Android Cellphones Google Security Software

Google: Less Than One Percent of Android Devices Are Affected By Harmful Apps

jfruh writes: One of the selling points of iOS is that its more restrictive nature makes it more secure. But even though it's easier for users to accidentally install malicious apps on Android, data collected by Google (PDF) indicates that less than one percent of Android users have actually done so. Quoting: "During October 2014, the lowest level of device hygiene was 99.5% and the highest level was 99.65%, so less than 0.5% of devices had a Potentially Harmful Application (PHA) installed (excluding non-malicious Rooting apps). During that same time period, approximately 0.25% of devices had a non-malicious Rooting application installed. ... Worldwide, excluding non-malicious Rooting applications, PHAs are installed on less than 0.1% of devices that install applications only from Google Play. Non-rooting PHAs are installed on approximately 0.7% of devices that are configured to permit installation from outside of Google Play. Additionally, the second graph shows devices with any PHA (including Rooting applications). Rooting applications are installed on about 0.5% of devices that allow sideloading of applications from outside of Google Play."

  • Bring back... (Score:2, Offtopic)

    by ADRA ( 37398 )

    AppOps, tyvm. Done.

  • by Anonymous Coward

    A lot.

    • by jaxn ( 112189 )

      Well, let's see

      If only Jayne from Firefly could help us with the math.

      1% of more than a billion?
      1+1x1, carry the zero, x 1 billion, divided by, oh goram that's a lot! I aint never seen numbers that big.

  • by Anonymous Coward

    If Google or Apple talk stats about their ecosystem, take it with a giant grain of salt.

    It's pure marketing BS.

    • by halivar ( 535827 ) <bfelger@@@gmail...com> on Friday April 03, 2015 @12:59PM (#49399035)

      According to Apple, iOS users are more virile, and have love-making stamina for hours.
      According to Microsoft, Windows Phone users are endowed with the power of invisibility, which is why they are so elusive.

    • by Aighearach ( 97333 ) on Friday April 03, 2015 @01:04PM (#49399063)

      Even in F-Droid, over half the apps want to read my device ID and permission to record all my calls and contacts, and less than 1% have a legit reason for that info. The vast majority of apps in their walled garden don't actually need any special permissions at all to do whatever the app does, or maybe 1 permission. Find an app that has only the permission it needs. Good luck, hope you ate a big breakfast before you started searching.

      How is tracking me with nothing given in return not "harmful?" My privacy has value to me, surely. The claim that there is no harm relies on the known lie that my privacy has no value to me.

      The honest truth is that they think less than 1% of android apps do harm that doesn't benefit google. That is actually a different thing than what they're saying, though. So I call lie.

      • >How is tracking me with nothing given in return not "harmful?"
        I agree, except for the "nothing given in return" part. They're giving you the use of their software. Part of the price you pay is letting them spy on you. A nice straightforward business transaction - except for the fact that their spying is usually deceptively obscured.

        I have no problem with a piece of software that spies on me as part of its declared up front price - I'll tell them to go fuck themselves and look for an alternative unless

      • by swillden ( 191260 ) <shawn-ds@willden.org> on Friday April 03, 2015 @01:59PM (#49399439) Journal

        Even in F-Droid, over half the apps want to read my device ID and permission to record all my calls and contacts, and less than 1% have a legit reason for that info.

        (I'm a member of Google's Android security team.)

        This is a valid issue, but separate from what the report is attempting to address. Well, not entirely separate, because the Android security team does in some cases classify apps that request excessive permissions as potentially-harmful, but only when there's evidence that the apps are actually trying to abuse the user.

        Note that I'm not trying to downplay the issue of apps that request more permissions than they need. I think (based on lots of evidence) that in most cases this is more an artifact of developer laziness than malice; they aren't sure exactly what they need and definitely don't know what they're going to need in the future and so find it easier to ask for the world. This is a problem the Android security team recognizes and is working to address, in various ways that I can't go into.

        How is tracking me with nothing given in return not "harmful?" My privacy has value to me, surely. The claim that there is no harm relies on the known lie that my privacy has no value to me.

        Actually, Google specifically assumes that your privacy does have value to you, and that you should be able to decide what you'll trade it for.

        The honest truth is that they think less than 1% of android apps do harm that doesn't benefit google.

