


Report: 99 Percent of New Mobile Threats Target Android
MojoKid writes: "Google's open source Android platform has the distinction of being the most popular mobile operating system in the world. That's great in terms of dominating the market and reaping the rewards that come with it, but it's also for that very reason that Android finds itself the target of virtually every new mobile malware threat that emerges. According to data published in F-Secure's latest Mobile Threat Report (PDF), over 99 percent of the new mobile threats it discovered in the first quarter of 2014 targeted Android users. To be fair, we're not talking about hundreds of thousands, tens of thousands, or thousands of malware threats — F-Secure detected 277 new threat families, of which 275 honed in on Android."
Market Share (Score:5, Funny)
When Apple gets the market share that Android has, you'll see that Apple gets as many attacks as Android does.
Re:Market Share (Score:5, Insightful)
Of course Apple used to be the market share leader. But Android also had most malware back then too.
It has nothing to do with market share. It's about security. The difference is a single curated market for Apple, vs multiple markets and no curation for Android.
Re:Market Share (Score:2)
[Citation needed]
Re:Market Share (Score:2)
For what?
Re:Market Share (Score:2)
For what?
For "Android also had most malware back then too"
Re:Market Share (Score:2)
[Citation needed]
Oh, I don't know. Just pick any random slashdot thread where a security vulnerability in an Apple product is mentioned. Those comments seem to rely pretty heavily on "it's about security, not marketshare" when the tables are reversed.
If it's good for the goose, it's good for the gander.
Re:Market Share (Score:2)
no curation for Android
Untrue. By default you have Play, Google's curated app store. You can install other app stores or side load, but the default is just Play.
With great power comes great responsibility and all that. Besides which Apple's App Store isn't devoid of malware either, it's just a different kind of malware. My girlfriend is Chinese and there are a lot of Chinese apps, presumably not even visible in the western version of the store, that look extremely iffy. They ask you for random personal details, direct you to nasty looking web sites, and have masses of rip-off in-app purchases and pay-to-win scenarios.
Re:Market Share (Score:5, Insightful)
no curation for Android
Untrue. By default you have Play, Google's curated app store. You can install other app stores or side load, but the default is just Play.
With great power comes great responsibility and all that. Besides which Apple's App Store isn't devoid of malware either, it's just a different kind of malware. My girlfriend is Chinese and there are a lot of Chinese apps, presumably not even visible in the western version of the store, that look extremely iffy. They ask you for random personal details, direct you to nasty looking web sites, and have masses of rip-off in-app purchases and pay-to-win scenarios.
You realise if an Apple user tried to spin that line in a story where 99% of malware was targeted at iOS they would be down modded into the ground, right?
"Here's tangible, documented proof of 99% of malware being on Android, but hey, some Chinese apps on iOS 'look a bit suspicious' so Apple is bad too!"
Laughable. Truly laughable.
Re:Market Share (Score:2)
and have masses of rip-off in-app purchases and pay-to-win scenarios.
You don't have to be in the "shady" part of the app store for those. That's industry standard now.
Re:Market Share (Score:2)
No man. The Google Play Store is checked for malware and things like that. The issue is a lot of people install apps they got from somewhere else. But you know what? More power to them. At least they can pick other places to shop instead of Apple's one sure way or go to the highway.
Re:Market Share (Score:3)
The Google Play Store is checked for malware and things like that.
Auto-running a virus checker on uploaded apps does not a curated app store make. Curation is a human activity.
And Google Play is not free from malware. I've just been going through old Slashdot stories about mobile malware and most of the reports have been on Google Play (or The Android Market as it was previously known). This notion that it's only the other stores that are a problem is false.
But you know what? More power to them. At least they can pick other places to shop instead of Apple's one sure way or go to the highway.
The freedom to have malware. One of the lesser known freedoms.
Re:Market Share (Score:4, Insightful)
Apple was never the market share leader. [androidheadlines.com] The press just fawns over them like they were/are.
Re:Market Share (Score:5, Informative)
I keep seeing this line trotted out, but it only serves to distract from the real issue.
What I've seen time and again from these reports over the last year is that it isn't about Android vs. iOS: it's about app stores. The Google Play store, for instance, has been the source of very few malware incidents (i.e. something like 2-3% of the total). Most of the malware hitting Android is coming from third-party stores that are of questionable trustworthiness. As always, users should be advised to only install software from sources they trust. If iOS allowed users to install from third-party stores without jailbreaking, we'd be seeing the same problems on iOS, regardless of their current marketshare or lack thereof (besides which, marketshare is a measure that shouldn't be used in isolation when assessing the worth of a platform's users to developers, including malware developers).
So, please, stop painting this as an iOS vs. Android thing. Regardless of platform, the users being affected by this stuff, in general, are those grabbing apps from untrustworthy sources. Focus your attention there.
