That was the gist of a presentation at last week’s Virus Bulletin conference in Berlin by Google’s Android chief of security Adrian Ludwig, who reported that only 0.001% of apps downloaded by Android users pose any harm to their devices or data.
The Google statistic includes not only apps downloaded from Google Play, but any app installed by a user on his Android device. Ludwig used the finding to argue that Google’s approach to app installation — in essence, anything goes — is a better system than Apple’s walled-garden model, which requires all apps to be vetted before they can be downloaded and installed by users on their devices.
“A walled garden systems approach [to] blocking predators and disease breaks down when rapid growth and evolution creates too much complexity,” the biologically minded Ludwig told the conference, reported Quartz. “Android’s innovation from inside and outside Google are continuous, making it impossible to create such a walled garden by locking down Android at the device level.”
[ How often do you test your security measures? Read Can Your Network Beat Malware? ]
Ludwig continued by likening Android’s security model to how the Centers for Disease Control and Prevention (CDC) tackles real-world infections. “The CDC knows that it’s not realistic to try to eradicate all disease. Rather, it monitors disease with scientific rigor, providing preventative guidance and effective responses to harmful outbreaks,” he said.
Do Google’s mobile malware infection statistics and approach add up? Obviously, the company has an ax to grind: Its Android operating system runs on a massive number of mobile devices. Furthermore, it saves money by not offering Apple’s relatively locked-down, walled-garden approach, even as an optional feature. That said, Google has added automated malware detection scans to its Google Play app store and built better security tools into the Android operating system itself. To continue the CDC metaphor, however, Google also relies on some Android users getting infected and sounding an alert to then save the rest of the herd from any potential pandemic.
Google’s perspective on the real-world threat posed by Android malware — and by extension, the effectiveness to date of its choice of app review and distribution model — has been echoed in other quarters.
A study released Monday by researchers at the Georgia Institute of Technology and security firm Damballa, “The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers,” found that mobile malware “appears in a minuscule number of devices” in the two networks they studied. Those networks belonged to “a major U.S. cellular provider as well as a major U.S. non-cellular Internet service provider.” In particular, just 3,492 out of more than 380 million devices exhibited signs that they’d been infected with mobile malware. That’s fewer than 0.0009%, which is even lower than Google’s finding, although Google’s research encompassed devices from outside the United States, where mobile infection rates have historically been higher.
Why isn’t mobile malware more prevalent? “One possible explanation for the small quantity of mobile malware seen is the difficulty of distribution,” said Damballa researcher and Georgia Tech doctoral candidate Charles Lever in a related blog post. “Google Play provides a strong, first-party market that offers over a million applications, and the iOS App Store offers over 750,000 applications. These markets provide users with a plethora of applications to choose from, in addition to providing malware controls.” In other words, many Android users simply default to using Google Play to gather all of their downloaded apps. Thus, they remain relatively well protected, especially compared to third-party Android app stores, which are by comparison a hotbed of mobile malware and adware.
But the continuing difficulty of getting mobile malware onto a sizeable number of people’s smartphones and tablets means that so far, it hasn’t been worth the effort of criminals who seek financial gain to target those devices, Android and iOS hacking expert Charlie Miller told InformationWeek last month. That’s just one reason, he said, why the actual threat posed by mobile malware — against either Android or iOS systems — is vastly overstated.
“For people like me who are just trying to show off, it makes sense for us to show off using the new technology,” Miller said. “But if you’re a criminal … it’s way easier to attack desktops, and you get the same result.”
What do security researchers do when they discover a vulnerability that might enable an attacker to compromise one of your organization’s applications or systems? The The Security Pro’s Guide To Responsible Vulnerability Disclosure report looks at the changing nature of vulnerability disclosure and how it might affect the way you seek, identify and eradicate vulnerabilities in your own IT environment. (Free registration required.)