        Benefit to Google, or lack thereof, is completely irrelevant to the Android security team's decision to classify an app as potentially harmful or not. In general, the Android security team treats the rest of Google as just another app developer and online service provider. It's not our job to enable their revenue streams. Granted that we recognize that those revenue streams pay our salaries, but in the long run treating users well is what will enable Google to continue making money and paying our salaries.

        • by mlts ( 1038732 )

          IMHO, the Google/Android security team is doing a good job. I have never gotten stung on the Play Store, and I've not encountered "fishy" apps (ones that have horror stories in the reviews) that didn't get taken down quickly in a long time.

          Of course, I am still partial to XPrivacy, because it doesn't deny an app permissions... it just feeds it BS. However, I do think Google has kept with the times in terms of security.

          The black eye with Android isn't Google's fault. Virtually all reports of malware I se

          • The black eye with Android isn't Google's fault. Virtually all reports of malware I see here in the US are due to people going to shady repositories for pirated apps. Yes, it might "save" $1.99 on an app, but there is a good chance, a lot more "functionality" might come with the .apk file.

            And so there it is: the exact argument for a Curated Collection (a/k/a "Walled Garden")...

            Thank You.

        • Mod parent up +1
        • by 0123456 ( 636235 )

          Actually, Google specifically assumes that your privacy does have value to you, and that you should be able to decide what you'll trade it for.

          So when are you going to give us the ability to disable permissions on a per-app basis? You know, like you added to the OS a few revisions back, then took away again?

          This is the biggest single reason I recommend people not to buy Android these days if they ask. I'm sick of apps asking for all kinds of permissions that I don't want to give them, and not having any way to block them.

          • by ejasons ( 205408 )

            I recently moved back to an iPhone, after a few years on Android. It is so very nice to be able to update my apps, and not have to review all of the extra permissions that every app is requesting. And not having to manage the permissions in appops/xprivacy.

          • Actually, Google specifically assumes that your privacy does have value to you, and that you should be able to decide what you'll trade it for.

            So when are you going to give us the ability to disable permissions on a per-app basis? You know, like you added to the OS a few revisions back, then took away again?

            This is the biggest single reason I recommend people not to buy Android these days if they ask. I'm sick of apps asking for all kinds of permissions that I don't want to give them, and not having any way to block them.

            That really blasts their Pollyanna "it's all roses" line out of the water. If they hadn't made something that was really great on a technical level, that can give us what we want, and then scaled it back so we can't have it... then I'd still be listening to their line. A few short years ago there was nothing I loved more than a new Google API. Now, it reads the same as "Microsoft API," e.g., something I may have to be aware of at work, but not the thing we're actually going to be using.

        • Actually, Google specifically assumes that your privacy does have value to you, and that you should be able to decide what you'll trade it for.

          Of course, then there's THIS [informationweek.com].

        • Tracking is not harmful, it is creepy. It is doing something no person should ever feel the need to do to another person.

          If you are the type of person who will do it, you are not likely to see the fault in your actions.
        • I'm sorry, but I simply don't believe you (by the way, is the 'Android Security Team' still six guys, or did you recruit some new people / start talking to the main Google security teams?). If Google cares so much about my privacy, then why does the 'enable Google tracking my location' dialog box have a 'don't ask me again' option that's only enabled if you select 'yes' and not if you select 'no'? This is a relatively recent change in newer versions of Android: previously you could permanently disable the

          • To expand on this:

            If they wanted to add to the dev tools the capability to auto-generate permissions by running the app in a sandbox, measuring what permissions it actually used, and then generating the manifest, that would be easy to do. In fact, you could just have a test suite that exercises all the app features to drive it. That way for people who write tests, they would get tailored permissions for free; and any missing permission would be parallel to a missing test, and so it would help mitigate bug e

        • The honest truth is that they think less than 1% of android apps do harm that doesn't benefit google.

          Benefit to Google, or lack thereof, is completely irrelevant to the Android security team's decision to classify an app as potentially harmful or not.

          Nonsense. Broaden the meaning of the words until what I said sounds like a true statement; good, now you've understood my statement. ;)

          Like you admit, if you attribute it to laziness you just assume there is no problem. It would be harmful for google to actually try to address the problem, because the only solution for lazy developers would be to inconvenience them in some way; kick their apps out until they fix their permissions. Your whole statement just reinforces my original view; the problem is addressed only in the area that google gets blamed for ("malicious" apps) and totally ignores the problem that hurts users more: incompetence that turns any app security bug into super-malware. Your position makes perfect sense, if the PR of the Google Play Store is the concern.

