It's no secret that many in the security industry perceive Google Inc.'s Android mobile platform to be plagued by malware, but Android security team lead Adrian Ludwig has made it his mission to eradicate the disingenuous meme of the burgeoning Android malware apocalypse.
Yes, the number of [malware] variants is increasing, but actually, the level of risk is not massively increasingly as a result of those variants.
Marc Rogers, principal security researcher, Lookout
At the recent 2014 RSA Conference, Ludwig roundly refuted the notion that malware is a threat to users of Google Play, the Internet giant's Android app marketplace. He referenced Google's rapid response to the February 2013 "master key" issue that enabled malware to hide in certain apps, updating Google Play within 24 hours and releasing a patch to vendors by late March.
Since then, according to Google, the issue has posed virtually no threat to users. Despite plenty of headlines about the dangers of new mobile malware outbreaks, Ludwig said few are of any consequence, despite what may be a perception of fear and disdain, particularly for Android apps, within the security community.
"Are you wearing a bulletproof vest right now? You ought to be, if you are worried about this," Ludwig lamented. "The things that you would never consider protecting yourself from in the least bit in the physical world … have probabilities way higher than this."
Mobile malware: Volume doesn't equal threat
At first blush, data indicates a near epidemic of mobile malware. Mobile security vendor Lookout Inc. reported that a device in Russia had a 63% chance of encountering malware in 2013, and a device in China 28%. Yet for North American users, the encounter rate is a low 4%.
Yet in response to the perceived mobile malware threat, security vendors have pushed mobile antimalware software as a necessary protection. Much of the subtle persuasion comes in the form of exponentially increasing counts of malware and increasing encounter rates globally, but security experts say such numbers do not represent the true threat.
"It's important to point out that, yes, the number of [malware] variants is increasing, but actually, the level of risk is not massively increasingly as a result of those variants," said Marc Rogers, principal security researcher at San Francisco-based Lookout. He noted that just because a mobile device encountered malware, it doesn't mean the device was successfully infected.
Cisco Systems Inc. also downplayed the mobile malware threat in its 2014 Annual Security Report: While 99% of mobile malware targets Android, only 1.2% of all the Web malware encounters in its data set targeted mobile devices.
"It is still worth noting because mobile malware is clearly an emerging -- and logical -- area of exploration for malware developers," the vendor said in the report.
On one point, there's little disagreement: New mobile malware samples are being churned out at a breakneck pace. By the end of 2013, almost 1.4 million variants of malware had been detected, nearly triple the number at the start of the year, according to antimalware vendor Trend Micro Inc.
Yet the mobile malware explosion doesn't necessarily translate into exponentially increased risk. As measured by network traffic to known malicious servers, last year only 0.55% of Android devices showed behavior that indicated compromise, up slightly from 0.45% the previous year, according to network security firm Alcatel-Kindsight in its year-end report.
"It's easy to churn out malware samples in the hope of getting more people infected, but a victim is only going to download one of those Trojan apps," said Kevin McNamee, security architect and director of Kindsight Security Labs. "Because you automatically generate this stuff, it does not represent reality in terms of the threat level."
Vendors, devices limit mobile malware risk
The reason for the stark disparity between mobile malware encounters and infections is the variety of security layers incorporated into the mobile software ecosystem. While a user may encounter malware on a malicious website, through a link in an email message, or pushed through malvertising, the multiple levels of defenses deployed by the Android security team -- and, yes, by additional security software -- actually protects the device well.
Google's Bouncer tests apps for malicious functionality and, if it's found, flags them as suspicious and removes them from the Play store. Android Verify Apps checks applications when they are installed, and soon will check apps at runtime as well.
This layered security has made it unlikely, but not impossible, to be infected by malware outside the Google Play store. Experts agreed that mobile malware encounters typically result in an infection only if the user's device has already been rooted or set to allow the installation of applications from a non-Google store. Users must first agree to download and install an application and then disable the system setting that allows the installation of application from third-party stores.
Data also indicates users are unlikely to download malicious software from the Google Play store. Kindsight scanned more than 130,000 free apps in the last three months and found 2.3% were judged malicious by five or more antivirus engines on VirusTotal, but most were actually adware. Only 0.14% -- about one in every 700 apps -- were judged to be malware, Kindsight's McNamee said.
"You are probably a lot safer on Google Play, but you are not completely safe," McNamee said. "The malware authors are managing to get stuff through those channels."
Google's Ludwig claimed that 100% of downloads from the Google Play store are safe.
The ultimate issue boils down to a simple question: Can Google (or Apple) be trusted to vet applications and protect the device? Or will a third-party security firm be able to deliver better protection more consistently and quickly?
The success of Apple in keeping the general populace of sordid attackers off its platform suggests that the monolithic model may work. Without a doubt, a persistent adversary will be able to compromise a phone, but against the daily schemes of cybercriminals, an adaptive ecosystem may be strong enough.