Commentary
11/18/2011
04:30 PM
Eric Zeman

Android Security: Threat Level None?

Security firms are fanning the flames of fear about mobile malware and viruses, while others accuse such firms of being scammers. Who's right, and who's wrong?

Earlier this week, Juniper Networks lit a fire with its report claiming that the amount of mobile malware has jumped 472% since July. According to Juniper's numbers, the number of malware samples collected in October jumped 110% compared to September, and 171% over what was collected in July.

"These days, it seems all you need is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications," the company wrote in a blog post. "With no upfront review process, no one checking to see that your application does what it says, just the world's largest majority of smartphone users skimming past your application's description page with whatever description of the application the developer chooses to include."

Earlier this year, Symantec, too, warned of mobile malware in the Android Market. In its own blog post, Symantec said, "Android malware is on the rise. Android.Pjapps is another example of a Trojan with back door capabilities that targets Android devices. As seen with previous Android threats, it is spreading through compromised versions of legitimate applications, available on unregulated third-party Android marketplaces."

Symantec, of course, sells security software for both PCs and mobile devices.


Let's not leave out Kaspersky Lab (which also sells security software).

"When it comes to attacking smartphones, there were clear signs that cybercriminals have made Android their platform of choice," the company said in a blog post on Thursday. "Increasingly sophisticated operations by malicious programs were also noted in Q3 along with some tried-and-tested methods: innocuous QR codes are now being used to conceal malware and computers are facing threats even before their operating systems start as cybercriminals revisit BIOS infection methods."

Are you scared yet, Android smartphone owners?

Are you quaking in your boots? Are you ready to buy antimalware and antivirus software from these companies? Should your corporate IT department be licensing protection schemes in bulk?

Hold on just a minute.

Google's open-source guru, Chris DiBona, had some harsh words about these reports and the companies that generate them.

"Virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS," he wrote on Google+. "They are charlatans and scammers. If you work for a company selling virus protection for android, RIM or iOS you should be ashamed of yourself."

So, is there a risk then? Yes, says DiBona, but it's not what you think.

"A virus of the traditional kind is possible, but not probable. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn't Independence Day, a virus that might work on one device won't magically spread to the other."

DiBona is right. While some malware and viruses have tried to make use of Bluetooth and Wi-Fi radios to hop from device to device, it simply doesn't happen the way security companies want you to think it does.

But DiBona has one more thing to say. "Policy engines, and those tools that manage devices from a corporate IT department are not the same thing at all, but sometimes marketers in companies that sell such things sometimes tack on 'virus' protection. That part is a lie, tell your vendor to cut it out," he wrote.

Now that we have a few different views on this topic, who do you think is right? Well, there's some truth to what the security vendors are telling us. Smartphones--and apparently Android devices in particular--can be infected with malware through careless use.

But DiBona is right, too. How do we know that he is? Because there haven't been mass break-outs or major epidemics of malware spreading from phone to phone to phone. It simply hasn't happened yet. Could it? Yes. Will it? Probably not anytime soon.

Comments
Abaddon
Abaddon,
User Rank: Apprentice
12/15/2011 | 3:57:50 PM
re: Android Security: Threat Level None?
I would have to agree with ANON on this... The Android marketplace is what is spreading the applications that contain malware, not the phones. Here's how it works. User buys an app, then user installs app on the phone. Once user launches the app, the app exploits vulnerabilities in the phone's operating system to gain root level privileges and do what it needs to. Operating systems have vulnerabilities. The problem is that this is still a relatively new frontier for public knowledge so people are not as informed about it as they should be even though vulnerabilities in the mobile operating systems are being discovered. This is not about viruses on mobile devices, it's about malware and trojans on devices. There are differences. There is also a stark difference in the way applications are reviewed and published between the two companies and that is part of the issue as well. I'm not saying that this type of issue couldn't happen on the IOS side of the world. However, until Android/Google start taking this seriously and implement a real application review process this could potentially have some nasty consequences for Android users.
ANON1237925156805
ANON1237925156805,
User Rank: Apprentice
11/22/2011 | 7:32:35 PM
re: Android Security: Threat Level None?
I agree with the prior post that it's melodramatic to say the least to rant about 10s of thousands of people getting attacked. However he's right about the nature of the Android threat. It isn't the fact that viruses are contagious; it's that applications with malware are less likely to be detected in advance in the uncurated Android marketplaces than they are in curated ones, whether those be the Apple store or the Amazon marketplace for that matter.

To say that is not to be an Apple fanboi; it's to be accurate so that users can make educated decisions. At one point in the past year Android removed some 50 apps from the marketplace after complaints and uninstalled them from users' phones. One piece of malware required killing software on 300,000 phones. Add to this the fact that the phones don't always have the latest security patch and you've got risks there. OS changes don't push over the air and because of all the flavors, an update strategy like synching via iTunes isn't feasible. These things can't be glossed over.

