Android should be proud of its dominate market share, which climbed up to 33% after only four years in the business. With that much success, it’s no surprise that the popular operating system has become the number one target of malware, according to a report from McAfee senior architect Igor Muttik.
Where does this malware come from? Your friendly neighborhood Android Market. In the mobile days of yore, malware was passed from device to device via devices like Bluetooth, which required people to accept transmissions from each other. Now, it’s all about the apps.
While developers love Android Market’s open policy, Apple’s more closed, controlled App Store is much better in terms of keeping your information safe. In fact, according to the report, nobody with an un-jailbroken iPhone has reported an instance of malware.
What makes the Android Market so susceptible? First, people have become desensitized to the long, often complicated permission requests that pop up whenever you’re about to download an app. People want to play their Angry Birds right now, damn it, not read about what private stores of information the program wants to access!
To be fair, this isn’t really the fault of the user; nearly 31% of apps have “greedy” requests that ask for more permissions than they need, usually due to oversights on the developer’s part. If every app you download comes with a long list of invasive permissions, it won’t be long until you regard almost every permission as commonplace and thus not really a threat.
Not to mention the onus really shouldn’t be on the smartphone owner. A vast majority of the people who run the most popular OS in the world aren’t security experts, while, assumedly, many of the people working on Android are.
The fact that hardware manufacturers modify Android for their own handsets doesn’t help Android’s cause, making fixes especially cumbersome and slow. The end result is that 63% of new malware discovered in the last quarter was on Android phones. The only reason it doesn’t dominate the malware category outright (it has 32% to Symbian’s 47%) is that it just hasn’t been around long enough.
So, say you have an Android phone and you’re browsing through the market. You see a popular app and tell yourself “Hey, if that many people have rated it, it must be safe!” Not for long:
Application stores are likely to be manipulated in a manner similar to search-engine abuse, which pushes URLs to the top positions in Internet searches … The same methods could be used both for legitimate software and for malware, which will make it almost impossible to identify attacks on application ranking performed by malware creators.
Okay, so if people are more or less “Google bombing” their malicious apps to the front of the line, at least you know that if you buy a useful app, it won’t be infected? Right? I mean, who would be audacious enough to charge people for an infected app? The people who create malware, that’s who.
We also expect malware functionality (like data-leakage payloads, which steal users’ data) to be embedded into otherwise useful applications. Some of these applications may even be paid for. This would allow malware creators to profit twice—once from charges for the app and once from the stolen data.
Ouch. Unfortunately, there’s not much security software can do if you explicitly give an app access to your phone. The lesson? Buy an iPhone. Or at least pay attention to which apps you’re downloading.