back to article Got an Android mobe with a virus? Congrats, you're The One Per Cent

Android has been known to be the mobile malware industry's operating system of choice. Now Google has published a report claiming infection rates on Android devices are much lower than you might expect. While the overwhelming majority of mobile malware is written for Google-powered gadgets, the report claims that in 2014 less …

  1. JCitizen Bronze badge
    Coffee/keyboard

    Apps are the usual point of entry.

    Even the best operating systems can be pwned if any apps have holes in them. In the desktop environment, applications like adobe flash, and java are favorites for criminal exploit kits. In a Windows PC machine, using a limited account with all applications and the OS fully updated; it has been very difficult to find exploits that can take hold in my honey pot lab. However malware, can sometimes run with the same rights as the user and still do damage to their finances or other personal integrity.

  2. Thomas Wolf

    No critical fixes? Sure!

    Google claims that last year it did not have to fix any critical security issues. Could that be because it does not bother fixing old versions of Android? Or, even if it did, that most people with older devices could not install these fixes because their carriers don't make them available?

  3. Mark 85 Silver badge

    A little math..

    1 Billion X .01 (1%) = 10,000,000 infections... wow... I would think there's a pile of money to be made there for a good.... make that great... AV for Android. By great, I mean one that actually worked.

    1. Cliff

      Re: A little math..

      Yes indeed, although 8,500,000 of those 10,000,000 use other app sources, which it's rather harder to police. If someone is determined to side load (or dubious app supplier) it's hard to stop them getting what they should be expecting. Try torrenting any computer game or Photoshop for instance - you stand a better than fighting chance of getting infected.

      Of the 1,500,000 who got infected via Google Play, these are the ones that are Google's real shame.

      1. Anonymous Coward
        Anonymous Coward

        Re: A little math..

        It depends what "infected" means. Are you using it in the same untrue way as the author (or sub-editor) of the article who does not understand what a virus is?

        It could be anything from a dodgy ad network, a security risk, an auto-updating app, etc. Doesn't mean it is an infection as in a virus.

      2. Elmer Phud

        Re: A little math..

        "Try torrenting any computer game or Photoshop for instance - you stand a better than fighting chance of getting infected."

        But isn't that exactly like going elsewhere for your apps?

        1. Cliff

          Re: A little math..

          >>>.But isn't that exactly like going elsewhere for your apps?<<<

          Exactly - going to an illegit distributor massively raises the risk of catching a nasty.

    2. Anonymous Coward
      Holmes

      Re: A little math..

      "good.... make that great... AV for Android. By great, I mean one that actually worked."

      Malwarebytes.

      Free.

    3. Anonymous Coward
      Anonymous Coward

      Re: A little math..

      Small fry compared to windows. I would guess the infection rate is close to 30 percent. I have seen two day old windows 8.1 machines crammed full of malware.. never seen or heard of a single real world android problem.

      Therefore I would trust Google's numbers, they seem to corrolate pretty well with my experiences.

  4. This post has been deleted by its author

  5. Hans 1
    FAIL

    Ouch

    Over 50% of the apps available on Android are phishware - anything on Android that wants to access your SMS, email, or Contacts is phishware, in my books. And you cannot even turn that off!

    1. Anonymous Coward
      Anonymous Coward

      Re: Ouch

      "Over 50% of the apps available on Android are phishware"

      Really do you have a reference for that?

      "anything on Android that wants to access your SMS, email, or Contacts is phishware,"

      So how would you build an messaging client, an e-mail client etc without accessing that? Maybe ask the user to retype all his contacts into your app by hand?

      1. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          Re: Ouch

          So back to the original point - any downloadable apps should be sandboxed and have no access to anything like contacts

          .. which is why I would very much like to see the iOS approach to permissions come to Android. In iOS, access to user data such as contacts, calendar, location, microphone etc is by default off and users have to give permission for each such resource the first time it's used before a new app has access. In addition, apps are not permitted automatic access to resources that could be abused to create costs such as making phone calls or the whole SMS subsystem, but that is a two-edged sword because that also makes it impossible to create secure SMS apps for iOS (in case you'd want to).

