Attacks in Android’s side-view mirror are smaller than they appear

A growing number of reports and white papers over the past several months — most from security vendors — have announced, sometimes in breathless terms, that Google’s Android operating system is now the primary target of malware attacks on mobile devices. To which some respondents, such as one going by the alias “fotoflojoe,” post sarcastic comments like, “In other news, water is wet and the sky is blue.”

Nobody needs a study to know there are more attacks on Android, they say — any time an operating system or a program like Facebook becomes popular, the bad guys are going to try to exploit it. They contend the reports are little more than thinly disguised marketing hype by the security vendors to scare users into buying their products.

The only people vulnerable to Android malware, they say, are those stupid enough to download apps without checking them out first.

Chris DiBona, Google’s open-source programs manager, said as much recently — claiming on Google+ that mobile operating systems such as Android, iOS, and BlackBerry don’t need antivirus software.

“Virus companies are playing on your fears to try to sell you BS protection software for Android, RIM and, iOS,” he said. “They are charlatans and scammers. If you work for a company selling virus protection for (them), you should be ashamed of yourself.”

So where does the truth lie?

Both sides have a portion of it, according to some experts in mobile security.

It is true, they say, that Android has been growing explosively and is therefore an increasingly attractive target for malware developers. But, like the critics, they say that is obvious, old news by now.

McAfee reported last November that Android was up to 550,000 activations per day, and had passed 200 million activations. The company said Android is on track to be the world’s biggest OS, and that virtually all of the new malware detected in the third quarter was targeted at Android. CNET reported in December on a report from security vendor Fortinet that found a 90 percent jump in Android malware families from 2010 to 2011. Total Defense, a malware detection and anti-crimeware vendor, issued a report more recently that more than 25 times more Android malware was identified in 2011 than in 2010. Kaspersky reported this month that of 340 families and more than 9,000 types of malware for mobile devices, 75 percent of them are aimed at Android.

There is also broad agreement that it is not just Android’s popularity that makes it a target, but also its open environment, which allows bugs to be found faster but also makes it easier for malicious code writers.

The most significant problem cited is that even when Google issues fixes quickly, they may not reach users for months.

ComputerworldUK reported last October that Google had found a vulnerability in August 2010 and patched it almost immediately, but smartphone manufacturers failed to push the patch out to users. Seven months later, in March 2011, malicious programmers launched a Trojan horse called DroidDream, which exploited that flaw and led to infecting more than 250,000 unpatched Android smartphones.

So, the general consensus is that while Android malware is not yet close to the problem it is for computers, it is a legitimate and growing problem, worth the attention of major enterprises.

Gary McGraw, CTO of the security firm Cigital, admits there is a measure of hyperbole coming from vendors.

“But the convergence of computers and telephones is well under way,” he says, “and while smartphones are not a major target yet, they will be. “We have a very strong mobile security practice at Cigital. Demand is high from multinational banks, from providers like Verizon and from chip set manufacturers.

McGraw, speaking from Heidelberg, Germany, where he is giving a keynote address at the European security event Troopers, adds that on the face of it, Android is less secure than an iPhone. “But most people are jailbreaking their iPhones,” he says, “and there is no difference if you jailbreak it.” He describes the iPhone as a “walled garden,” that has more protection but “keeps you in your padded cell. Android says, ‘You have a smart phone, so you must act like a big boy.'”

Kevin McAleavey, chief architect of the KNOS project, agrees. “All sides have merit here,” he says. “Google hasn’t been as good a gatekeeper as Apple in protecting unsophisticated users from peril, but Android users who are savvy enough have access to some great applications that they’d never have access to from Apple.”

The best way for users to protect themselves, they say, is to take reasonable care. And their recommendations mirror a list PCWorld published a year ago, of five tips on keeping malware off your Android phone:

• 1. Always research the publisher of the app. What other apps does it offer? Do any of them look a bit shady? If so, stay away.
• 2. Read online reviews. Android Market reviews may not always be truthful.
• 3. Always check app permissions. Whenever you download or update an app, you get a list of permissions for it. An alarm clock app, for instance, shouldn’t need to look through your contacts.
• 4. Avoid directly installing Android Package files (APKs). Most of the time you won’t know what the file contains until you install it — and then it’s too late.
• 5. Put a malware and antivirus scanner on your phone. Although many people think antivirus scanners on phones are useless, several big-name security companies offer mobile-security options for free.

Or, as McGraw puts it, “Just don’t download random junk.”