Android Fails in Mobile Malware Research - InformationWeek

12/20/2012
10:33 AM
Larry Seltzer

Android Fails in Mobile Malware Research

There are many more malware-infected Android devices out there than you might think. It's all because the Android ecosystem and Google Play store are more friendly to malware and exploits than iOS and the Apple App Store or Windows 8, Windows Phone and the Windows Store. There's some reason, but not much, to think things will improve for Android in the near future.

What about Windows? Microsoft's Windows Store sells apps for Windows 8, Windows RT and Windows Phone. All of this is a bit young and market share is small enough that it's possible nobody has even tried to submit malicious code, but Microsoft has gone to some trouble to prevent it. The software giant has credibility in this, as over the last 10 years it has transformed desktop and server versions of Windows from security jokes to industry leaders.

Microsoft provided me with these links for app security provisions:

Windows 8 implements all of the techniques in Windows 7 to protect against malware and some new ones, most importantly (as I see it) a new generation of SmartScreen. SmartScreen is a reputation system. For some time it has been used by Internet Explorer to determine whether a web site is known to be safe, unsafe, or if it has never been seen before. Windows 8 extends this reputation system to files generally. See the screen capture below:

Because of the enormous installed base of Windows and Internet Explorer, the reputation system has great credibility. Windows 8 also comes with a version of Windows Defender to act as an anti-malware solution if you don't have a third-party product installed.

Apple's rules and procedures for developer identity verification and vetting of programs ("We review all apps to ensure they are reliable, perform as expected, and are free of offensive material") are famously thorough and strict. Microsoft's developer ID requirements and procedures are also fairly thorough.

Google asks few questions and I see no evidence that they verify anything meaningful. In fact, by keeping fees the lowest in the business, minimizing identification requirements and making a joke out of code signing they have created the perfect low-cost/low-consequence environment for writing malicious code.

Strong controls keep malware out of Apple's App Store and weak controls in Google Play invite it in. Trail of Bits found 30 malicious app campaigns on Google Play and none in the App Store. Source: Trail of Bits

It's simply too early to tell whether malware and other malicious app behaviors will be a problem for Windows Phone, Windows RT or Windows 8 apps. But it's certainly not too early to reach a verdict on Android: Google has failed to implement sufficient controls and malactors have rushed in to take advantage. The overall numbers may be low as they represent only a small percentage of installed base, but they're big in absolute terms. Be careful out there.