Re:Market Share (Score:2)
Indeed, putting all problems into the "malware" category just confuses the issues.
Viruses are the real problem, because even the most secure OS in the world cannot protect its users against trojans. "Enter my password to see the dancing kitty? Of course I will!"
Re:Market Share (Score:4, Interesting)
The problem is, Google Play isn't available in a lot of places where Android is. Say China, for example.
China's especially touching because the Chinese app stores are complete rubbish - full of pirated apps and Trojans and other crap.
But even in North America or Europe, sticking with Google Play is limiting, because there are tons of legit app stores as well. Say, Humble Bundle or Amazon. But the problem is the checkbox is all or nothing - either you only use Google Play, or you allow everything.
The problem with "let the user decide" is it ignores the ultimate reality of security - Dancing Pigs [wikipedia.org]. Basically a user cannot be trusted with their own security - they will always choose the least secure path if it gets them what they want. So if their friend shows them a new app they have to install manually, well, they'll do it.
Hell, even on iOS jailbroken users get broken into constantly. Because they install OpenSSH, usually because some HOWTO said to install it. There have been many iOS worms and Trojans that exploit the fact that if you can SSH into an iOS device, it's jailbroken so you can do many more things.
Re:Market Share (Score:2)
True, but you still need to set your phone to allow installation of apps from untrusted sources to install Android apps purchased as part of bundles, don't you? (Because the Humble Bundle app installs them, not the Play store).
This is an issue of transitivity of trust: Let's imagine that I trust Google Play to only include safe apps, so I install the Humble Bundle app from Google Play. However, in order to install any apps from the Humble Bundle store I have to allow the installation of all other apps. Installing the Humble Bundle app from Google Play doesn't transfer trust to the Humble Bundle app so it can't install apps. Similarly, even if the Amazon store appeared on the Google Play store, it wouldn't be able to install apps without me allowing installation from all unknown app sources.
Generally, I still have the ability to choose what does and doesn't get installed (assuming I don't activate ADB, in which case all bets are off, but I would have to actively choose to do that) so it isn't like I'm allowing any app to install whatever it wants. However, by adding an Android permission to allow an app to install other apps there could be some degree of trust transfer.
Of course, the outcome would probably be that huge numbers of apps would request the permission to install other apps and then have a field day because most people don't read the permissions anyway when they are installing, and this is compounded by the stupid Android security model that doesn't allow any permissions refinement (e.g. no "optional permissions", no "ask on first use", only "accept all the permissions or don't install"). BB has managed to have permission overrides for ages without the world collapsing, and iOS is polite enough to ask when apps want to do certain things (e.g. GPS access).
Re:Market Share (Score:2)
By that argument all computing devices should be locked down and not allowed to be general purpose. The internet should be heavily filtered and turned into a walled garden. Some people might like that, but a lot would reject it.
The thing about Chinese app stores is that they have got a lot better in the last couple of years. The reason why is rather obvious. The service provider usually provides the app store, and it is in their interest not to allow apps that rack up massive phone bills by texting premium rate numbers because often the user can't or won't pay. Legally they make themselves liable by providing the app responsible.
Places like China are going through the same phase the west went through in the late 90s/early 2000s. It's all new, people need time to get used to it, and until then they fall for all the old scams. Companies too need time to get their act together in preventing fraud. Eventually they will reach the level the west is at, where most people know not to install random crap or fall for Nigerian princess offering them a share of their millions.
Re:Market Share (Score:2)
He didn't say anything about "should." He talked about "does." You're dragging him into a theoretical argument on the ethics of a curated platform he didn't start, largely because you can't win the technical argument about reality.
Here's reality: since all malware is software, any computing platform that's designed to run as much software as possible will include more malware than a more restricted platform. That is the reality of the situation. Whether the trade-off is worth it probably depends on a lot of factors -- how much software is available on the restricted platform, how bad the malware is, how much more software is on the non-restricted platform, whether the very idea of letting some asshole in Cupertino curate your computing experience creepifies you, etc. The more control you have over your devices the more ability you have to fuck them up, and that's just reality.
I have no doubt these particular Malware problems will shrink as people get educated on these issues. But that doesn't mean that all Android Malware magically goes away, it just means that Android Malware morphs to something new and different.
When you're the big target somebody is gonna succeed in developing malware for your platform. Since Droid don't have an asshole who can just pull a bad app from the store, and then implement a mandatory update to the OS so that said bad app never runs again, Droids always gonna have objectively more hacking/malware/etc. than iOS. That's just the tradeoff google chose when they decided they'd go for the mass market, and make it easy for geeks to do whatever they wanted with their phones.
By Your Command (Score:2)
By that argument all computing devices should be locked down and not allowed to be general purpose.
So what you are saying is that NO platforms should exist that are locked down, so that non-technical users can be fucked every day all so that you can more easily install animated wallpaper.
