Android threat exaggerated, or is it?

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 10 Oct 2013
Google and Damballa claim the mobile threat is vastly exaggerated.

A lot of the talk surrounding mobile security has latched on to the pervasiveness of Android malware. A recent report from Trend Micro said the number of samples of Android malware has reached a million, and that the vast majority of mobile malware - 99% - is written for the Android platform.

However, new research by Google claims the threat is vastly exaggerated. At Virus Bulletin last week, Google said a mere 0.001% of apps downloaded by Android users are potentially harmful to their devices or data, because most malware is caught in the net of its multi-layered defence strategy way before installation.

A study released this week by security company Damballa, in conjunction with several researchers from the Georgia Institute of Technology, backs up Google's claims.

Entitled "The Core of the Matter: Analysing Malicious Traffic in Cellular Carriers," the study found that mobile malware appears in an infinitesimal number of devices - a mere 0.0009%.

How they did it

The study said "much of the attention surrounding mobile malware has focused on the in-depth analysis of malicious applications", and although this analysis has resulted in valuable information about the malware author's methods and targets, it has not yet been able to quantify the "prevalence with which mobile devices are actually infected".

The researchers studied hosting infrastructure used by mobile applications. Using DNS traffic gathered over three months from a major US cellular provider as well as a major US non-cellular ISP, they identified the DNS domains looked up by mobile applications, and analysed data related to the Internet hosts pointed to by these domains.

Effectively, the researchers had visibility into 43% of wired and 33% of wireless traffic in North America, and because network level analysis is device-agnostic, it allowed them to track the threat to mobile devices in general.

The mobile malware found appeared in only 3 492 out of over 380 million devices observed during the course of the study.

Backing up the claims

This result lends weight to Google's argument that although not bullet-proof, mobile app markets are doing a fair job in terms of offering security to their users, the researchers said.

The research also challenged the maxim that one mobile platform provides better security than another, as it revealed that users of iOS devices are "virtually identically as likely to communicate with known low reputation domains as the owners of other mobile platforms".

Charles Lever, Damballa Researcher and Georgia Tech PhD candidate, said the difficulty of distribution could explain the low levels of mobile malware. In a posting, he added that between them, Google Play and the iOS App Store offer 1 750 000 applications, and provide malware controls too.

In this way, over and above getting applications approved, malware writers enjoy the same discovery challenges as legitimate applications, and this lowers the chances of users encountering malicious apps.

Opposing views

Not all security practitioners share this view. Roman Unuchek, senior malware analyst at Kaspersky Lab, says the difference in evaluating threats for smartphone and tablet users who are downloading Android apps can be explained by different detection rates of the anti-virus tools being used in the research.

He says the ways in which companies determine malware can differ. "Comparing Kaspersky Lab's research results with those conducted by other companies, revealed differences due to their use of different solutions for malware detection."

Kaspersky data is collected through its latest solutions, all of which Unuchek says have had great results in independent tests in terms of detection rates, which he says are "one of the most important, deterministic and reliable features of an anti-malware product".

"Kaspersky Lab data shows that around 0.4% of all installations of Android apps for the past half year (April 2013 - October 2013) were malicious."

Therefore, he says it is Kaspersky Lab's assertion that threats for Android devices are pervasive and can cause harm to Android smartphone and tablet users.

Protecting their reputation?

Gregory Anderson, country manager of Trend Micro SA, says there is no doubt the mobile threat is on the rise. "While naturally vendors will look to protect their reputations, the very nature of the mobile device opens them up for malicious activity."

He says neither Android, nor Google through its store, certifies or guarantees the applications have been tested for their security. "One cannot simply state that these devices are free from malware and believe that you are safe using them, there are silent threats such as Botnets that may enter at any time along with downloaded data."

So are Android device users vulnerable, asks Anderson. "Absolutely. Does it mean they should stop using them? Absolutely not. But they must secure them better and they must be cognisant of the fact that not all Android applications are secure, particularly those that are free for download on the Internet. Remember the Android development ecosystem allows people to test and try applications, without testing them for vulnerabilities, in a live environment."

The 'consumerisation' of IT

From a security industry point of view, the concept of 'consumerisation' is forcing companies to change their approach to how they detect, monitor and remove threats from mobile devices, adds Anderson.

"Mobile security isn't simply about detecting and quarantining a threat anymore - the detection methods need to be a lot more sophisticated."

He says we would be naïve and remiss to say that mobile security threats are not growing. "They are growing and this is why corporates are having to increase their investments into security, and why many of them are changing their approach from monitoring simply what comes in to include monitoring what goes out on their networks."

Trend Micro's latest threat report tracked 718 000 separate instances of high-risk Android apps in the second quarter, up from 509 000 high-risk apps found in the first three months of this year.

"We estimated that the number of high-risk Android applications available on the market would exceed one million by the end of 2013 - I can tell you it already has."