Until now, Google hasn’t talked about malware on Android because it did not have the data or analytic platform to back its security claims. But that changed dramatically today when Google’s Android Security chief Adrian Ludwig reported data showing that less than an estimated 0.001% of app installations on Android are able to evade the system’s multi-layered defenses and cause harm to users. Android, built on an open innovation model, has quietly resisted the locked down, total control model spawned by decades of Windows malware. Ludwig spoke today at the Virus Bulletin conference in Berlin because he has the data to dispute the claims of pervasive Android malware threats.
This is exactly the kind of data we need, and Google has revealed it all. So, less than 0.001% of application installations on Android – and this specifically includes applications outside of Google Play! – are able to get through Android’s multiple layers of security. In other words, saying Android is insecure is a lie.
Thanks to OSAlert reader tkeith for pointing out this article.
Numbers are arbitrary. You can make them say whatever you want.
Edited 2013-10-08 22:05 UTC
Done in one.
That was the whole point of the post. The longest-running FUD about Android and free software is that it’s inherently insecure.
Umm, if Thom can say the iPhone 5S/5C launch may or may not have been a success because numbers are arbitrary. And he can say that we do not know whether or not Android or iOS is more or less insecure… I see absolutely and utterly no basis here for that same person to claim that this internal Android number shows that Android is secure.
And here’s a simple question to prove how stupid this post is (following those previous posts): Google is providing a percentage number of apps that they were able to detect trying to circumvent their security measures… What percentage of apps that are malicious were they UNABLE to detect circumventing their measures?
Here’s another one: if Apple provided a similar percentage figure that was in fact lower, would that prove that iOS is in fact more secure than Android? Without such a number has Thom actually demonstrated that Android IS secure if it is LESS secure than alternatives?
Edited 2013-10-08 22:39 UTC
What I find brilliant is that you’ve jumped all over this article yet apparently are completely oblivious to the previous article, and Thom’s commentary on it.
I see no lack of reading comprehension on my part of the previous post. Would you care to elaborate?
Calling out Thom is OK, but it was not only Thom that had issues with the sentiment behind the numbers. Again, a minority were contesting the numbers. What people pointed out is that it was a very low jump in sales. Specifically because Apple did not address the major market’s price sensitivity and lowered device subsidies.
Thom did not address the launch numbers either. He performed handwaving that he thought was magical but was rather laughable. He introduced an absurd numerical comparison that was idiotic on its face and then claimed we can learn nothing from numbers because all numbers are arbitrary (even though it was obvious that the numbers are not arbitrary and have meaning, that his numbers were ridiculous). I don’t have to address some issue that you want me to address; I am addressing the issue of the proprietor of this site deciding to claim that nothing can ever be known based on statistics because he could say something stupid with useless statistics (even though the flaws in his numbers were transparent and TELLING) in complete defiance of reason and logic and then he decides to use statistics a few days later to claim that he can prove something that he wishes was the case — which is utterly hypocritical, inconsistent, and not evident.
If he didn’t expect or want that idiocy to come back at him, he should never have made such a stupid comment, or he should have avoided ever again posting a claim based on a number resulting from a statistical analysis.
Edited 2013-10-09 13:03 UTC
Noted.
That’s what she said.
Thom, by all reports, is a man.
*WOOSH*
*WOOSH* right back atcha! You aren’t presuming that I didn’t get the original joke and that I wasn’t joking right back at his post (at Thom’s expense), are you?
Yeah, after reading the article, it really should be .12% of all installs are *potentially* malicious ( taken from their 1200 out of every 1 million statistic). The smaller number only refers to those that actively try to evade the run time detection of malicious behavior.
Of course the .12% contains a large number of false positives (rooting apps), so it’s not that bad either, but it’s no more than that bad.
True, that’s why we never believe Apple’s numbers and especially not Apple numbers quoted by the Apple fans on OSAlert.
So if I’m holding two apples right in front of you, I can somehow twist it to make you think I’m holding 1? No, sorry, numbers are (for the most part) absolute. They can be used loosely though, using approximations, etc.
You do understand that this was Thom’s argument a few days ago? I am mocking it for how stupid it is by using it against this argument which is also stupid.
Edited 2013-10-10 00:12 UTC
To be honest, I’ve been so busy I haven’t been around here much lately because I’ve been busy, so no–I actually wasn’t aware of that.
Does this mean tkeith just won a place at Gartner’s Senior Research Board? They seem to be in need of some knowledgeable people…
All those malware authors must be writing all that malware for Android as a sort of weird hobby.
Spooky.
Or, more likely, especially if you have even a modicum of pattern recognition ability – antivirus companies are scumbag liars, and are padding and overestimating their numbers of discovered Android malware families, something they do for Mac OS X as well.
And the department of homeland security? They’re inventing malware on Android as well because… I do look forward to your theory there.
http://info.publicintelligence.net/DHS-FBI-AndroidThreats.pdf
Edited 2013-10-09 03:14 UTC
Maybe you should actually read the report. In order to, you know, not look silly.
Reading is for cowards!
Edited 2013-10-09 11:40 UTC
What did you write? I didn’t read it.
I am with Thom on this. Antivirus companies are like Nigerian Scammers. They have nothing better to do with their time other than get you to give them your account#
I really don’t think they are scumbag liars. They are reputable companies with scumbag marketing.
These are the same people that alerted us to Stuxnet and Flame, giving us the first proof that cyberwar was upon us.
Hint: if they are saying something very specifically technical, it’s true. If it’s broad statistics and scare words, it’s not.
Because everything is a conspiracy! FFS
That may be so, but there is/was certainly a lot of malware in the Play Store. Hopefully it’ll all get removed at some point, but if you just install “shiny” apps (which is what kids tend to do), you used to very quickly find malware. The saving grace is that they banned those push-message apps and apps that create extra links – those were seriously bad news. But I’m not convinced still.. bear in mind that I’m a full-time Android user now, who dabbles in iPad land and will now only use my old iPhone 4 as a MiFi and for iMessage.
Since they’re all morons I wouldn’t say that’s impossible. You’d have to be pretty fscked in the head to be a malware writer to begin with.
I don’t know, I knew a couple of malware writers back in the day, late ’90s and early ’00s. These were the harmless hackers who were just interested in figuring out the vulnerabilities and seeing how far they could get. I guess they were grey hats or something. Everything they did was very limited in scope, designed specifically to not spread wildly. They always tested anything out on the corporate network first (much to the displeasure of the network admin). A lot of the skills of being a good malware writer are the same as those of a good security researcher. It’s really just how you use them.
I have gained access to systems before now, after seeing something iffy in the source of a page or similar, and normally send a demonstration of the vulnerability to the webmaster.
Having heard horror stories of what has happened to people who revealed vulns, I decided to not try.
I make sure I keep an email trail.
Well, they’re not “malware writers” then since they did not release it in the wild for fun or profit.
Edited 2013-10-10 02:12 UTC
http://xkcd.com/1161/
No kidding.
We don’t care about the percentage of insecure apps… that number can be deflated by inflating the amount of harmless garbage apps that nobody uses.
The percentage I’d care about is the percentage of active Android devices out there with malware on them.
Consider this – the percentage of devices with active malware is irrelevant.
Why? Because there has not been a single piece of evidence that installed and active malware will infect any other device. Bluetooth viruses are not common, even by antivirus company whitepapers.
I have to disagree. If a bunch of people download an app with malware and it is connected to a botnet, we have a problem.
Just because the mechanism is an app store rather than a typical infection, this does not mean there is no problem.
Actually the method of redistribution is very important. It highlights the level of security. Any malware distributing itself over a network without a centralised repository is much more harmful and much less susceptible to eradication.
Any(well… absolute majority) malware distributed via Google Play can be eradicated by one command issued by the maintainers of the store.
I was not claiming that there was no problem. There is a problem that requires attention, but it is being successfully mitigated. Thus claims that Android is infested with malware or is inherently insecure are outright lies.
That was all letters and stuff… I’m not comprehending any of it… can you dumb it down for me into a 5 simple word summary please?
As you seem to like a scientific comic, maybe you should try to, you know, actually calculate how many infections worldwide we can expect from a reported 1 ppm infection rate (false positives included)…
Edited 2013-10-09 08:48 UTC
How secure an OS is is irrelevant if the user installs something. I’m not aware of many Android malware instances that bypass, or even attempt to bypass, the security model. It’s the same for Windows and Mac malware these days: malware doesn’t need to bypass OS security, because the users let it in on their own. There’s no amount of built-in security you can do to solve this if you want to keep a platform open.
This will always be a problem. The point is to limit what the software can do, not what the user can do. How is the app permission model worse than the “administration rights” model on Windows or even Linux? Click an OK, or type in your password, and the app can do almost anything? Android already lets you disable some permissions (notifications) and I think they will roll out more in the next version. App Ops exists on 4.3, but is hidden by default.
Still, I think you’re forgetting about the traditional virus model of taking over the system, not just accessing user data. The article is mainly about that Android security model.
There are apparently some that do, according to the article. But that’s why I prefer the stat of .12% of installations being malware; that’s the number that doesn’t care about attempts to evade further detection.
So here’s a little thing about this. While the ‘security’ of the OS may be all well and good, as anyone knows, security only works if the people use their device intelligently.
With that in mind, by the definition on Wikipedia;
https://en.wikipedia.org/wiki/Malware
Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.
I would have to say that 90% of the software on Android IS malware. All those “pay me for the full version without ads!” software out there that has become the norm makes me ill.
Also, I would like to add that “This application is requesting access to your contacts…” etc is where the ‘security’ is at. So while an apk file may not be able to just secretly go in and steal all your stuff, it can ask if you think it’s okay for it to do so.
Just sayin’…
Please note, I say all of this not because I’m an Apple fan (they’re just as guilty) but because up until now, we haven’t had a really successful open platform that doesn’t have these issues. Even my beloved N9 has some software that is ad-supported, even the included AP Mobile application (which is annoying to say the least). Hopefully SailfishOS or even perhaps the fork of Fremantle on the Neo900 will help alleviate some of my pain with mobile phones. If not, I’ll probably end up going back to a dumb phone.
So, for you, 99% of websites are malware too, aren’t they? They display ads. They even know your location (through your IP).
You might want to go away from OSAlert.com. Just sayin’…
Yup!
Well, there is the F-Droid repository for Android …
https://f-droid.org/
From there at least you can get applications for Android which do not suffer from the problems you describe. I would contend there is no equivalent to this for the closed-garden iOS and Windows Phone ecosystems.
You probably aren’t aware that most mobile software is ad-supported. Android is no exception.
I think some apps take that too far. Using push notifications for advertising for example. That’s in line with the more traditional notion of adware.
This is not allowed anymore in Google Play.
Yeah, I remember the article here about it. IMO it’s helped tremendously. It’s still only a symptom of a larger problem, that being that it is way easier to get into Google’s store vs other stores, with a much more capable (and potentially harmful) API.
“This app may use your location” and “This app may take over your launcher” aren’t useful before you’ve run the app as you have nothing to make that judgment call on. If you run a seemingly harmless app and then out of the blue it requests consent for location then it’ll raise more alarms.
On the Windows Store, permissions are granted while in the app at the time the relevant API is called, which IMO lets users make a more informed decision.
So you are conceding that adware was condoned behavior for nearly five years and that a responsible proprietor should curate applications.
As usual, you are seeing antagonism where there is none.
As long as I have a switch to flip the proprietor the bird and take my business elsewhere, sure.
Completely lost on me what “antagonism” you are perceiving me as perceiving. I’m just pointing out the self-evident conclusions that result from your statement.
How about you stop pulling BS out of your a**? Google never condoned intrusive adware. Being neutral or unaware is not approval.
Condone does not necessarily or implicitly imply approval. The definition can certainly imply disregard, allowance, and acceptance.
We could split hairs over whether or not disregarding it and/or allowing it implies approval, but I’ll leave that to you, not of interest to me. I can certainly say that I chose the word condone for its potential to imply approval (through disregard or acceptance) while not necessarily requiring explicit and overt approval.
Edited 2013-10-09 17:14 UTC
The same company that tries to pass off Activations as sales? So there have been a billion activations and everyone is acting like a billion devices have been sold? Right even though the biggest Android vendor was caught in court padding their sales numbers (Samsung) and now doesn’t even give sales numbers. (Nor does Google or Amazon)
The same company that changed the way they count active Android devices, by effectively cutting out old devices from the list to make their adoption numbers look better?
Come on, yes all companies do it, that’s why you can’t believe any of them including Google.
http://www.theregister.co.uk/2013/10/08/android_ad_peril/
I guess they don’t count malware that comes pre built into apps?
Or I guess everyone is totally wrong. Not just Anti Virus companies, but research companies, CIOs of Fortune 500s who test this stuff, the US Government everyone?
You really have issues, that you have to resort to lying.
Google does not sell phones, so how would they know anything about sales?
https://plus.google.com/112599748506977857728/posts/Kkjf8oESTZs
Making the charts useful for the purpose they exist. That dashboard is for developers, not general market statistics. As a developer I could not care less about devices that never visit Google Play store.
And iirc Samsung was only caught inflating their tablet numbers, which at that point weren’t even spectacular to begin with.
I don’t think it matters if Google inflates activations or not, the undeniable reality is that there are a lot of Android devices out there.
Wait so Nexus phones and tablets are not made by Google??? So Motorola is not owned by Google???
This goes to prove my point, they hide the numbers so good you forget they even sell two different lines of phones and tablets themselves. LOL!
http://www.phonearena.com/news/Google-could-be-counting-Android-dev…
Turns out, Google is counting devices based on Google services. Most mainstream Android products do have the Android Market, Gmail and the rest of the Google suite of applications. Whenever someone activates a Google services account on a new device, Google’s activation counter goes up. Simple as that.
These are the same charts though they roll out to the media to show Android version adoption rates. If this is for developers only then put it in the developers site and don’t wheel it out to the general public.
Good job at trying to derail the thread into your own universe, but let’s stick to the context you provided yourself.
None of the Nexus devices is made by Google. Not a single one! And most are sold via channels bypassing Google.
Motorola is a minor player, whose numbers would not boost or undermine the “over a billion” statement. The reason why Motorola doesn’t disclose is embarrassment over the low sales.
That link you are providing links back to the post I linked. In all your rage you are not thinking straight.
Let alone, you are proving that an activation is in the absolute majority a sale. Google services are activated when a user logs into their Google account on the phone.
You should ask the media outlets why they pick it up, since the bi-weekly updates of those charts don’t pop-up as PR on Google’s official PR site.
Here’s the link: http://developer.android.com/about/dashboards/index.html
Does the word developer in the URL mean something to you other than a developer?
Do you have anything else you want to vent about and display your astounding lack of knowledge?
Edited 2013-10-09 15:38 UTC
Are you ok? Saying Google doesn’t make the Nexus phones is like saying Apple doesn’t make the iPhone because Foxconn puts it together. Because they commission LG at this time to make them, they know exactly how many they sell; they are Google-branded and they are mostly sold from Google’s Nexus site! No excuse not to give numbers.
But! You are right the Nexus sales are also an embarrassment which is why they don’t give the sales numbers the same as for Moto.
And Samsung is a MAJOR player but they don’t give sales numbers either, so that’s no excuse.
All I can say is Wow to this. If I GIVE my brother my Android phone and he puts his Google account on it, that’s counted as an activation! Where in there is a sale?? Come on, use your brain. And this undermines the billion number because a lot of activations are not sales.
Huh? How do you think the media picked up on it?? Google talks about those numbers all the time! Also there are TONS of things people at Google say to the press that are not on the official PR site. How about what Eric Schmidt said the other night about Android security being better than the iPhone? Is that on the official PR site?? Noooooo.
Keep up, I said put it IN the developers site, not ON the developers site. I know it’s tough sometimes to tell the difference between IN and ON, but IN as inside where developers log in and not ON where the public and, from you, the “press” can get to it. LOL!
I think you just want to hop on my post to have something to say but so far you have been loud and wrong.
Edited 2013-10-09 16:17 UTC
I am looking at my Nexus 4 and NOWHERE does it say Google. Nexus and LG figure prominently. LG designed the hardware. LG certified it. LG handles warranty. It’s made by LG.
http://www.lg.com/uk/mobile-phones/lg-E960-nexus-4-by-lg
https://support.google.com/googleplay/troubleshooter/3070579#ts=3070…
iPhone is in fact made by Apple. Apple designed the device inside-out. Apple certifies it. Apple has its name and logo on it. Apple handles warranty. There is no indication that Foxconn made it, and if it were made by Hon Hai tomorrow there would be no change to the device.
http://support.apple.com/kb/index?page=servicefaq&geo=United_Kingdo…
Thanks for displaying your astounding lack of knowledge once again.
Seriously? I thought you lot died out already. This discussion is from 2011!!! Read the sources you are linking to and stop bringing up the things that were put to rest almost 2 years ago.
Thanks for displaying your astounding lack of knowledge once again.
Not even in those semi-formal statements do they disclose those numbers. The media s***storm is not the same as official statements.
Thanks for displaying your astounding lack of knowledge once again.
There is no login into the developer site. There is no “in developer site”.
Thanks for displaying your astounding lack of knowledge once again.
You have not provided any proof for your arguments and tell me that I’m wrong.
Good try again. In the end the original fact and statement I made still holds. Google commissions LG to make the current Nexus phones for them and they are sold through Google’s site and the inventory is paid for by Google. Google knows every single Nexus phone sold. AND I am not letting you slide on the Motorola point. Google MAKES phones as the owner of Moto.
Again I am right and you are wrong on this but if you want to believe Andy missing in action Ruben as a Google fan boy you can. Fact is an activation is any time a new google account is added to an Android phone. Those are not all sales.
Again Google posts the numbers up there for the world to see, if they didn’t want them to be used they would just post them in your developers console. Simple. But they want the numbers to be seen and they tweaked them to look better. Also they used them as talking points at conferences, media events and the like.
What do you mean there is no log in? HUH? Are you that dumb? You have to log into your developer account console to publish apps etc. You can’t just come to the site and do that without logging in. LOL! That’s worse than the lack of common sense you used in saying that Google doesn’t make phones so it shouldn’t have a count, when they make phones through Moto and pay LG to make Nexus phones. LOL!
Again you just wanted to jump on my post. And again no logic! You don’t log IN to your developers account?? Really. LOL! Got a good laugh out of me on that one.
“saying Android is insecure is a lie.”
The numbers provided have nothing to do with the security of Android.
– The number is provided by Google (might be marketing).
– It only tells you what Google is able to detect.
– The number does not tell you how well Android helps users to cope with security issues (which is much more important because malware normally relies on user interaction and not direct system security breach)
– The number does not tell you anything about infected systems (one popular app that contains malware can do more harm than 1000 apps that are not popular).
Is Android insecure? We simply don’t know.
Since more and more user data is stored in cloud services and user tracking has become the norm, the security / data protection / anonymity protection of the services connected to a device becomes more important. Of course, no word from Google about that ..
Saying that X software is secure or insecure is a lie. Any absolute statement is a lie.
On the other hand, saying that Android is reasonably secure is true. Saying that Android is insecure is a lie.
Yes. On the other hand, we have a document that tells us that a lot of malware is distributed using links in SMS and anti-virus companies. In short, the only objective report had no complaints about Android’s security model.
That is not a constructive argument. Everything is based on what can be detected.
Did you read the post? It does tell that. That is the purpose of the verifier.
Edited 2013-10-09 12:05 UTC
Self-contradiction at its best!
I wish I could express that sentiment using non-paradoxical expressions.
Words to live by: don’t do anything until I hear from you. All generalizations are inherently false, including this one. Moderation in all things, including moderation. Always avoid alliteration.
Considering how most apps on Android engage in behavior we’d refer to as spyware and adware if they were desktop apps, even in their paid versions.
If tracking your GPS location and reading your contacts lists for profit aren’t malware behaviors then what is anymore?
Please, if you think they are malware, challenge them in court.
How DARE a fitness app track my location!
Ever heard of a step counter/pedometer? The modern kind have only existed for 30 years… If your phone has an accelerometer it is able to be used as a pedometer as well, without having to track your location via GPS.
So, you too are apparently willing to sell yourself out completely just to not have a second device on you the size of a lapel pin like the model Nike sells? I guess there really is a sucker born every minute.
Because, you know, there’s no legitimate reason at all to want GPS tracking of fitness data.
At all.
You would never want to know how fast you are on a given route, and compare with other people. Or record a route, and then follow that route later.
(Myself, I use a Garmin Edge for cycling data. I mainly use it because I wanted instrumentation, and it’s a pain to get a conventional cycle computer working on a recumbent trike. And, it’s more water-resistant and rugged than a smartphone, with much better battery life.)
It’s not the use of the features themselves, but how they’re used.
There’s a really low bar for entry in the Play Store, a place that’s supposed to be trusted. If you can’t trust the apps on there, and instead have to do your own research on the publisher, its purpose is defeated.
That’s a definite security issue.
The evidence suggests otherwise.
The data suggests no such thing. It shows that of the malware Google eventually flagged, they had an effective block rate. That says nothing about the malware they didn’t flag, or even how soon after an outbreak it was flagged.
The problem is that this happens in the first place. More stringent screening is required in the Play Store. I don’t think that’s a position even you disagree with, given that you’ve publicized and reacted positively to Google’s policy changes to combat annoyanceware.
You can trust them as much as you can trust Bonzi Buddy, Gator or Alexa.
They won’t steal your credit card number, but what they’re doing is no different than any other spyware program.
The last thing any of us needs is to be tracked any more than we already are; it’s bad enough the NSA is collecting data on us, that doesn’t make it right for every company on earth to do the same.
Stopwatch function on all phones and digital watches since forever and a day.
Memory, since before the first critters crawled out of the ocean…
Most apps don’t read contact lists on Android, please keep that BS to yourself.
GPS location(precise location) is also a rare permission to have.
Approximate location is much more common, but still far from the norm.
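The two posts above (the “This application is requesting access to your contacts…” point and the dispute over how common contacts and location permissions actually are) can be settled per device or per app set rather than by assertion: the permissions an APK asks for are declared in its manifest and can be dumped with the SDK’s `aapt dump permissions` tool. The following is an added example, not code from the article, from Google, or from any commenter. It parses that tool’s output (both the older `uses-permission:'…'` and the newer `uses-permission: name='…'` line styles) and reports which apps request contacts or location access. The package names and permission lists in `SAMPLE` are constructed for illustration and are not real apps or real measurements.

```python
import re
from collections import Counter

# Both line styles that `aapt dump permissions` has produced over the years:
#   uses-permission:'android.permission.INTERNET'          (older aapt)
#   uses-permission: name='android.permission.INTERNET'    (newer aapt)
_PERM_RE = re.compile(r"^uses-permission:(?:\s*name=)?'([^']+)'")
_PKG_RE = re.compile(r"^package:\s*(\S+)")

# The permissions the thread argues about. Android's own names; the labels
# are just for readable reporting.
WATCHED = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
}

# Constructed sample: the concatenated output of running
# `aapt dump permissions` over three hypothetical APKs. Not real apps.
SAMPLE = """\
package: com.example.fitness
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
package: com.example.flashlight
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.ACCESS_COARSE_LOCATION'
uses-permission:'android.permission.READ_CONTACTS'
package: com.example.notes
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""


def parse_aapt_dumps(text):
    """Turn concatenated `aapt dump permissions` output into {package: set(permissions)}.

    A `package:` line starts a new app; every following uses-permission line
    belongs to it until the next `package:` line. Lines that match neither
    pattern (blank lines, aapt warnings) are ignored.
    """
    apps = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _PKG_RE.match(line)
        if m:
            current = m.group(1)
            apps.setdefault(current, set())
            continue
        m = _PERM_RE.match(line)
        if m and current is not None:
            apps[current].add(m.group(1))
    return apps


def flag_sensitive(apps):
    """Map each app that requests a watched permission to the sorted labels it asks for."""
    flagged = {}
    for pkg, perms in apps.items():
        hits = sorted(WATCHED[p] for p in perms if p in WATCHED)
        if hits:
            flagged[pkg] = hits
    return flagged


def prevalence(apps):
    """Count how many apps request each watched permission; returns (Counter, total apps)."""
    counts = Counter()
    for perms in apps.values():
        for perm, label in WATCHED.items():
            if perm in perms:
                counts[label] += 1
    return counts, len(apps)


if __name__ == "__main__":
    apps = parse_aapt_dumps(SAMPLE)
    for pkg, labels in sorted(flag_sensitive(apps).items()):
        print(f"{pkg}: requests {', '.join(labels)}")
    counts, total = prevalence(apps)
    for label, n in counts.most_common():
        print(f"{label}: {n}/{total} apps")
```

To run it against real data, dump every APK you care about (for example `for f in *.apk; do aapt dump permissions "$f"; done > perms.txt`, or pull installed APKs with `adb pull`) and pass the file contents to `parse_aapt_dumps`. Note that a declared permission only shows what the app may do; whether it actually exercises it, and when, is a runtime question the manifest cannot answer.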
Oh really?
https://www.xda-developers.com/android/android-permissions-permissiv…
http://lifehacker.com/5991099/why-does-this-android-app-need-so-man…
http://blog.jammer-store.com/2012/12/may-i-have-that-permission-or-…
http://www.instantfundas.com/2013/03/how-to-check-installed-android…
http://techpp.com/2010/07/30/android-apps-permissions-secure-privat…
http://phandroid.com/2011/04/07/every-wondered-why-pandora-needed-a…
Tracking me for advertising purposes is malware behavior and it’s happening more often than you think; just because it doesn’t render the phone useless like Windows malware eventually does doesn’t mean it’s not malware.
Believing otherwise is like giving money to Bernie Madoff and expecting a return on investment.
We have got to a point where most operating systems that are regularly in use are fairly well protected, and most forms of infection are usually the user installing something malicious.
With 900 000 000 registered Android phones, this still has the potential to affect 90 000 users, not a small number.