Why is it NOT OK to have a real choice, where people can choose a more open Android or a platform that ships with defaults that are vastly better for 98% of people that will own mobile devices?
Re:By Your Command (Score:2)
Why is it NOT OK to have a real choice, where people can choose a more open Android or a platform that ships with defaults that are vastly better for 98% of people that will own mobile devices?
That's a false dichotomy. Android is a platform that ships with defaults that are better for 98% of people that will own mobile devices. By default it only allows installation from the Google Play store.
That said, I have absolutely nothing against people having a choice between iOS and Android (and whatever else). I'd be very, very concerned if the walled garden were the only option, but it's not.
Re:Market Share (Score:2)
"But the problem is the checkbox is all or nothing - either you only use Google Play, or you allow everything."
Not true; you can use the check box, install your third party application and then remove the check, limiting installs to play store only again.
Re:Market Share (Score:3)
You're right. The way I should have phrased that is that it isn't about the security of the OSes themselves or their relative market shares, it's about the security of the stores from which the OSes procure their apps.
That said, I'd be careful in how you refer to them. This isn't an OS issue, per se, so much as this is a platform or ecosystem issue. We're not talking about inherent weaknesses in the OSes themselves; we're talking about weaknesses in other parts of the ecosystem that can affect the OS.
Re:Market Share (Score:2)
So, the iOS solution is to not _let_ users install apps from untrustworthy sources.
Android doesn't have a solution... so... there's that.
How is that not an iOS vs Android issue?
Because it's an App store problem. Google Play store and Amazon probably do a pretty good job on security but dozens of others do not. Both OS'es are more or less equally vulnerable and if Apple allowed every Tom, Dick and Harry to sell iOS apps with zero effort to assure that they are selling malware free software Apple would have the exact same malware problem that Google does with Android. Whatever else iTunes may be, as far as malware is concerned, iTunes seems to be a quite trustworthy source. To distill his comment into a single sentence for the catchphrase loving 2/3s of the /. reading public: "When it comes to making life hard for malware authors, walled gardens have their advantages." I'm sure that like yourself very few people here agree with that statement so if you'll excuse me, I'm going to pop into the locker room now to don my fire resistant suit.
Re:Market Share (Score:2)
When Apple gets the market share that Android has, you'll see that Apple gets as many attacks as Android does.
When Apple had more market share, the malware rate for Android was still way higher. Just that back then Symbian, Windows Mobile and J2ME beat Android by a wide margin. http://www.themobilewebtrends.com/2013/03/why-android-is-most-unsecure-mobile.html [themobilewebtrends.com]
Re:They are not much different (Score:5, Informative)
Try 78% and 15%, in favor of Android.
http://www.engadget.com/2014/0... [engadget.com]
Re:They are not much different (Score:2)
He's probably one of those Apple fanboys who only compares iOS marketshare in the US in the quarter a new iPhone model comes out.
Re:They are not much different (Score:2)
Re:Market Share (Score:2)
Attacks for Android exist because Android doesn't have as high of walls on its garden.
That said, a US-based malware writer does set the "USA Only" flag when he publishes. He's content to allow it to run in China and India.
Re:Market Share (Score:2)
But since it's roughly 50/50 in the USA why aren't the attacks in the USA also not 50/50?
Maybe they are. I can't say I have seen any such statistics and I certainly can't understand why malware writers in general would target only a specific geographic area or even how they would limit it to that area.
Re:Market Share (Score:2)
I can imagine that credit card details of someone living in the USA is more useful than say someone living in Mexico (which I actually do).
Of course but I doubt they would go to the effort of limiting malware to the USA to exclude Mexico just because those card numbers may not be as valuable. Do you have evidence of them doing this?
Re:Market Share (Score:2)
Nope, hence why I imagine.
That's why I thought the assertion in this question: But since it's roughly 50/50 in the USA why aren't the attacks in the USA also not 50/50? [slashdot.org] was pretty disingenuous.
But the question remains, if install base in the USA is roughly 50/50, why are 99% of the mobile threats Android only.
Well the way I see it there are a number of contributing factors, Android has a much higher marketshare globally (restricting it to the US is silly because malware writers don't restrict their software geographically) so it is a larger target and it also allows installation of applications outside of Google Play. Apple disallows that and seems to do a pretty good job of curating their app store, getting malware past an app store curator is a hurdle that doesn't exist on Android hence iOS has less malware targeted at it. So it's simple: path of least effort combined with largest userbase.
Re:Market Share (Score:4, Informative)
In the smartphone market, the US still comprises a decently large slice of the pie
The US numbers show iOS at 42%, and Android at 51%. The worldwide numbers show iOS at 15.5%, and Android at 78.9%. So, there's your difference. Links stolen from above:
http://www.comscoredatamine.co... [comscoredatamine.com]
http://www.engadget.com/2014/0... [engadget.com]
Those worldwide numbers are from 2013 though, so I expect that iOS would have continued to shrink over the past 4 months, there's no reason it would have gone up.
particularly at the high end of the market where the more valuable users tend to reside.
