Juniper Networks is reporting a shocking 472 percent increase in the incidence of Android malware since July of this year. What's going on, and is Android becoming a malware writer's dream?
Juniper Networks is raising eyebrows in the mobile industry this morning with a new report claiming the incidence of malware targeting Android devices has risen by 472 percent since July of this year. Presumably, that number is augmented by “hundreds” of malware samples the company uncovered in a series of third-party Russian app stores. Juniper describes the Russian malware cache as just the “tip of the iceberg,” believing there may be thousands of more malware apps waiting to be discovered.
Although many security firms still characterize the threat of mobile malware as relatively low, it’s important to know that those firms are generally comparing the number of threats faced by Android and other mobile operating systems to the those faced by Windows — which is the absolute king of malware, assaulted by hundreds and even thousands of new trojans, worms, exploits, and variants every day. Saying a platform faces a low threat compared to Windows isn’t saying much at all.
But Juniper’s figures highlight the growing threat of mobile malware, particularly on Android. How do Juniper’s numbers hold up, what’s to blame for rising Android malware, and how can Android users protect themselves and their devices?
Juniper Networks Android Malware infographic Nov 2011
According to Juniper Network, the amount of malware targeting Android has jumped by 472 percent since July, punctuated by very sharp increases in October and November. Juniper says they were seeing steady increases in the amount of Android malware they intercepted in July and August, which saw incidence rates increase by 10 and 18 percent, respectively. However, in September Juniper intercepted more than double the amount of Android malware it had in July (up 110 percent) and that figure jumped to either 111 or 171 percent from October 1 through November 10. (See Juniper’s infographic for more detail—the infographic claims a 111 percent increase most recently, But Juniper’s text says 171 percent.)
The figures echo similarly alarming percentages from other security vendors. This summer, Trend Micro claimed the incidence of Android malware had increased 1,410 percent from January to July 2011. It published an infographic, too.
Curiously, Juniper provides no hard figures to accompany its percentages, so it’s difficult to know what those percentages mean in absolute terms. It would be nice to compare the number of malware apps out there (and their interception rates) to the number of available Android apps or the number of apps distributed over the same period of time. After all, if a small town of 5,000 people had one serious traffic accident in 2010 and then two serious traffic accidents in 2011, the rate would be up by an alarming 100 percent! However, number of accidents in proportion to the number of drivers — let alone the number of hours driven in the town during the year — would still be very, very low. Juniper Networks does describe the cache of Russian malware it found as “hundreds” of apps, but it’s not clear if those are included in the firm’s 472 percent increase, and offers no other hard figures.
Symantec and Kaspersky similarly offer percentages for recent increases in Android malware, but seem to withhold hard figures — or, at least, I haven’t been able to find them. McAfee is slightly more helpful: In August it reported a 76 percent increase in malware targeting Android during the second quarter of 2011, and gave a specific number of threats it had identified: 44. Just this week, McAfee described the total number of malicious apps in the wild as “approximately 200“—and that’s across all platforms, including Symbian, Java ME, Windows Mobile, iOS, and others.
The number of apps available on the Android Market stands at about 350,000. Although the total number of threat apps is never truly known — even to security researchers — the alarmingly large percentage figures from Juniper and McAfee do seem to suffer from a bit of the small-town problem. Despite some high-profile malware removals from the Android Market (like DroidDream trojans earlier this year), in absolute terms, Android malware still a very small portion of the broader Android software ecosystem.
Types of Android malware
There does seem to be basic agreement on the types of Android malware out there. The bulk acts as spyware and tries to steal personal data, including contacts, location, personally identifying information email, messages, and data stashed in log files and other areas of the device. Spyware can also potentially control an Android device, meaning it could place calls, send messages, restart apps, disable locks, control vibrate alerts, and (of course) access the Internet to send collected data to the malware authors — or download and install new malware packages.
Spyware represents a bit of a longer-term game for malware authors: They’re hoping they’ll get usable (and sellable) information by keeping an eye on users’ phones, and they’ll make their money selling collected email addresses (and potentially financial information) to spammers and cybercriminals.
One form of Android malware that has immediate payoff for malware authors is are SMS Trojans: apps that appear to do something fun or useful, but in the background send SMS messages to premium rate numbers — the same way many voting competitions, music and ringtone services, and other businesses collect money via text messages. Once those messages are sent, the malware authors have their money, and consumers don’t have much (or any) recourse. The bulk of Android malware apps Juniper says it found in Russian third-party Android markets are SMS Trojans.
So even if malware isn’t quite overrunning the ecosystem yet, where is all this malware coming from? Security firms seem to pretty squarely place the bulk of Android malware at the feet of cybercriminals who used to target Java ME and Symbian phones. As those platforms have declined, they’ve moved along to Android, which enables them to leverage some of their working knowledge of Java and is also, conveniently, now the world’s hottest-selling smartphone platform.
In terms of distribution, security firms all agree that third-party Android app stores run a higher risk of malware than trusted sources. A number of Android exploits have been distributed via third-party app stores in Russia and China — heck, one Chinese example of Android malware uses a public blog as its command-and-control center. The appeal of these app stores in their respective markets is obvious: They use local languages, and their selection of apps and new items is going to be much more in tune with local culture than the broader Android Market. Nonetheless, most of those app stores are completely unregulated and unmonitored: Almost anyone can upload anything, safe or not.
That doesn’t let Google’s Android Market off the hook. Although McAfee recommends Android Market specifically as a trusted source for safe Android apps, other security outfits aren’t so kind. Juniper in particular rips into Google’s management of the Android Market:
“These days, it seems all you need [to upload malware to Android Market] is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications,” Juniper wrote in its blog. “With no upfront review process, no one checking to see that your application does what it says, just the world’s largest majority of smartphone users skimming past your application’s description page with whatever description of the application the developer chooses to include.”
Google famously does not review submissions to the Android Market, or require code-signing by a trust authority, although developers must at least code-sign with self-signed certificates. Although Google will remove malicious apps once they’re discovered, realistically that can’t happen until the apps have victimized users.
Android users can take some basic steps to keep their devices and their data safe. Good tips include:
Disable the “unknown sources” option for installing apps in the Android device’s Applications Settings menu. This will help prevent users from inadvertently installing software when, say, accidentally following a malware link in an SMS message, spam, or social networking site. It will also keep the device out of most third-party Android app stores, which seem to be a prime distribution vector for Android malware. However, this may not be an option if users need to sideload custom Android apps for, say, business or work purposes.
Research apps before downloading or buying them. Try to stick with apps that have broad third-party recommendations and come from reputable publishers. Check both an app’s and publisher’s ratings.
Carefully check app’s permissions. When you install an app, Android will present a list of hardware and software components that the app wants to access, including things like location data, a device’s camera, the Internet, storage, system tools, MMS/SMS, and making phone calls. If the requested permissions don’t seem reasonable, don’t allow the app to install. For instance, a game probably doesn’t have any need to access your contacts, and a photo organizer doesn’t need to send SMS messages.
Makers of security and antivirus software will, of course, recommend users download, install (and, hopefully, purchase) antivirus software for Android. However, the jury seems to be out on how useful security and antivirus apps are for Android — at least at the moment. A new study from AV-Test (PDF) finds that almost all free Android malware apps don’t offer significant protection against existing Android malware. Paid Android security packages from F-Secure and Kaspersky fared better, but only managed to detect about half the installed threats tested by AV-Test, although they did very well with blocking malware installation.
The most important thing is probably to be aware that there is malware for Android, and let common sense be your guide. If an app seems to good to be true, it might just be carrying a hidden payload that’s after your money and personal information.