          In addition, you remain in control over those permissions - you can still switch them off again later. Of course, apps such WhatsApp will then refuse to start up because I assume their main job is to export personal data such as your address book, but then you know at least what it's doing.

          If Android would take over that approach it would go some way towards making it safer.

          1. Montreal Sean

            Re: Ouch

            So you mean they need a permissions system like BlackBerry has?

            I'm given a list of requested permissions and can choose whether or not to enable them. They advise that certain app features may not work correctly if permissions are disabled, but the app will still launch.

          2. RudyF

            Re: Ouch

            "If Android would take over that approach it would go some way towards making it safer."

            I seriously doubt that.

            There's no essential difference of the two approaches. An android app demands that the user looks at all its permission requirements prior to installation while an iOS app demands the same when it's first run. Further, being able to "turn off" specific permissions granted to an iOS app is equivalent to the Android "disable this app" option.

    2. Paul Shirley

      Re: Ouch

      Can't disable those permissions (without rooting) but its not hard to take the hint and just not install any of that suspicious crapware, when the installer warns you. I can't remember any app that asked for blatantly unnecessary permissions so useful or tempting it was with worth ignoring that warning.

      Unfortunately the world is full of stupid people that do ignore those warnings, do install complete crap and there's no good way to stop them doing it. Bit of a miracle infection rates aren't 50%+.

    3. Planty Bronze badge
      FAIL

      Re: Ouch

      I think you are confused... android app needs a permission for this.

      On ios it's totally hidden...

      http://venturebeat.com/2012/02/14/iphone-address-book/

      1. Mike Bell

        Re: Ouch

        Settings | Privacy | Contacts

        All the apps that have access to iOS contacts are listed there, and may be disabled on a per app basis. It's not 'hidden' and you have to grant permission before an app is allowed access to your contacts.

      2. Anonymous Coward
        Anonymous Coward

        Re: Ouch

        I think you are confused... android app needs a permission for this.

        On ios it's totally hidden...

        http://venturebeat.com/2012/02/14/iphone-address-book/

        You're confusing things.

        No app gets rights to the address book in iOS without the user explicitly granting permission (at least, since iOS 7 and above). That article is about what the app then does with that permission - one reason why I will never run WhatsApp on my phone, which, incidentally, we found to stop working on iOS when you take that access away. It wants to keep its masters up to date with your information, all the time.

        It would be worth noting that the specific (IMHO rather misleading) comments were made by people who were flogging their own software, using an approach that other apps have been using for ages (Threema, for instance, uses hashing to identify other people in your address book who have the app installed).

  6. Dan 55 Silver badge
    WTF?

    Google can rest easy then

    So only 10,000,000 devices carry malware. Assuming billion is the US billion. And assuming Google can detect the malware in all of them which is doubtful on non-Play devices and devices which have verification turned off.

    1. Sarah Balfour

      Re: Google can rest easy then

      Assuming you mean 1,000,000 x 1,000, yes…? That's universal standard these days. The old UK billion (i.e. a million squared) is known as a 'billiard'.

      1. dajames Silver badge

        Re: Google can rest easy then

        The old UK billion (i.e. a million squared) is known as a 'billiard'.

        You've missed your cue!

        Er, no. The old UK billion is known by the modern crowd (those who use the term "billion" to mean 10^9) as a "trillion".

        Those of us who still use the term "milliard" for a thousand million know that "billiard" is the term for a thousand billion (that is 10^15).

  7. Elmer Phud
    Facepalm

    Just click and go?

    Don't people check permissions first and look for another app if they think the first one is too intrusive?

    Click and go? -- deserve the pain if you do.

    1. This post has been deleted by its author

      1. phil dude
        Meh

        Re: Just click and go?

        Unfortunately this is Google's Dog's breakfast, and they know it.

        I am a technical user, and there is no way to tell a "good use of contacts" from a "bad user of contacts".

        Accessing anything at all to do with a single phone number is "contacts". As is being able to send you an SMS is "SMS messages".