News flash: there are more high-end smartphones [laptopmag.com] that run Android than there are that run iOS. Welcome to 2012.
Saying that more malware targets Android than does iOS is the same as saying more targets Windows than MacOS. It's a market share issue, again.
Re:Market Share (Score:2)
Oh, market share is certainly a factor, but as I already detailed in another reply [slashdot.org], I hardly think it's the factor that matters most.
Also, I never suggested iOS outnumbered Android, whether at the high-end or not, nor would I, since I agree with you that that simply isn't the case. Setting aside your straw man, what you'll see is that I suggested that the US' population tends to reside disproportionately at the high-end of the market, relative to the world's smartphone market.
Going back to market share, I wasn't trying to make a point, other than that his statistic was irrelevant. I don't particularly care which platform is "winning", so long as we have some competition going on.
Re:Market Share (Score:2)
Most of the cellphone market is smartphones now. Sorry bud.
Re:Market Share (Score:2)
Over a year ago, there were more smartphone subscribers in China than the entire population of the US [cnn.com]. And that represents just a 22% market penetration in China. Between China, India, and SE Asia there are over 3.3 BILLION people - and they are rapidly moving into smartphones.
The future of smartphones is NOT the US, and the US is not even a decently large slice of the pie even in the high end (most mobile phones in China sell for over 3000 RMB - $500). It resides in Asia. Come on over to Shanghai and you'll see what smartphone penetration can be.
Re:Market Share (Score:2)
"Who cares what phone some illiterate sweatshop worker has?"
People who make malware and want it to spread as far as possible.
Re:Market Share (Score:2)
"Who cares what phone some illiterate sweatshop worker has?"
People who make malware and want it to spread as far as possible.
Favor market share over profits? Sounds like malware writers are like Amazon.
Re:Market Share (Score:2)
Kindle is not a good Android representation. I have 3 different Android tablets..they all 'just work'. Never saw any need to pay more cause I got what I need. I did get super frustrated trying to add some free apps to wife's iphone without giving them a credit card number. Had to run through all kinds of hoops. That was a huge turnoff for me, but the phone works fine for the wife...she's happy, I'm happy.
Re:Market Share (Score:2)
http://tabtimes.com/resources/... [tabtimes.com] begs to differ
You're bad at reading statistics. Your sources show that in Q1 2013, iOS had a market share of 48.2%. Then in Q3 2013, six months later, the market share was 29.6%. That still sounds like lots more Android. Look at that table on the Wikipedia article also. In Q2-Q3 2013, according to units sold or units shipped, iOS was between 14.2% and 18.2%, and Android was between 74.4% and 79%.
Re:Market Share (Score:2)
Market share and actual use are 2 different figures.
Yes, I know that. Which of those are we discussing in this thread? Hint: check the thread title.
Re:Market Share (Score:2, Funny)
In related news: the market share of christmas trees has plummeted significantly. Oh, and if you don't get that, you don't get marketshare (Hint: AUGUST 2013).
Are you suggesting that the market share of units sold changes for some reason 4 months before Christmas versus the rest of the year? Wouldn't the two OSs be sold in the same percentages both before and after Christmas? The price points aren't so different that something like that would happen.
Also, what is "the market share of Christmas trees"? Which market are you referring to there? In the Christmas tree market, the market share of Christmas trees stays roughly at 100% the entire year. Christmas trees don't have a lot of competition in the Christmas tree market. That's not a very good analogy.
It's beyond me why any new OS isn't virus immune. (Score:2)
During a special system boot: You can only install drivers and bootable items.
During a security boot: You can only install software to its own directory, and it can't interact with other software or system files.
There, you can't get a virus. It's up to the OS designer to decide how to share things securely. There are lots of options which can be secure to do that, and isn't worth talking about securing the very system.
It is beyond me why we have modern OSes which aren't 100% virus secure during a security boot... Especially when we're talking about Apps, something people assume should be running in a sandbox mode.
Re:It's beyond me why any new OS isn't virus immun (Score:2)
It isn't incredibly hard to make an OS that...
If it was easy, we wouldn't have so many viruses.
Re:It's beyond me why any new OS isn't virus immun (Score:2)
The issue is further confused by the mobile ecosystem itself. In a lot of cases, whether an app is "trojan malware" or "legitimately ad-supported product" has become a question of destination rather than behavior: the former will send your phone number, email addresses and/or contact list to some strange server in the far east, the latter will send them to AdMob et al... both major platforms have the same philosophy, it's not an Android/iOS fanboy issue.
