Forgot your password?
typodupeerror
Android Security Stats

F-Secure: Android Accounted For 97% of All Mobile Malware In 2013 193

Posted by Soulskill
from the going-for-the-high-score dept.
An anonymous reader writes "Back in 2012, Android accounted for 79 percent of all mobile malware. Last year, that number ballooned even further to 97 percent. Both those data points come from security firm F-Secure, which today released its 40-page Threat Report for the second half of 2013. More specifically, Android malware rose from 238 threats in 2012 to 804 new families and variants in 2013. Apart from Symbian, F-Secure found no new threats for other mobile platforms last year."
This discussion has been archived. No new comments can be posted.

F-Secure: Android Accounted For 97% of All Mobile Malware In 2013

Comments Filter:
  • by smash (1351) on Tuesday March 04, 2014 @08:56PM (#46403751) Homepage Journal

    Linux is secure, right? Isn't Android Linux?

    This is what you get running unsigned code from anywhere people! The last 30+ years of malware on Amiga, DOS, Windows, Unix, Linux, etc. should be a lesson. Trust code to execute by default and this is what you get. Rely entirely on the end user to determine whether or not code is legitimate, and this is what you get.

    The average Joe is not capable of making that decision. Sure, it sucks, but them's the breaks.

    • Security is the minimum of "how secure the system can be" and "how secure the user can be". Not the average of them. The minimum. The most secure system is worthless if a user allows any kind of code to run. Likewise is the best security professional without a chance when facing an inherently insecure system.

      The only way to avoid this is to go the Apple way: Simply taking the choice out of the user's hand. You may only run what we deem ok.

      There is no "right" or "wrong" in this. If you want to have control

      • by symbolset (646467) * on Tuesday March 04, 2014 @11:32PM (#46404793) Journal
        If you can make a computer so simple even an idiot can use it, only an idiot will want to. I like Android's balance with Google play here. Stick with Google Play and you are good to go. Want to adventure? Enable side loading and have at it. Your choice. The complainers appear to be the sort who disable the safety features and then harm themselves, and blame Google for their own screwup.
        • If you can make a computer so simple even an idiot can use it, only an idiot will want to.

          How do you know that? I use many things that even an idiot can use, and still find them useful even when I'm not a complete idiot myself.*

          *) Some people may disagree.

        • by mlts (1038732)

          Nail, head hit. There are two choices:

          1: Buy a device that disallows access to the user for anything except inputting a credit card number and buying apps through only specific channels. Access to the hardware will never happen. Take iOS: A user can't footshoot themselves, but neither can they use their device other than the way Tim or the late Steve wants them to. Want to run a Wi-Fi signal scanner or some specialty software... heck, even a Bitcoin wallet? You can play the jailbreak game, but with A

          • by tlhIngan (30335)

            2: Buy a device that can allow one to click some "accept" buttons and allow themselves to shoot themselves in the foot. Yes, malware can be an issue with this since full control of the device can be obtained by the user.

            We had this same war in the early 1990s when TV set top boxes were poised to bring us an Internet analog, but open computers won out. Do we want to lose this victory and go back to only allowing corporate board members having the ability to dictate what we can and cannot do with -our- device

            • by mlts (1038732)

              The dancing rabbits problem will be a constant plague, unfortunately. It is a choice of lesser evils... allow users to have full access to their device and even with all the warnings, give them the ability to auto-footshoot, or take everything away and have everything happening on a device be at the whim of whatever corporate marketing drones are in charge.

              This is the same problem with desktop machines. Do we want full control of our machines, or do we want to cede all authority to a third party who promi

        • by DarthVain (724186)

          Having just turned off security briefly to install flash for a specific application I can tell you that in order to do it, you have to go into security and select the ability to do so. When you do it pops up a message that basically says "By doing this if you totally screw up your device you know it is totally your fault right, and don't come to us all whiny about it. You sure you want to proceed?"

          If you aren't comfortable with that, click no.

          That said, it isn't something that I would get into a habit of do

    • by msauve (701917)
      It's just a matter of how big the target is. Right now, Android is the largest mobile platform, so that's where the malware is directed. It's a crime of opportunity, no different than Windows on the desktop.

      It's not proof that Apple's iOS or MacOS or Windows mobile are intrinsically more secure, but that they're smaller targets. How much malware is there directed to FreeBSD or OpenBSD or vxWorks in comparison? Emphasis on comparison - sure, there's malware directed at anything which might be Internet facin
    • It comes down to: would you rather have Security, or Freedom?
      • by exomondo (1725132)

        It comes down to: would you rather have Security, or Freedom?

