Android Fails in Mobile Malware Research

There are many more malware-infected Android devices out there than you might think. It's all because the Android ecosystem and Google Play store are more friendly to malware and exploits than iOS and the Apple App Store or Windows 8, Windows Phone and the Windows Store. There's some, but not much reason, to think things will improve for Android in the near future.

What about Windows? Microsoft's Windows Store sells apps for Windows 8, Windows RT and Windows Phone. All of this is a bit young and market share is small enough that it's possible nobody has even tried to submit malicious code, but Microsoft has gone to some trouble to prevent it. The software giant has credibility in this, as over the last 10 years it has transformed desktop and server versions of Windows from security jokes to industry leaders.

Microsoft provided me with these links for app security provisions:

Windows 8 implements all of the techniques in Windows 7 to protect against malware and some new ones, most importantly (as I see it) a new generation of SmartScreen. SmartScreen is a reputation system. For some time it has been used by Internet Explorer to determine whether a web site is known to be safe, unsafe, or if it has never been seen before. Windows 8 extends this reputation system to files generally. See the screen capture below:

Because of the enormous installed base of Windows and Internet Explorer, the reputation system has great credibility. Windows 8 also comes with a version of Windows Defender to act as an anti-malware solution if you don't have a third-party product installed.

Apple's rules and procedures for developer identity verification and vetting of programs ("We review all apps to ensure they are reliable, perform as expected, and are free of offensive material") are famously thorough and strict. Microsoft's developer ID requirements and procedures are also fairly thorough.

Google asks few questions and I see no evidence that they verify anything meaningful. In fact, by keeping fees the lowest in the business, minimizing identification requirements and making a joke out of code signing they have created the perfect low-cost/low-consequence environment for writing malicious code.

Strong controls keep malware out of Apple's App Store and weak controls in Google Play invite it in. Trail of Bits found 30 malicious app campaigns on Google Play and none in the App Store. Source: Trail of Bits

It's simply too early to tell whether malware and other malicious app behaviors will be a problem for Windows Phone, Windows RT or Windows 8 apps. But it's certainly not too early to reach a verdict on Android: Google has failed to implement sufficient controls and malactors have rushed in to take advantage. The overall numbers may be low as they represent only a small percentage of installed base, but they're big in absolute terms. Be careful out there.