Android security chief says the OS is almost impenetrable to malware

[securitybreach]

Very interesting article about Android's security with a large portion quoted from the Android Security Chief, Adrian Ludwig:

 

 

Until now, Google hasn’t talked about malware on Android because it did not have the data or analytic platform to back its security claims. But that changed dramatically today when Google’s Android Security chief Adrian Ludwig reported data showing that less than an estimated 0.001% of app installations on Android are able to evade the system’s multi-layered defenses and cause harm to users. Android, built on an open innovation model, has quietly resisted the locked down, total control model spawned by decades of Windows malware. Ludwig spoke today at the Virus Bulletin conference in Berlin because he has the data to dispute the claims of pervasive Android malware threats.

 

Ludwig sees security in biological terms:

“A walled garden systems approach blocking predators and disease breaks down when rapid growth and evolution creates too much complexity. Android’s innovation from inside and outside Google are continuous, making it impossible to create such a walled garden by locking down Android at the device level.”

 

He stated Google’s mission in defending against malware in terms more closely akin to the Center for Disease Control (CDC) than the PC security industry. “The CDC knows that it’s not realistic to try to eradicate all disease. Rather, it monitors disease with scientific rigor, providing preventative guidance and effective responses to harmful outbreaks.”

 

The problem Google wants to solve is that most independent security researchers don’t have access to a platform such as Google’s to measure how many times a malware app has been installed. They are analogous to human disease researchers without a CDC to measure the size of a disease outbreak and coordinate a response. Security researchers are very good at finding and fixing malware, but in the absence of reliable data that indicate how frequently a malware app has been installed, the threat level can become exaggerated. Reports that reach publication are often extremely exaggerated. To emphasize this point, Ludwig revealed in his analysis that some of the most publicized recent malware discoveries are installed in less than one per million installations.........

http://qz.com/131436...ble-to-malware/

 

Thoughts?

[Guest LilBambi]

Interesting...

 

I think it doesn't tell the whole story. But could be true for those who are not careful what they install on their phones.

[ross549]

what's he saying? that android is badly overrun with malware? that we cant quantify the breadth and depth of the problem? that there is no counting the nr of infections?

 

.13% (as quoted in the article) is still a lot, in this age of billions of smartphones.

 

Adam

[securitybreach]

He is talking about sideloading malicious apps not installing them via the market:

Verify Apps tracks each incident when a potentially hazardous app is flagged, when the user is warned, and when the user chooses to ignore the warning and installs the app. Warnings are an effective deterrent to malware. Only 0.12% of users chose to ignore the warnings and install potentially hazardous apps.

[V.T. Eric Layton]

"...almost impenetrable..."

 

Why doesn't he just come right out and say, "Na-Na-Na-Na... I dare you. I double-dog dare you!"

[ross549]

He is talking about sideloading malicious apps not installing them via the market:

 

True, but hazardous apps have made it in to the Google Play market..... (and the App Store too).

 

Adam

[goretsky]

Hello,

 

I checked a while ago (and this is from memory, so it's a little hazy) on signature creation rates for Android OS and iOS at work, and for a 12 month period, we created something like 1,500 Android OS signatures versus 25 Apple iOS signatures. It's important to keep in mind, though, that the types of threats you see on an Android OS device vary from those seen on traditional desktop OSes like Windows.

 

Regards,

 

Aryeh Goretsky

[securitybreach]

What exactly do you mean Aryeh??

[V.T. Eric Layton]

What exactly do you mean Aryeh??

 

Virii or malware code with either Android or Apple targets.

[goretsky]

Hello,

 

Well, I work for an anti-malware company, and one day was curious as to how many signatures we added for Android OS-specific threats versus those we added for iOS. Turns out the former is much higher than the latter. Of course, this absolutely pales in comparison to the stuff we add for Windows-based malware, but I would take any claims of Ultimate Device Security™ from any operating system manufacturer with a rather large grain of salt. For example, I would like to know if the Google presentation covered apps that include the Leadbolt advertising kit, which some anti-malware programs detect as adware, a potentially unwanted application and so forth.

 

Regards,

 

Aryeh Goretsky

What exactly do you mean Aryeh??

[securitybreach]

For example, I would like to know if the Google presentation covered apps that include the Leadbolt advertising kit, which some anti-malware programs detect as adware, a potentially unwanted application and so forth.

 

I block all ads including app ads using Adfree(requires root): http://adfree.bigtincan.com/about.php

 

That is the pretty much the only app I sideload since Google took all the adblockers from the market.

[ross549]

I've been chewing on this article for a couple of days because it did not sit right with me. Then it hit this morning.

