Android malware appears to be more widespread than I had thought. I was alerted to that fact recently with a reference to a story in Biztech referring to research done by Dan Guido, Co-Founder and CEO of Trail of Bits. The firm is an independent information security company. (Guido's co-founders are Alex Sotirov and Dino Dai Zovi, both well-known and respected mobile security researchers.)
The stand-out number in the research has to do with the extent of malware-tainted Android devices: "Our research has determined that out of the 300 million Android devices out there, the presence of malware has been discovered on about a million of them. That's a significant number." A million? I'd call that significant.
Trail of Bits conducted the research from December 2011 to March 2012. The base number of devices has undoubtedly grown quite a bit since then. Has the number of malware-infected devices grown proportionately? Guido says that of course it has, and there's little reason to think otherwise.
First, about the attacks themselves. On Android, attacks are almost all privilege escalation attacks carried out by malicious apps that the user installed deliberately, having been lured by a web site or by an app in an app store. Trail of Bits followed 100 attack campaigns, 30 of which were on the Google Play store.
Privilege escalation, in the context of mobile technology, is better known as a "jailbreak." The program exploits a vulnerability in the operating system to raise its own privilege level, allowing it to escape the restrictions placed on less-privileged programs. Exploits are generally easier to write on Android than on Apple's iOS, for a variety of reasons described by Trail of Bits.
Very few specific vulnerabilities were used in the malware found by Trail of Bits, and all of them had available patches. This raises one of the major problems with vulnerability mitigation in Android as opposed to iOS or Windows: Google relies on carriers and OEMs to distribute operating system version upgrades. Google can't force these companies to distribute new versions even if those new versions carry significant security improvements.
In fact, the carriers and OEMs have a strong incentive not to upgrade phones they have already sold: withholding the upgrade gives buyers a reason to buy a new phone, because the new phones have all the improvements in the new operating system, even when the older devices are capable of running the newer versions.
Samsung has acknowledged a serious vulnerability in the Android kernel for the Exynos processors in many of its phones, including the Samsung Galaxy S3.
Users who want to upgrade their own phones can do so by rooting them (the Android term for jailbreaking) and installing a custom ROM from one of many sources, such as CyanogenMod. But not many users have the patience or the skills to do this.
Google introduced several important security advances in Android version 4.0 (Ice Cream Sandwich) but, according to Google, as of December 3, 2012, only 34.2 percent of Android devices are running version 4.0 or later. Version 4 was released to the public (and handset makers) October 19, 2011, so it's been around for a while.
Another important tool for mitigating vulnerabilities is Google Chrome, the alternative browser now available on Android. The standard Android browser is not as advanced or as secure as Chrome, and as of version 4.1 (Jelly Bean) Chrome is the default browser on Android.
These advances will make many classes of exploits much harder to execute, but not privilege escalation attacks. For now, the main way to stop those is to vet apps at the store or through reputation systems. Unfortunately, as Trail of Bits explains in depressing detail, the controls on app submissions to the Google Play store are as weak as Apple's are strong:
What about Windows? Microsoft's Windows Store sells apps for Windows 8, Windows RT and Windows Phone. All of this is still young, and market share is small enough that it's possible nobody has even tried to submit malicious code, but Microsoft has gone to some trouble to prevent it. The software giant has credibility here: over the last 10 years it has transformed the desktop and server versions of Windows from security jokes into industry leaders.
Microsoft provided me with these links for app security provisions:
Windows 8 implements all of the anti-malware techniques in Windows 7 and adds some new ones, most importantly (as I see it) a new generation of SmartScreen. SmartScreen is a reputation system. For some time it has been used by Internet Explorer to determine whether a web site is known to be safe, known to be unsafe, or has never been seen before. Windows 8 extends this reputation system to files generally.
Because of the enormous installed base of Windows and Internet Explorer, the reputation system has great credibility. Windows 8 also comes with a version of Windows Defender to act as an anti-malware solution if you don't have a third-party product installed.
Apple's rules and procedures for developer identity verification and vetting of programs ("We review all apps to ensure they are reliable, perform as expected, and are free of offensive material") are famously thorough and strict. Microsoft's developer ID requirements and procedures are also fairly thorough.
Google asks few questions and I see no evidence that they verify anything meaningful. In fact, by keeping fees the lowest in the business, minimizing identification requirements and making a joke out of code signing they have created the perfect low-cost/low-consequence environment for writing malicious code.
It's simply too early to tell whether malware and other malicious app behaviors will be a problem for Windows Phone, Windows RT or Windows 8 apps. But it's certainly not too early to reach a verdict on Android: Google has failed to implement sufficient controls, and malicious actors have rushed in to take advantage. The overall numbers may be low in that they represent only a small percentage of the installed base, but they're big in absolute terms. Be careful out there.