          And history of walled garden software repositories shows that this approach results in malicious parties putting their apps in without the bad parts first, then later making changes in updates. If you're accepting security problems as long as they are only lazy mistakes, you're not protecting against much. The first wave of security work is just enabling the second wave of attacks in that case. The same thing as is happening to advertisers. Google is what it is today mostly because of text ads; there is no malware vector. Everybody else gives power to advertisers to spew HTML blocks at customers, and it is full of malware. Reviewing the ads in advance isn't helping the competition. Google's left hand doesn't have the wisdom of the right hand, unfortunately.

          With f-droid though, I can just download the source code, remove the permissions, recompile, and install by hand. Done and done.

    • What do you mean? A company might be dishonest when they audit themselves for marketing purposes? I don't believe you... /sarcasm

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Friday April 03, 2015 @01:39PM (#49399303) Journal

      If Google or Apple talk stats about their ecosystem, take it with a giant grain of salt.

      It's pure marketing BS.

      Take it with a grain of salt, sure, that's wise. However, there's nothing marketing-related about the numbers in the report. These numbers are snapshots of the data the Android anti-malware team uses internally to assess its effectiveness. The numbers are not fudged, and what they show is that while there are issues, Google's anti-malware team is making solid progress and the current state of the ecosystem is actually not too bad. There are some caveats (called out in the report) around the fact that the numbers describe the prevalence of known potentially-harmful apps. The charts get revised retroactively when new PHAs are discovered but snapshots in reports are static. Still, I think the numbers are quite reliable.

      Note that I'm a member of the Android security team, and my manager is the primary author of the report and blog post, though I work on platform crypto features, not anti-malware.

      At worst, the numbers in the report represent the ways in which the Android team fools itself about the state of ecosystem security. At best they're an accurate and nuanced reflection of the state of the ecosystem. The truth is somewhere in between, but I think it's far, far closer to the latter than the former. What the numbers definitely are not is anything cooked up specifically for the public.

    • Indeed. For me, the biggest questions were regarding the date range of the data being used. Why just one month's stats from 6 months ago? Why October specifically, rather than continuing on beyond?

      Turns out I managed to answer my own questions while scanning through the report for answers. October is when they began monitoring these statistics, so that explains why it starts when it does. As for why the stats only run through the end of October, they were preparing the report in February, apparently, and th

  • If it was possible to identify all the PHAs antivirus would still be 100% effective. Not to mention the varying definitions of 'harm.' For instance, I consider all the apps wanting to take my IMEI harmful, and I doubt Google counted these as 'potentially harmful'.
    • They don't claim 100% accuracy, but they readily admit in the paper that they aren't an oracle who can immediately recognize PHAs on sight. Rather, they capture data for all app installations, and then as apps are flagged as PHAs later (most of which happens within 60 days, according to them), they're able to make sense of the data to understand what percentage of installs were for PHAs. I.e. They're using hindsight to provide accurate data, rather than relying on the information they had at the time.

  • by TheGratefulNet ( 143330 ) on Friday April 03, 2015 @01:08PM (#49399079)

    the great Short Attention Span Company(tm) EOLs phones like there's no tomorrow. my older google phone is stuck at android 2.x and will never get updates. I don't care about features, but I'd like kernel, ip-stack and some onboard apps to have fixes for security.

    it won't ever happen. we don't really own our phones. and we are supposed to keep landfilling perfectly fine hardware - to keep the monsters in high profit.

    even if I ran no apps at all, the os is buggy and full of weaknesses. I'm sure I could be attacked with an old 2.2 android os, probably in just a few minutes time.

    this is why I hate phones and have zero interest in spending more money and time on this crap. the ceo's might have gotten it right: use dumb feature phones and be more secure!

    • we don't really own our phones.

      This is a result of you owning your phone. If you were renting the phone, they would be expected to keep it up to date, instead, you buy it and they wash their hands of it. This is not as much a problem with Google as it is a problem with carriers. The carriers want control, so they get it and cause phones to be end of life'd quicker.

    • the great Short Attention Span Company(tm) EOLs phones like there's no tomorrow. my older google phone is stuck at android 2.x and will never get updates.