        They aren't absolutes. You never have 100% security or 100% freedom and most people would rather a device that can only access a particular app store (Apple's or Google's) as the tradeoff is a much lower security risk (see TFA which states that only 0.1% of the malware is in Google Play). It isn't a case of "you use an iPhone and they took away your freedom!", that's just rubbish fear-mongering, nothing was taken away at all, you have just chosen a device that has certain particular limitations. For some re

    • Have you never asked yourself why Android is getting all of these attacks, but you rarely (if ever) hear anything about Debian/Ubuntu/Red Hat/Arch/Slackware/whatever distro suffering the same fate? Are they not Linux OS's, too? In fact, I think it's Dalvik that's getting exploited rather than the kernel itself; I could be wrong but that's pretty much the biggest difference I see between the vanilla-variety distro and Android. I will admit that your point about running strange code from untrusted sources is

      • by smash (1351)

        No, it's the user who is getting exploited. And that's the point: the average end user (and in the case of more advanced malware, the average technical user, or in fact anyone who hasn't been able to audit the application source code) is vulnerable to this sort of malware.

        Using an app store plus code-signing enables a trusted third party to audit the code, and sign it as approved to run on the device. In the case of appliances like phones, tablets, etc., expecting your typical non-technical user to au

  • think of why it exists: it gets google your eyeballs and your time. with that, they are wildly successful.

    beyond that, they could give a flying fuck. seriously. they don't exist for user experience, safety, privacy (ha!) or quality. as long as its 'good enough' to keep eyeballs glued there, that's all they care about.

    I can't wait for a true '3rd option' (not apple and not android) to come on the market. I don't enjoy or trust either of the two existing choices.

    • by rsborg (111459)

      I can't wait for a true '3rd option' (not apple and not android) to come on the market. I don't enjoy or trust either of the two existing choices.

      What, WindowsPhone isn't good enough to qualify as that "3rd option"? Seriously, you can still get a blackberry, WinPhone or just a plain ol dumb phone that tethers really well (my TMO plan has free tethering) and run an iPod touch or equivalent.

      • by Vermifax (3687)

        What dumb phone provides tethering?

        • Who pays for the "privilege" of doing something the device is already entirely capable of doing? I sure as hell don't.

        • by Dahan (130247)

          What dumb phone provides tethering?

          I haven't been paying attention to the current crop of dumb phones, but back when I was using them, it was pretty much a standard feature. E.g., Nokia 8290 [wikipedia.org] had a v.32 modem and an IR port, and IR was pretty common on laptops of the day. Point the two at each other, and you can start a PPP connection to your dialup ISP. Then when GPRS data became popular, I had a Siemens M46 [phonescoop.com], which didn't have an IR port, but if you got the data cable, you could plug it into a serial port and tether by setting up a PPP conne

    • by smash (1351)

      There's.... Windows :D

      Ironically, I would wager Windows mobile is probably the most secure of the mobile platforms at the moment.

  • saw that coming (Score:1, Interesting)

    by invictusvoyd (3546069)
    Not surprised . When will I be able to run a full distro on one of them phones?
  • by BoRegardless (721219) on Tuesday March 04, 2014 @09:08PM (#46403871)

    It sounds nice in the hacker world, but in the hands of the 'average Joe', an "Open Handset" is an invitation to have your bank account stolen.

  • But seriously, malware tends to target the top player in the market (by numbers). Nothing really to see here.

    • by smash (1351) on Tuesday March 04, 2014 @09:16PM (#46403945) Homepage Journal
      Then explain the lack of similar quantities of malware for iOS between 2007 and 2012?
      • by roc97007 (608802) on Tuesday March 04, 2014 @09:20PM (#46403979) Journal

        Obviously, the malware is so well written that nobody has found it yet.

        • Just like the very best counterfeit money.

          The Craftsman/Craftstress behind either shenanigan will not be needing to work, then, unless they get nicked.

      • Then explain the lack of similar quantities of malware for iOS between 2007 and 2012?

        It's for the same reason that the murder rate inside Disney World is very low.

      • by steveha (103154) on Tuesday March 04, 2014 @10:23PM (#46404397) Homepage

        explain the lack of similar quantities of malware for iOS between 2007 and 2012?

        Because of Apple's "walled garden". The only way to get apps for iOS is from Apple's store, and Apple tries to keep the malware out.

        Apple always charges $100 to put an app in the store, so malware has to make at least $100 before it is discovered or the person who put the malware on the store loses money.

        The "walled garden" does have advantages.

        Personally, I like having a device where I can install anything I want... but I pretty much just get stuff from the Google Play store. If I need an SSH app, and I see one with over 30,000 votes rating it 4 or 5 stars, I'm pretty sure it won't be malware when I download it.

        And according to TFA, almost all of the malware was side-loaded. Almost none of the malware came from the Google Play store. Thus, Android gives me the advantage of the walled garden, while still being more free than iOS.