Re:It's beyond me why any new OS isn't virus immun (Score:2)
There, you can't get a virus
Unless it finds a way to disguise itself as a driver or bootable item and interact with other files (which is what malware does).
Re:It's beyond me why any new OS isn't virus immun (Score:2)
Everyone always forgets that virus can travel in fonts too.
Re:It's beyond me why any new OS isn't virus immun (Score:2)
Even if it's not a virus it can be malware anyway.
Comic Sans, anyone?
Re:It's beyond me why any new OS isn't virus immun (Score:2)
During a special system boot: You can only install drivers and bootable items.
During a security boot: You can only install software to its own directory, and it can't interact with other software or system files.
There, you can't get a virus.
Sure, now just don't have any errors in any of your user space code, or don't allow multiple programs to share code (all static links) -- Every program will need its own image decoding software, no two programs will interact, so the camera app won't be able to pass off an image to the QR code app which passes the data to your browser or price checking, or etc. apps, etc. So long as you keep the bits of each program in 100% (virtualized) isolation from each other, and NEVER allow outside data in to exploit them then you'll be ALMOST protected against getting viruses.
One of the problems I ran into when porting my OS to ARM is that ARM only gives you a single bit of execution permission level. That means monolithic kernel only, which is just stupid. Only having user-space or kernel space means no driver-space between kernel or users, and no agent-space for plugins below user space. x86 gives me 2 bits (4 execution permission ring levels), in addition to hypervisory mode, which is essentially another bit of execution ring level. So, you have either trusted or untrusted code running in the OS, but that's daft. With at least one more layer between root and code you download and run in your browser, you could actually have hardware supported sandboxing.
Fast, Cheap, Convenient, or Secure. Pick Only Two.
The monolithic kernel design isn't designed for security, it's just the quickest and dirtiest design (read: dumbest). Compare this with 16bit DOSes unified memory space where any program can fuck with any other part of memory... Any kernel module can screw with any other part of the kernel, same problem different level. Since everyone's using the dumb monolithic kernel design the (ARM, PowerPC, MIPS, etc) hardware vendors do not give us the required additional security features in hardware (see: ARM's User Mode, Supervisor Mode [, and interrupt modes, but that's not where the bulk of your OS code is]). Restricted memory access does a lot to isolate processes, but the fact is that the way we are using software and OSs is not in line with the current hardware capabilities (which are lacking in some areas, and under utilized in others, e.g., hypervisor).
Contrary to popular belief software and hardware are inexorably linked. Features in hardware (or lack thereof) can enable, promote, prevent, or suppress certain types of program constructs, primarily those to do with security. I do not JIT compile JS into machine code and execute it in user space, that would be daft, but there you are.
Android is the Windows for mobile (Score:2)
Security flaws weren't what made Windows the prime target for attacks. It was market share. So it makes sense that Android is being targeted, it has the market share (phones and tablets).
Therefore, this should come as no surprise.
All software has security flaws (bypassing software you have hardware vectors as well).
Most any app could be malicious based upon the OS features it requests access to.
Apple's iOS ecosystem seems pretty secure, a big part of that is app review/rejection.
Re:Android is the Windows for mobile (Score:2)
...it makes sense that Android is being targeted, it has the market share...
Speaking as an Android fan, that is a cop out. Better we should fully concentrate on examining the attack vectors and closing them. IMHO, the major attack vector is Google's project governance: Android is not a faux-open project, therefore gets a tiny fraction of the peer review that is possible. Next item on the list would be: a security model designed on a whiteboard in a marketing meeting. Typical megacorp engineering approach, by the way. Third thing to regard with high suspicion: Java and anything to do with it. I am sure the list goes on. At least Linux itself is pretty tight, but as long as Google gets free run with no adult supervision, anything can happen.
Re:Android is the Windows for mobile (Score:2)
Which is why no IOS device has ever been Hacked, erm sorry, I mean Jailbroken.
I'm pretty suspect of these figures, I have no doubt Android is higher due to mainly higher market share and number of devices but also due to the freedom of the Android operating system making it easier for malware writers to hide malware in dodgy app stores (Personally, I'll keep the freedom and take the risk as the risk is so low it's almost funny).
I'm also pretty suspect about the numbers as I'm sure if there was significant levels of malware on IOS Apple wouldn't be nearly as forthcoming as Google. Also things that are considered Malware on Google are permitted by the Itunes Store T&C (spyware). It's better to say that 97% of _known_ malware is targeting Android and that is a good thing(TM). Nothing is worse for security than ignoring threats.
The biggest security threat is a problem on any platform however, phishing and social engineering attacks. Anywhere where there are people, there will be phishers.
Market Share /= Rewards (Score:3, Informative)
That's great in terms of dominating the market and reaping the rewards that come with it,
Hmm, I guess you've not seen the $ that Android's competitors bring in directly and for their developers.
