Android Security: Threat Level None?

Security firms are fanning the flames of fear about mobile malware and viruses, while others accuse such firms of being scammers. Who's right, and who's wrong.
Earlier this week, Juniper Networks lit a fire with its report claiming that the amount of mobile malware has jumped 472% since July. According to Juniper's numbers, the number of malware samples collected in October jumped 110% compared to September, and 171% over what was collected in July.

"These days, it seems all you need is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications," the company wrote in a blog post. "With no upfront review process, no one checking to see that your application does what it says, just the world's largest majority of smartphone users skimming past your application's description page with whatever description of the application the developer chooses to include."

Earlier this year, Symantec, too, warned of mobile malware in the Android Market. In its own blog post, Symantec said, "Android malware is on the rise. Android.Pjapps is another example of a Trojan with back door capabilities that targets Android devices. As seen with previous Android threats, it is spreading through compromised versions of legitimate applications, available on unregulated third-party Android marketplaces."

Symantec, of course, sells security software for both PCs and mobile devices.

[ Want to avoid Android App stinkers? See 10 Android App Flops. ]

Let's not leave out Kapersky Labs (which also sells security software.)

"When it comes to attacking smartphones, there were clear signs that cybercriminals have made Android their platform of choice," the company said in a blog post on Thursday. "Increasingly sophisticated operations by malicious programs were also noted in Q3 along with some tried-and-tested methods: innocuous QR codes are now being used to conceal malware and computers are facing threats even before their operating systems start as cybercriminals revisit BIOS infection methods."

Are you scared yet, Android smartphone owners?

Are you quaking in your boots? Are you ready to buy antimalware and antivirus software from these companies? Should your corporate IT department be licensing protection schemes in bulk?

Hold on just a minute.

Google's open-source Guru, Chris DiBona, had some harsh words about these reports and the companies that generate them.

"Virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS," he wrote on Google+. "They are charlatans and scammers. If you work for a company selling virus protection for android, RIM or iOS you should be ashamed of yourself."

So, is there a risk then? Yes, says DiBona, but it's not what you think.

"A virus of the traditional kind is possible, but not probable. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn't Independence Day, a virus that might work on one device won't magically spread to the other."

DiBona is right. While some malware and viruses have tried to make use of Bluetooth and Wi-Fi radios to hop from device to device, it simply doesn't happen the way security companies want you to think it does.

But DiBona has one more thing to say. "Policy engines, and those tools that manage devices from a corporate IT department are not the same thing at all, but sometimes marketers in companies that sell such things sometimes tack on 'virus' protection. That part is a lie, tell your vendor to cut it out," he wrote.

Now that we have a few different views on this topic, who do you think is right? Well, there's some truth to what the security vendors are telling us. Smartphones--and apparently Android devices in particular--can be infected with malware through careless use.

But DiBona is right, too. How do we know that he is? Because there haven't been mass break-outs or major epidemics of malware spreading from phone to phone to phone. It simply hasn't happened yet. Could it? Yes. Will it? Probably not anytime soon.