Welcome to Android Malware

Android malware has been around for a while now, but it has been somewhat uncertain how prevalent infected devices are. The Wildlist has been used as a measure to show which viruses are prevalent. What is interesting about the first Extended Wildlist in August 2011 is the inclusion of three pieces of Android-based malware. I would have loved to say that this is the first non-PC-based malware to make it onto the Wildlist, but it’s more complicated than that. There has been some Mac and Linux malware that has received mentions in the Wildlist, but due to the acceptance criteria of the Wildlist, it never made it onto the official list. So, based on a technicality, you could say that the Android-based malware is the first non-PC-based malware to be included on the Wildlist. This is big news in two ways:

  1. It implies Android is a significant platform with a significant security profile (or lack thereof).
  2. It gives us a measure of confidence that real people are getting infected with Android malware.

You could use this as an opportunity to say that iOS is better than Android, but I would not encourage this view. There are exploits against iOS, but due to Apple’s control over the content of their App Store, the AV industry as a whole — and Commtouch included — has not seen as much iOS malware yet. Even the volumes of malware we have been seeing for Android are a drop in the ocean compared to what we see for Windows-based malware. At Commtouch, we have seen around 300 samples of Android malware over the last year, while we receive between 40 and 150 thousand pieces of malware per day.

This is, however, indicative of a trend. Android is a relatively open environment which is hugely popular and growing at a significant rate. A significant amount of money is being spent to develop products for it, and a significant number of users are using these devices for real-world transactions involving money.

In 2006, I wrote a blog entry about malware on mobile devices. In it I basically stated what I think is required for malware to become prevalent in this type of environment. I think all my predictions came true for Android.

Modern smartphones and tablets are nearly as capable as laptops and desktops. From a productivity perspective, you can do nearly everything on a smartphone or tablet that you can do on a desktop or laptop. This includes financial transactions and storing valuable information. If you combine this with the ease of developing software for these devices, then you have an environment that is ripe for the criminal element to take advantage of.

From one perspective I think Apple is doing something right: to be able to publish software for iOS, you need to pay a small fee and get a cryptographically secure identity (a code signing certificate). If you abuse the certificate by writing malware, the certificate will most likely be revoked, implying the loss of the fee and the identity. This raises the barrier for writing malware for iOS. It is not a high barrier, but it does imply that Android then becomes the easier target, whether it is more secure or not. I suspect that if Android becomes a difficult enough target, then we may see more focus on iOS. This will happen when the cost of developing malware for Android exceeds the cost of developing and publishing malware for iOS. While the criminals are making enough money from the Android environment with very little expense or risk, I predict that the amount of malware we see for Android will just keep on increasing.

What we can hope for in the next year is that the Android ecosystem becomes more conducive to security. We need the users, the authors of applications, the stores and Google itself to educate themselves, become more security-aware, and take steps to make it harder for malware to be introduced and distributed on the Android platform. It would be ideal if Android malware could be limited to small numbers or even, hopefully, eliminated totally, but this will require each of the relevant parties to take responsibility for its part of the Android environment. The last thing anybody wants is for Android to become as malware-infested as the Windows platform.