        P.S. The reason I went with Android rather than iOS was Apple's policy of no interpreters and no emulators. I wanted Python and games emulators. Apple has since then unbent a bit, but Android has always allowed you to install whatever sorts of apps you prefer.

        Thus I am able to install interpreters and emulators, without rooting my phone, and getting them from the Google Play store. Why wouldn't I want this?

        • Is it $100 each time, or is that $100 for the development kit?

          • by smash (1351)
            It's $100 for a number of support incidents and a developer certificate which enables you to use the free development tools to upload your code to a real device.
      • "You run OS X?"

        Yeah, your brother's sister's hairdresser had all this malware -- and of course all those security firms who present dire warnings every week in order to drum up business.

        Did "You" actually have malware that effectively exploited your machine? Or are you just here to add balance because you've "heard" rumors? What was the name of this malware -- what did it do? How did it exploit the system?

        There are problems and benefits of all kinds of systems -- but what we don't need is people throwing ar

  • By default most Android phones (which today means made by Samsung) will not install anything from outside the Google Play store, and in the case of only Samsung phones outside the Google Play store and the Samsung store. Most users do not adjust this setting, so virtually nobody is susceptible to this malware. F-Secure is making mountains out of molehills.

    If you don't use a Samsung Android phone, I commend your spirit of adventure. It's not worth the hassle for me. There's where you start becoming susceptib

  • by Johnny Loves Linux (1147635) on Tuesday March 04, 2014 @09:26PM (#46404027)
    Don't install apps from back alleyways:

    At the very bottom of the list was Google Play itself, with the lowest percentage of malware in the gathered samples: 0.1 percent. F-Secure also noted that “the Play Store is most likely to promptly remove nefarious applications, so malware encountered there tends to have a short shelf life.” While that’s great news for most Android users, it

    Why would anybody shop for apps on their android phone/tablet like a crack addict looking for their next hit is beyond me. Are people really that naive?

    • by joeflies (529536)

      That may be true in the US, but i've heard from friends overseas that other markets prefer their own stores, like a Chinese phone will have a custom rom and local app store, of which the legitimacy of the apps may come into question.

  • by Kelson (129150) on Tuesday March 04, 2014 @09:43PM (#46404149) Homepage Journal

    "...but only 0.1% of those were on Google Play"

    So that vast majority is practically all third-party installations (something which isn't even an option on iOS).

  • google play .. (Score:1, Interesting)

    by invictusvoyd (3546069)
    why does an app ( from google play) which just produces fart sounds ( just like 80% of the other apps) want permissions to access my browser bookmarks , call information, data store and what not .

    That is beyond my understanding
    • So they can serve you ads.
    • why does an app ( from google play) which just produces fart sounds ( just like 80% of the other apps) want permissions to access my browser bookmarks , call information, data store and what not .

      Yes, it seems like every single app now needs full control of our lives. I'm not happy about granting such sweeping powers where they are clearly unnecessary.

      Except the apps from f-droid, for some dumb reason open source apps tend not to overreach on permissions and snooping.

      Oh, but I guess now we can assume those are 33% malware since it's not the play store.

  • It's possible to download Android apk's at developers sites as well as other places,
    be nice to scan them for malware before transferring/installing them to the Android.

    An example is AdAway which I assume is safe from malware, you can't download this from play.google.com
    https://f-droid.org/repository... [f-droid.org]

    I've Googled this query and have gotten no results, figure I'd hit on a geek :}

  • As others have said, the walled gardens are *EXTREMELY* safe. iOS App Store and Google Play are both *VERY* safe.

    Jailbroken iPhones are targets, but most people concerned with open platforms are on Android - and sadly Google has gotten people used to "going off-reservation" for some apps. (Is Kindle Market available to install direct from Google Play yet? Or do you still need to root and side-load?)

    Symbian is effectively dead (the former leader of malware,) and Palm is all but buried at this point. Not su

  • http://www.f-secure.com/static... [f-secure.com]

    The content of interest here starts on page 22.

    It'd be nice if TFA actually included a link. Or even cited the fucking source of the graphics they lifted.

  • what other Mobile OS? apart from iOS which has a much strickter policy on what goes into their store and is mostly paid.. Also how much malware is actually from software from the play-store and how much by sideloading (which isn't even possible on iOS without jailbreaking)
  • Android gives people freedom of choice and some people exercise that freedom by doing really dumb things. Dumb things like downloading warez and then clicking through all the permissions. Or installing "sexy girl screensaver" which wants permission to send SMS messages. In addition there are various forks and branches of Android which point to different app stores where the quality of application vetting ranges from minimal to non existent.

    That isn't to say there are some very obvious things that Android

"Hello again, Peabody here..." -- Mister Peabody

Working...