The Android guru is right to point out the self-interested exaggeration of Symantec et al, but he doesn't address these other elements. My final take is that it's up to the consumer to know where the risk is; to read the fine print when downloading applications and pay attention to their settings; and to ensure before purchase that the carrier has a credible strategy for distributing OS updates and security patches on a timely basis.

Speaking of fanbois, whoever trotted that tired epithet out of his back pocket and lobbed it at Mr. Zeman, pls take it back. This is fair and balanced reporting that if anything tells the folks carrying Androids that they are not at imminent risk of attack. It's a very fine piece of reporting.
seattlemkh
seattlemkh,
User Rank: Apprentice
11/22/2011 | 12:04:46 AM
re: Android Security: Threat Level None?
This is a carefully chosen set of words to obfuscate the issue in favor of one company or another - as all marketing BS is. A "virus" connotes something that moves from system to system independently, exploiting some vulnerability to do so. Very 20th century. Malware that monitors keystrokes, steals data from banking apps, or makes expensive SMS/phone transmissions are the issue. Those are legitimately becoming a concern, and when organized criminals figure out a way to monetize access to smart phones, the emphasis will shift altogether. A/V companies produce malware protection. Parsing the word, "virus" and emphasizing the lack of automatic propagation is disingenuous.
ExpatZ
ExpatZ,
User Rank: Apprentice
11/21/2011 | 2:23:53 PM
re: Android Security: Threat Level None?
AAAAAHHHHHAHAHAHAHAHHHHHHHHHHHHHHHHH!!!!!!!!
THE END OF THE WORLD IS NIGH - REPENT SINNERS!!!!!
ONLY THE CULT OF STEVE CAN SAVE YOUR PHONES NOW!
BITE OF THE APPLE AND SAVE YOURSELVES FROM CERTAIN PWNAGE!
FOR ONLY THROUGH THE GLORY AND THE MAGIC OF THE iVERSE CAN YOU ACHIEVE SAFETY!

REPEEEEEEEEEEEEENT!

Idiot fanbois.
DLYNCH294
DLYNCH294,
User Rank: Apprentice
11/21/2011 | 1:53:04 PM
re: Android Security: Threat Level None?
Hey, look, an anonymous idiot says that the Android Market is spreading malware. There are "10's of thousands of people with malware on their phone RIGHT NOW"? Says who?

It's impossible for any piece of software to install itself on an Android phone. Read that again. Impossible. The user has to accept the permissions and then initiate the installation. The permissions page lists exactly what the software will be able to do. That's not something that a programmer can fake. It's part of the operating system and there's no way around it. If you don't want apps to have access to your personal data, then don't install apps that say they are going to access your personal data. It really is that simple. No app will ever have access to your personal data unless you have explicitly given it permission to access that data.

If these companies want to market and sell "stupid protection", there would be nothing wrong with that because that's all their software does. It protects you from your own stupidity. If you don't understand what the permissions mean, then why are you installing software from some goofball developer that you've never heard of?

We all understand that you're an apple fanboy who hates the fact that Android is crushing your silly, locked-down operating system, but you really need to work on your presentation a bit because you're just making yourself look like a fool.
ANON1244594108572
ANON1244594108572,
User Rank: Apprentice
11/21/2011 | 1:37:44 PM
re: Android Security: Threat Level None?
apparently you skipped the part where the Android MarketPlace IS THE MASS BREAK out point of malware... Phones are not spreading malware from phone to phone, but the point is that the Marketplace IS SPREADING malware to phone to phone... GET IT?????

no you shouldn't trust a security vendor, but what you did was instead trust an Android vendor????

trust neither one... trust the facts...

there are 10's of thousands of people with malware on their phones RIGHT NOW....growing exponentially... not from spread from their friends, but from spread of malware from the ANDROID STORES...

literally if you plug into an Android marketplace in China or Russia, or Korea you have more than a 50% chance of getting malware or a stolen product, instead of a legit app...

in the US you have somewhere close to 5% chance.. but that figure is growing exponentially....

THAT is the threat....

Android is destroying Android.... no one else.
Bprince
Bprince,
User Rank: Apprentice
11/21/2011 | 1:57:58 AM
re: Android Security: Threat Level None?
Good article. There was an article recently in Mac Observer that also questioned some of the common assumptions about Android malware. Worth a read.
http://www.macobserver.com/tmo...
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Steve_CISSP
Steve_CISSP,
User Rank: Apprentice
11/19/2011 | 6:10:37 PM
re: Android Security: Threat Level None?
This is a great article! Finally a journalist that is asking the right questions about mobile anti-virus. I have been very suspect to the FUD around this, if anything it is about marketing hype, people assume that since their computer needs anti-virus so do their phones and these companies are taking advantage of this. I think one of the biggest offenders is Lookout Mobile Security, who not only have scammed the public, but also investors, as they have raised close to $80 million dollars on the hype and fears of mobile anti-virus. When it comes down to it though their software has done nothing to protect their customers, it is complete BS. However, they release their pretty infographics and the media love it and fan the flames.