Zero malware (Score:3, Funny)
I use Windows Phone and get 0% malware. The 1% goes to IOS.
Windows is indeed getting better. ;)
You are safe in the walled garden (Score:3)
Re:secure from what? (Score:5, Interesting)
fwiw, the NSA has owned all platforms, so it's not like iOS is invincible.
I strongly suspect that it has less to do with any flaws in either OS, than it does in the fact that iPhones get regular updates/patches/etc, whereas the vast majority of Android phones do not.
This is the one thing that Apple really should get props for - they go out of their way to ensure that, within reason, older iPhones get patched/updated along with the newest ones. Meanwhile, all but a relatively tiny fraction of (global) Android users buy models where neither carrier nor manufacturer really give a damn if the phones they sell ever see a patch. I mean, seriously - the cheap/low-end Android phones can still be found coming out brand new with 2.2/2.3 installed on the damned things.
Until that paradigm changes, the massive majority of malware and hacks will target the obviously juicy (and mostly obsolete and/or unpatched) Android market.
Re:secure from what? (Score:3)
the cheap/low-end Android phones can still be found coming out brand new with 2.2/2.3 installed on the damned things
BS
Re:secure from what? (Score:3)
the cheap/low-end Android phones can still be found coming out brand new with 2.2/2.3 installed on the damned things
BS
I was surprised, but you're right: when I looked at the pre-paid devices offered by several mobile providers, I didn't find any that were being sold with a pre-4.x OS version. It is no doubt still possible to buy old Android phones with old Android versions, but even cheap devices by Huawei and ZTE are now coming out with Android 4.x
Unfortunately, because manufacturers often provide very poor ongoing support for devices, a large number of devices already in the market will never be updated. In that way, I agree with the parent's parent: Apple can get props (relative to many Android device manufacturers) for providing relatively long term OS/security updates.
Re:secure from what? (Score:2)
Android devices do get regular updates direct from Google via Play, including security fixes. However, since Play is not available in some countries, notably China, those users are reliant on their provider (usually the mobile network operator).
So your statement that the "vast majority" don't get updates is simply wrong, particularly for people in the west and Japan/Korea, but applicable to China. Even so most malware does not rely on security flaws, it simply entices the user to install it (trojan).
As for iOS updates, while it is technically true that older devices like the iPhone 4 and iPad 2 get them, a lot of people find that the loss of performance is crippling, so they choose not to upgrade. At work all company iPhone 4s are still on iOS 6 because of the poor performance of v7 and some compatibility issues (sorry I don't have details).
Re:secure from what? (Score:2)
> Android devices do get regular updates direct from Google via Play, including security fixes.
But are those updates limited to Google Play Services or can they patch kernel and driver vulnerabilities or say the bluetooth, input or usb packages for example?
Re:secure from what? (Score:2)
This is the key point in this discussion, as it reveals the FUD from TFA. Note that TFA says "99 Percent of New Mobile Threats Target Android", but does not disclose the number of devices infected.
Right, I would be surprised if the percentage of Android devices infected is much different to the number of iOS devices infected, a little higher given the ability to install apps outside the official channel but probably not by much.
Re:secure from what? (Score:5, Funny)
This is probably worse for iOS than being insecure.
Their marketshare has fallen so far it's not worth targeting them any more.
Speaking as an iOS user, I'm perfectly fine with you Android users getting all of the malware love. No really... you can keep all of it... I don't want any!
Re:secure from what? (Score:2)
A lot of the malware exists because people can sideload apps. I would rather continue being able to sideload apps that I developed myself rather than pay Apple for the privilege of running my own code on my own device.
Re:secure from what? (Score:2)
> I would rather continue being able to sideload apps that I developed myself rather than pay Apple for the privilege of running my own code on my own device.
Personally I'm not that fussed about it, I can either jailbreak my device or shell out $99 (which includes the ability to publish and share my software with others) if I really want to do that. Either way it's no big deal.
Malware for Android is no different from malware for Windows or for OS X, the bulk of it is due to being able to run any code you want (where unless you wrote it you probably don't know what it does) and most people will just click through warnings about unsigned code, virtually none will ever vet any code ever. If you take the precautions to only run binaries from reputable sources or to compile from source yourself (nobody does that outside of a few geeks) from a reputable repo then you should be ok... but then again the Heartbleed bug shows that isn't the case all the time either.
The flip side of that is that on iOS you place all your trust in Apple to make sure that they vet code properly, by and large they do a pretty good job of that but that isn't to say they couldn't have a major slipup (in the style of goto-fail) in the future. With the freedom to run any code comes the responsibility to vet that code (whether that is the source - as in where it came from - of the binary or the sourcecode itself) and most users are not up to that challenge or just cannot be bothered and so malware persists.