      You're still using a Nexus One? Even the Nexus S got upgraded to 4.1. Serious kudos on keeping that five year-old phone running. Do modern apps run on it?

      From a broader perspective, while I think Google should probably do a little better at updating older Nexus devices than it has, it's really not that bad; the Nexus 4 and first-gen Nexus 7 got Lollipop (though it doesn't run all that well on the N7v1), and I suspect that if it weren't for the fact that the SoC vendor is gone, the Galaxy Nexus would have

    • Go back to your bedroom. Loads of people think five years is still a child. I am writing this on a ten year old laptop, and regularly use a 10 year old Nokia phone (I have a new Samsung, but quite often I need to be away from the mains for more time than 3 spare batteries allow).

      Electronics does not rot or rust, and in the absence of a hard disk or CDrom drive, should last 30 years.

      I see no reason why Google should have to maintain old devices. However, I do think that if a manufacturer EOLs a device, which

  • by Immerial ( 1093103 ) on Friday April 03, 2015 @01:13PM (#49399103) Homepage
    Even .1% of a billion devices, is still a lot of devices affected. Even that is still a very conservative number: lowest rate listed and a very small number of devices. This says there are ~1.6 billion phones (http://www.statisticbrain.com/android-phone-statistics/), which doesn't include tablets or any other devices. So percent-wise .1% sounds great... but numbers-wise I hope they get that percent even smaller ;) Just saying...
  • While I have seen a lot of viruses on Windows PCs, I have never seen an Android "harmful app" or virus. They probably exist, but I tend to believe that they are only installed on less than 0.5% of Android phones.
    I've seen a lot of crapware with too many permissions and lots of ads, just like on iOS, but nothing the user didn't agree with.
    Soon enough, all these apps will be forgotten and replaced by better alternatives, just like nobody still uses WinZip or any other file archiver with a nag screen.
    • Take a look at the permissions your average (free) flashlight app requests then reconsider your definition of harmful.

      • Flashlight app? I use the one built-in to my OS.
        • Me too, but that is a newer thing, many of the older phones did not include that. I was pointing out that there are many definitions of harmful.

          https://www.youtube.com/embed/... [youtube.com]

          According to this guy, the most popular free flashlight apps steal your personal information and transmit it to other countries. It makes for an interesting spy gadget for them apparently.

  • All of the Android phones I've owned had huge space limitations (can not install to the SD card) which keeps me from installing and playing with many potentially dangerous apps. Hey, Google, why can't I install apps to my SD card?
    • You're probably asking the wrong company. Ask the company who built your device. The google branded Nexus devices don't have that limitation.

      • by Anonymous Coward

        Kind of weird to say the Google branded devices don't have the limitation of not being able to install apps to the SD card, when they don't have an SD card at all.

  • Google: Less Than 10 Million of Android Devices Are Affected By Harmful Apps

    Doesn't sound so nice now, does it?
  • Rooting applications are installed on about 0.5% of devices that allow sideloading of applications from outside of Google Play.

    When an article (and a summary) include garbage like this, I refuse to take the rest seriously. Rooting is not Sideloading. There is a feature right in every stock Android system that tells Android that it is OK to accept Apps from sources other than Google. There are apps included with factory fresh Android that will install these apps as long as the user has chosen to allow i

  • by 140Mandak262Jamuna ( 970587 ) on Friday April 03, 2015 @01:56PM (#49399421) Journal
    How to lie with statistics, trick number one.

    95% of the brand A cars built in the last 10 years are still on the road, does not mean brand A cars have a 95% chance of lasting 10 years. Only 10% of the cars built over the last 10 years is likely to be 10 years old. So they could be talking of just 50-50 chance of their cars lasting 10 years.

  • An app that you don't want, is completely useless, that consumes storage space, but is not removable - that, to me, is harmful. By that measure, 99.9% of Android phones contain harmful apps.

    Just wait until one of the cannot-be-uninstalled apps comes up with a major security vulnerability. That's going to be fun to watch.

  • What do they actually count? When a device was compromised, the attackers should cover their tracks and the device should be difficult to identify as being compromised.

    In other words, there is no "compromised" flag to easily identify on devices. Which leads to the question: what does Google's number mean?

  • Even if that number is correct that goes by google's definition. I'd say many of the apps in their own store are harmful because they ask for too many permissions and you have little you can do about it thanks to google's all or nothing approach to permissions.
