Bouncer, like any automated tool, is far from foolproof, it does filter out apps which employ known malware signatures or engage in behavior known to be dangerous.
Among the biggest malware infections to breach the defenses of the Play Store was one known as BadNews, which thrived earlier this year. BadNews exploited a loophole wherein apps could be clean when submitted but then later update themselves with malicious code from a third-party server. This "bait and switch" was a black eye for Android security.
Google has since closed the loophole by requiring apps to update themselves from the Play Store only – meaning that updates cannot evade being scanned by Bouncer.
Further, with Android 4.2 (Jelly Bean) Google introduced App Verification. This optional feature will scan even apps installed from unknown sources for known malicious signatures, affording an enhanced measure of security even to devices which sideload apps.
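An administrator who wants to confirm the posture described above (sideloading off, App Verification on, and no apps installed from outside the Play Store) on a managed device can do so from the output of a few ADB commands. The script below is an added example, not from the article: it parses constructed sample output of `adb shell settings get` and `adb shell pm list packages -i`, and it assumes the setting keys `install_non_market_apps` and `package_verifier_enable` as used by Android 4.2-era builds and the Play Store installer package name `com.android.vending`.

```python
"""Audit an Android device's sideloading posture from adb output (added example, not from the article).
Inputs are the text printed by these adb commands (key names are those of Android 4.2-era builds;
on other releases verify them first):
  adb shell settings get global install_non_market_apps   -> 1 = unknown sources allowed
  adb shell settings get global package_verifier_enable   -> 1 = App Verification on
  adb shell pm list packages -i   -> lines like "package:<name>  installer=<pkg or null>"
"""
import subprocess

PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play Store client package name

# Constructed sample output standing in for a real device.
SAMPLE_UNKNOWN_SOURCES = "1\n"
SAMPLE_VERIFIER = "null\n"  # 'null' means the key was never written, so the default applies
SAMPLE_PACKAGES = """package:com.android.chrome  installer=com.android.vending
package:com.android.settings  installer=null
package:com.example.store  installer=null
package:com.example.reader  installer=com.example.store
"""

def parse_flag(text, default):
    """Map a 'settings get' value to bool; unset keys ('null' or empty) use the default."""
    value = text.strip()
    return default if value in ("", "null") else value == "1"

def non_play_packages(pm_output, trusted=(PLAY_STORE_INSTALLER,)):
    """Return (package, installer) pairs not installed by a trusted store.
    installer=null also covers preloaded system apps, so compare against a known baseline."""
    found = []
    for line in pm_output.splitlines():
        if not line.startswith("package:") or "installer=" not in line:
            continue  # ignore anything that is not a package record
        name, installer = line[len("package:"):].split("installer=", 1)
        if installer.strip() not in trusted:
            found.append((name.strip(), installer.strip()))
    return found

def audit(unknown_sources_out, verifier_out, pm_out):
    """Combine the three outputs into one posture report."""
    return {
        "sideloading_enabled": parse_flag(unknown_sources_out, default=False),  # off unless the user enabled it
        "app_verification_enabled": parse_flag(verifier_out, default=True),  # on by default from 4.2 (assumption)
        "non_play_packages": non_play_packages(pm_out),
    }

def audit_live_device(serial=None):
    """Same report for a connected device; assumes adb is on PATH and the device is authorized."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]
    run = lambda *args: subprocess.check_output(base + list(args), text=True)
    return audit(run("settings", "get", "global", "install_non_market_apps"),
                 run("settings", "get", "global", "package_verifier_enable"),
                 run("pm", "list", "packages", "-i"))
```

Running `audit(SAMPLE_UNKNOWN_SOURCES, SAMPLE_VERIFIER, SAMPLE_PACKAGES)` on the constructed sample reports sideloading enabled, App Verification on by default, and three packages that did not come through the Play Store installer.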
Real Android Risks
By putting Android malware in context, it should become clear that despite the absolute numbers of malware apps detected in the wild, reasonably configured Android devices are actually at low risk of infection.
Whereas platforms like Windows XP and Vista put the onus on enterprises and users to take active steps to increase their security against malware, the situation is quite the reverse with Android, where the default state is among the most secure and users must take active steps to reduce their security.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.