Re:secure from what? (Score:2)
> Malware for Android is no different from malware for Windows or for OS X, the bulk of it is due to being able to run any code you want (where unless you wrote it you probably don't know what it does) and most people will just click through warnings about unsigned code, virtually none will ever vet any code ever.
Absolutely 100% incorrect. I don't think you understand Android that well. Android will refuse to run unsigned apps - they MUST have a signature, though there is no certificate authority they have to go through. But, apps with differing signatures can't interfere with one another. This means that malware app A can't steal or inject information into Facebook app B. However Facebook app C can manipulate Facebook app B if that's what the publisher who holds the keys wants it to do. You are free to alter these rules on your own if you'd like, either through rooting or putting your own signature on both APKs. Neither involves a simple warning that you have to click through; it's a rather manual process. This results in Android being inherently very secure by design.
> The flip side of that is that on iOS you place all your trust in Apple to make sure that they vet code properly, by and large they do a pretty good job of that but that isn't to say they couldn't have a major slipup (in the style of goto-fail) in the future.
Wrong again; Apple already has made a major slipup. In fact they've made a few of them, the most recent being this one:
http://www.theguardian.com/tec... [theguardian.com]
And of course, that is only what's known. Apple users assume that everything they do is 100% secure once vetted by Apple, but they couldn't be more wrong. iOS has a "city wall" but no guards to maintain order inside of the gates. Anybody with any security background will tell you why this is a horrible idea, as opposed to a layered security model, which is what Android sticks to.
Generally if you live in a first world country, malware on Android isn't a problem in the slightest. Most first worlders don't sideload apps, except for pirates, power users, and developers. In third world countries, especially China, piracy is often the first choice for obtaining software rather than getting it through app stores. It's in these countries where the malware is common.
US users who buy antivirus software for Android are flat out wasting their money. Malware found on the Play store is removed from your device by Play services when it is identified; so just by that alone you already have all of the malware protection you need. The only people who really need that are the ones who pirate their apps (and you can pirate safely, but it's inherently less safe to do so because you can't validate the original publisher's signature) however chances are if you already pirate your apps, you probably aren't terribly interested in paying for an antivirus app to begin with.
Nonetheless, what I said above won't stop companies like F-Secure from giving sensationalist figures like "99% of malware is aimed at Android," because their product can't sell unless they're somehow able to scare their users into buying it. The same is true of ID theft services such as LifeLock that don't actually do anything as well as ripoff home security services like ADT and Brinks.
Re:secure from what? (Score:2)
> Android will refuse to run unsigned apps - they MUST have a signature, though there is no certificate authority they have to go through.
Right well "signed by anybody" isn't that much different from a code safety perspective than unsigned code, you still have to trust who it is signed by and while they might not be able to modify existing apps we can see that from the malware examples on Android (even though I don't believe that many are particularly widely circulated) that this doesn't make much of a difference in terms of their ability to be malicious.
> But, apps with differing signatures can't interfere with one another.
The protections in modern Windows and OS X offer the same thing unless you start running things as administrator, and if you have root access on any system you get pretty much free rein to do whatever you want anyway.
> Wrong again; Apple already has made a major slipup.
The one you refer to was a research project, it's hardly a "major slipup" (I'm sure platform fanboys would like it portrayed that way but I don't have a religious devotion to any technology platform), in fact it had exactly zero impact on anybody, period.
> And of course, that is only what's known. Apple users assume that everything they do is 100% secure once vetted by Apple, but they couldn't be more wrong.
No, I don't think that's true at all, I guess I'm an Apple user (amongst Windows, Android and Gentoo) and I pointed out that whilst they are very good they are not perfect, which is the same as Google with the Play Store.
> Generally if you live in a first world country, malware on Android isn't a problem in the slightest.
Obviously if you restrict yourself to the Google Play store it is very much the same thing as using an iOS device which is restricted to the Apple App Store. But that negates the biggest advantage of Android.
Neither is inherently more secure, it comes down to flexibility and if you provide the freedom to do whatever the user wants and they take it then - just like on desktop systems - the user needs to take on additional responsibility, which they usually aren't capable of or willing to do. You will only get more safety for the userbase if they take on that responsibility and act on it or you restrict them. The nice thing is we - as users - have the choice :)
Re:secure from what? (Score:4, Insightful)
> Obviously if you restrict yourself to the Google Play store it is very much the same thing as using an iOS device which is restricted to the Apple App Store. But that negates the biggest advantage of Android.
Say you restrict yourself to Google Play Store, Amazon Appstore, Humble Bundle, F-Droid, and applications you compiled yourself. Is the advantage still negated? In my opinion, the advantage of Android's "Unknown sources" and "adb install" model is 1. compiling apps yourself without having to replace your desktop computer and pay a recurring fee, and 2. ability of third-party app stores to build a reputation for quality control.
