I’m often asked about the real danger of Android malware. This is a difficult question as it has many factors to consider, such as your location, your device, how many apps you install, and how reckless you are with the apps that you choose.
There are two common factions often at odds with each other.
There is one side of the argument that states that the threat to Android is overblown, and that because the number of malicious samples discovered so far is so small in comparison with Windows malware, it’s insignificant. In fact when a company discloses their findings and they show any type of marked growth in this sector, they’re often accused of scaremongering to generate sales.
I believe that the real source of this argument lies in the fact that so many companies have been calling this the year of mobile malware for about 7 years. And by ‘this’ I mean every year since 2004. In 2004, the first cell phone virus was discovered. It was named ‘Cabir’ and travelled via Bluetooth on Symbian phones. With this discovery it was natural to assume more threats would arrive on mobile phones, and they did. Just not in any type of alarming numbers, for many years to come. But this is changing. Statistics show an ever increasing rate of Android adoption. Google claims that they are activating more than a half-million devices per day. With that many new users, malware authors are sure to follow.
On the other side of this argument we see people like me who are doing research on Android threats every day. I see users that are installing malicious applications like DroidDream, which affected more than 100,000 users, and ad networks that leak user data without their knowledge. I see the growth of tablets and non-traditional devices like televisions that run Android. I see the Android logo everywhere. And so do the criminals. In fact, if you ask many of the veterans of the anti-virus industry, they’ll draw comparisons to the early days of Windows malware. The slowness of updates, the lack of user awareness, and the idea that it won’t really affect me are ever present.
One thing I think is important to mention is that many of the new threats we see are discovered in alternate markets in places like China. In fact, much of the malware discovered isn’t practical for criminals targeting the US, at least not yet. This is due to the fact that most of the mobile device malware consists of SMS Trojans that just don’t make sense in the US. SMS Trojans send messages that cost a certain amount per transmission. This malware is very successful in places like Russia and China. The reason that SMS Trojans aren’t popular in America can be linked to a couple of factors. One is that the pay cycle for premium rate numbers in the US is on a 30-day window. This means that the criminals won’t collect the money from their victims for days to come, leaving a lot more time for the authorities to catch them. Two is that the setup of these premium rate numbers requires a lot more identifying information. In other countries, they may not have to provide much info, allowing the criminal to stay anonymous. So what we see in the US is almost entirely data theft malware. If you are in the US, ask around, and I bet you’ll find few people who have been infected. Try this same tactic elsewhere in the world, and you may have a far different experience. We also expect this to change, as the sophistication and type of malware are quickly developing. If there is a shift in the ability for mobile malware authors to collect money, you can be sure they will take advantage of it.
I would finally like to add that our job as researchers in the security community is to identify emerging threats. While some of us work for the anti-virus companies in a profit-driven business, we advocate for the public. The battle against cybercrime is difficult and always evolving, but we are making an impact, and we will continue to fight it. Educating the public on the types of threats out there is one way in which we do this. The malware problem in the world exists on a grand scale, and any effort we can make to lessen its effects results in a positive outcome.