        I recommend installing (IMHO) what you can from "F-droid" which are GPL apps and have the minimum of cruft included. Start with SecureText, Redphone and Owncloud. Securetext makes your SMS's unusable to other applications, or at least will make them appear as garbage.

        My recommended Play store apps, Trucaller* . This way you can control/block text messages from/too numbers.

        In general Google, Android security is very ,very , stupid or perhaps lazy.

        You pick.

        P.

        PS this is my first android phone, but third android device. I am not at all sure it is improving, though battery life is pretty good. Not "Nokia Symbian" good, but still good.

  8. DrXym Silver badge

    Most people are quite safe

    Assuming people get their apps from the Play store then they're likely fairly safe. Malware doesn't rise to the top of charts so the rate of infection is self limiting. Even if some people come across "sexy girl screensaver" and click through the permissions, they will be a tiny minority.

    On top of that Google have monitoring which occurs client and server side. I wouldn't be surprised if they have a few canaries in their client side software which detects phones which are rooted or checksums changing and can correlate that to malware. They also have the ability to remove apps from the store and remote kill apps.

    It's probably the dodgy sites where the most risk lies. Doubtless many of the free APKs on these sites are actually malware, particularly where the app is something that costs money on the Play store.

    1. Anonymous Coward
      Anonymous Coward

      Re: Most people are quite safe

      On top of that Google have monitoring which occurs client and server side. I wouldn't be surprised if they have a few canaries in their client side software which detects phones which are rooted or checksums changing and can correlate that to malware. They also have the ability to remove apps from the store and remote kill apps.

      Just out of interest, you see nothing wrong with the world's greatest (public) collector of personal data having that kind of control? <shudder>

  9. Mikel

    1% is great

    Considering how open it is, how many people use dodgy software sources, 1% is pretty darned good. Stick with Google Play Store and you should be golden. This is why when looking for a tablet I say "No Play? No way!"

    1. phil dude
      Boffin

      Re: 1% is great

      I'm afraid that is no guarantee.

      Motorola support, however, said (told me on the phone) they will support everything in the Playstore, so I am holding off rooting this phone to see if I need them to get involved.

      Perhaps attaching liability to closed source apps would help...

      P.

  10. Anonymous Coward
    Anonymous Coward

    actually

    if you only use the play store (as most do) its only 0.1% have an app of "questionable intent", not "a virus" per-se and if deemed truly malicious they were removed.

    There is nothing inherently insecure about stock android itself any more than iOS, its just we are given the option of being insecure.

    Many android phones such as from samsung, as well as all lollipop based have SELinux enforcing enabled and basically cannot be rooted via an exploit.

    Claiming that 1% of "android" phones have a virus is a very misleading statment. Hopefullly your stereotypical views of things don't extend beyond technology.

  11. Wize

    Does this total include...

    ...any spyware or tracking software from the NSA?

    1. Sebby
      Thumb Down

      Re: Does this total include...

      Indeed, does it include the privacy-violating crud from Google itself?

      IMO Google's report is false: 100% of Android devices carry malware, because 100% of them run Android. This will never change until Google provide a fine-grained permissions and background-process control mechanism and allow the user to remove whatever the hell they want, without rooting. The first two, at least, are provided by iOS.

      Or you could just go with iOS. Less flexibility and freedom while in the hands of the ever-jocund Apple, for sure, but at least it's a quality product. And I'll take a quality, more disagreeably expensive, if more restricted, experience to a horrid, data-raping one any day.

      Potential downvoters: I like and use ChromeOS, and run Linux on my servers and VMs. :)

      1. DryBones

        Re: Does this total include...

        Rubbish. By that logic your garage door opener and washing machine are full of malware. They don't have the permissions model and you can't load whatever you want on them.

        Android and iOS give their customization in different places. I use Android because it gives me the control where I want to make things work how I want. Would I like the control something like App Ops gave? Yes, but not enough to switch back. Apple has way too much in the way of pretentious, elitist airs.

  12. g7rpo

    Make app store more stringent, ban devs who produce these apps, make the google app store trustworthy which at the moment its very far from

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021