Re:secure from what? (Score:2)
> Strictly speaking, you forgot that it's $99 per year
Yes that's true.
> and you forgot the cost of the Mac you need to build the app.
I already had one.
> You can build an Android app on nearly any platform.
So of course you need to have a PC of some sort, if you want to run arbitrary code and you already have a PC but it isn't a Mac and you don't want to buy a Mac and don't know somebody that could build the binary for you on their Mac then obviously buy an Android device, the options are all there. I'm not advocating for one over the other but clearly if the cost is too much for you then by all means go for Android.
> If all you want to do is tinker with Android, the cost is zero - the one-time fee only applies when you want to publish the app.
This is all nice in theory but if it were actually a legitimate issue then I would think we should see a LOT of innovation on Android relative to iOS simply because of the supposed hurdles to develop for iOS. Assuming this cost is such a significant barrier to entry we should be seeing some negative effect, where is it?
I often see this barrier to entry issue paraded as a disadvantage of iOS so it should be seen as an advantage to Android but are the benefits actually anything more than theoretical?
Re:secure from what? (Score:2)
> A lot of the malware exists because people can sideload apps. I would rather continue being able to pirate apps than pay for them.
Fixed that for you, and the vast majority of Slashdotters.
Re:secure from what? (Score:2)
Android has just over 50% of the US marketshare, hardly "fallen so far".
Re:secure from what? (Score:2)
> Android has just over 50% of the US marketshare, hardly "fallen so far".
I suppose that 60% counts as "just over 50%" if you hold your tongue right.
http://www.androidauthority.com/android-up-8-us-market-374932/ [androidauthority.com]
Re:secure from what? (Score:2)
> This is probably worse for iOS than being insecure.
> Their marketshare has fallen so far...
Ha. Apple won't care until this graph [twitter.com] takes a sharp downward turn. They could probably drop to 10% market share and still make the most money in the industry.
Re:secure from what? (Score:2)
>> This is probably worse for iOS than being insecure.
>> Their marketshare has fallen so far...
> Ha. Apple won't care until this graph [twitter.com] takes a sharp downward turn.
The '12 drop looks pretty sharp to me, and flat since then.
> They could probably drop to 10% market share and still make the most money in the industry.
How, by selling products for ten times the going price? Seems like a recipe for 0% market share to me.
Re:secure from what? (Score:2)
>>> This is probably worse for iOS than being insecure.
>>> Their marketshare has fallen so far...
>> Ha. Apple won't care until this graph [twitter.com] takes a sharp downward turn.
> The '12 drop looks pretty sharp to me, and flat since then.
>> They could probably drop to 10% market share and still make the most money in the industry.
> How, by selling products for ten times the going price? Seems like a recipe for 0% market share to me.
Nice theory - so why isn't their market share 0% yet? And frankly: making negative profit (as all Android makers but Samsung do) seems to be a much better recipe for 0% market share.
Re:secure from what? (Score:2)
> The '12 drop looks pretty sharp to me, and flat since then.
Tip: READ THE NUMBERS. That "drop" was from about 70% to about 62%. It's not like they went from 90 to 10. And as you said, it then leveled out. As in, did not continue to fall.
>> They could probably drop to 10% market share
>> and still make the most money in the industry.
> How, by selling products for ten times the going price?
No -- by letting everyone else win the race to the bottom. If you look into the data behind the graph, you'll see that the percentages of Samsung plus Apple total over 100% because other players in the industry are losing money. Apple won't sell products at a loss.
Re:secure from what? (Score:2)
Well I can share this with you: I look forward to the day that Apple has 10% share and failing to match its competitors' prices is an efficient way to get there. I hope they keep it up.
Yep, nobody has an iPhone or iPad (Score:2)
Apple is doomed.
In other news, you're an idiot.
Re:Android more insecure than Windows!!! (Score:2)
It ain't inherent security so much as it is inherent refusal to patch on the part of manufacturers and carriers.
It would be like putting up a Red Hat 9.1 box with all default settings, giving it a public IP addy, and plugging it in directly to the Internet - sure it was very secure for its time, but unpatched and obsolete, it'll become just another victim.
Until manufacturers and carriers realize this (and stop thinking strictly like a damned CE company), this will continue to be the state of things.
Re:No shit (Score:2)
This comment reminds me of the people on Apple Support Communities who insisted that FlashBack was not actually a thing, that it was not infecting any systems, anywhere, and it was all just a big myth created by AV companies to sell product.
Meanwhile I was spending a day each week clearing FlashBack off dozens of infected student systems because the kids were too &*(@#$ stupid to not whack the monkey or whatever stupid thing they did in order to get infected (and god help us if we didn't give them administrative privileges, you don't want to hear the caterwauling they make at the slightest hint of restrictions).
See, apparently I'm in the employ of AV companies and didn't know it. My bank account never noticed it either.