 

A locked down approach has worked for Apple in protecting iOS from malware because it controls both hardware and software towards the goal of maximizing its profits. In contrast Google has used an open model to maximize Android market share in which it licenses Android for free and controls neither the hardware or software ultimately sold to the end customer.

 

The author implies (subtly) that profits are not a major focus of the Android operating system.

 

Frankly, both companies are profit driven ventures, and both have a lot of cash lying around. To imply that Android is not a vehicle to drive more money in Google's pockets is ludicrous. Android is one piece of the money puzzle for Google.

 

Adam

[securitybreach]

Frankly, both companies are profit driven ventures, and both have a lot of cash lying around. To imply that Android is not a vehicle to drive more money in Google's pockets is ludicrous. Android is one piece of the money puzzle for Google.

 

Adam

Well Google makes money from licensing Android to hardware manufacturers and of course, AdSense http://gigaom.com/2012/04/01/why-google-isnt-worried-about-androids-revenue/

[ross549]

Yes, but Google wants to keep you "in the ecosystem" by offering products you might find interesting. In doing so, they can deliver targeted advertising and thereby sell the real product (your profile and behaviors) to advertisers.

 

Adam

[securitybreach]

Yes, but Google wants to keep you "in the ecosystem" by offering products you might find interesting. In doing so, they can deliver targeted advertising and thereby sell the real product (your profile and behaviors) to advertisers.

 

Adam

That sounds like what Apple does

[ross549]

Not really. It is much more geared to the upfront costs of the hardware/software. Apple does iAds, and that is a very small part of the business model.

 

Adam

[crp]

laugh! out! loud! duh!! no screaming eagle sheet that google would remove ad blockers!

that is the funniest thing i've heard in a while!

i have an adblocker for the chrome browser that i installed via the chrome extension web site.

[Guest LilBambi]

Google and apps, Apple and apps, and now Microsoft (search Win 8.1) and apps. Not to mention Ubuntu Dash search (lens).

 

You can disable it in Ubuntu and Microsoft.

[V.T. Eric Layton]

Apps, schmapps. My cellular communication device don't need no stinkin' apps.

[securitybreach]

Apps, schmapps. My cellular communication device don't need no stinkin' apps.

 

I could not live without apps on my mobile device. I barely use it as a phone but I need 24/7 access to email, irc, my feeds and other applications. That and its nice to be able to ssh into my home machines from anywhere (well as long as a I have service anyway). I like having a powerful computer in my pocket (quad core with 2gb of ram).

[V.T. Eric Layton]

You're such a geek.

[securitybreach]

You're such a geek.

 

Who me?

[V.T. Eric Layton]

Don't worry. If you're really lucky, you'll grow into an old obsolete geek has-been.

[raymac46]

Don't worry. If you're really lucky, you'll grow into an old obsolete geek has-been.

 

A Geritol swilling Geri-geek.

[sunrat]

There was an interesting discussion about phone security on RRR-FM, our local community radio station. I recall them mentioning examples of malware banking apps that can actually intercept your SMS verification code and drain your bank account in the seconds you are waiting for the code to come through.

There is no way I would do financial transactions on anything but my Linux computers. And possibly wearing a tinfoil hat.

I currently have 4 apps on my phone apart from default ones - Weatherzone, Flashlight, AirDroid, and Tram Tracker which gives me real time info on what time the next tram is coming and routes etc. No steenking banking apps.

[securitybreach]

Another good reason to log into your bank via the browser, not an app. And if you are going to use an app, only use the official one from the market that is endorsed by your bank; not a third party app.

 

Point being, if you are sideloading apps (manually installing them instead of from the market) then you are asking for trouble. Unless you know exactly where the app is coming from, then you should not install it. The same applies to operating systems. Installing a random .deb file from a filesharing app could get you infected as well.

 

There are a lot of real-time malware/virus scanning apps on the market (Eset, Malwarebytes, Lookout, etc) that scan apps and downloads for malware, spyware, viruses, etc.

 

People should treat mobile devices like computers: if there are malicious files out there that could infect your machine, scan all downloads and only install apps from trusted sources (unless you know exactly what you are doing). Users tend to forget that smarphones are computers and should be treated accordingly.

[Guest LilBambi]

I could not live without apps on my mobile device. I barely use it as a phone but I need 24/7 access to email, irc, my feeds and other applications. That and its nice to be able to ssh into my home machines from anywhere (well as long as a I have service anyway). I like having a powerful computer in my pocket (quad core with 2gb of ram).

 

I use my phone as a phone quite a bit, but the apps are absolutely needed here too.

 

Sideloading can be very dangerous if you don't keep up on what developers are safe. "Oh, that looks shiny!" is not a great recommendation for a safe developer.