As Android's market share continues to grow, it is inevitable that it will become a target for viruses and other malware. Indeed Steve Chang, the chairman of Trend Micro, a provider of security software, cautioned that Android is far more susceptible to malware attacks than iOS.

In an interview with Bloomberg, Chang claimed that Android's open source infrastructure allowed hackers to better understand the underlying architecture and source code. In contrast, Chang gave Apple credit because he believed that they were very careful about malware and that it was "impossible for certain types of viruses to operate on the iPhone." He explained that Apple uses a "sandbox concept" which isolates the platform, preventing viruses from replicating themselves or decomposing and recomposing to avoid virus scanners.

Nevertheless, Chang accepted that iOS is not completely immune to security threats as the user is still vulnerable to social engineering attacks, whereby he or she is tricked into installing an infected app or visiting a malware ridden website.

It seems unlikely that merely having an open environment enables hackers to create more destructive malware. In fact, security by obscurity, which is a security principle that uses secrecy of certain components to achieve security (not to be confused with security through minority), is often criticized by security experts for providing false sense of confidence. The fact that iOS is not open-source and Android is may create an initial bump for iOS hackers, but in the end, a closed system is just as vulnerable as an open one, if not more. An open system like Android benefits from thousands of eyes of security experts all over the world that may examine the source and alert Google of potential vulnerabilities, thus making it more secure overall. No such crowd-sourcing effort is possible with a closed-source project, such as iOS.

It may be Google's lack of a formal app approval process that allows viruses masquerading as legitimate apps to pepper the Android Market, misleading the unsuspecting user into installing them. For example, one of the early viruses on the Android OS appeared to be a media player app that, unbeknownst to the user, would start sending premium-rate messages from the user's phone, leaving the creator of the virus with a healthy revenue stream generated by those messages.

Google acknowledges that Android users must necessarily entrust some of their information to the developer of the application they are using; however, Android ensures that the user can view permissions granted to a particular app and make a relatively informed decision about installing it. On the other hand, Apple's rigid, often draconian app approval policies do have the benefit of filtering out most potential malware.

It is unsurprising Chang has warned users of smartphones to be wary of malware, since Trend Micro offers antivirus suites for both Android and iOS.

image image

Credit: Bloomberg

Abhiroop Basu
Abhiroop Basu is an opinionated tech and digital media blogger. As a doe-eyed twenty-something he started his first blog TechComet to comment on anything tech-related that caught his omniscient eye. Since then he has blogged for Android Police, Make Tech Easier, and This Green Machine. In the real world, Abhiroop Basu is a resident of Singapore and the Editor of The Digit, a subsidiary of The Potato Productions Group.

  • Elvis

    This title is misleading, it makes android sound lime it has more security flaws, when really its the fact that anyone can go look @ what its made of (so they can make it better) that makes it vulnerable... it also means its easier to find a workaround or fix...

    • http://www.AndroidPolice.com Artem Russakovskii

      The essence of title is essentially the same as what Bloomberg has.

      I agree that it's easier to fix bugs in an open source system, but the ridiculously delayed schedule of patches to multiple, some unsupported, versions of the OS makes it close to impossible to actually patch those holes in a timely manner, and that is, IMO, a big problem with Android from the security standpoint.

      If a serious vulnerability is found tomorrow, one easily exploitable, think how long it would take to patch all the phones out there, and how impossible that would be.

  • http://www.christiantechsaz.com/ Aaron

    I don't know that I can entirely agree with this...

    1. While OSX and iOS are based on BSD, being more secure out of the box than most Linux distros, not having an open framework with many devs to help patch and fix holes, simply does not make for a more secure OS. Microsoft has had the same model for years, and they have been awful security wise forever. The only thing MS took from BSD was the network stack. They would've been better off taking everything and modifying it for their needs.

    2. This is coming from someone really trying to push a product to make money. Sometimes creating mass hysteria about something can give people a "push" into purchasing something that really isn't needed that much. If people are being honest and not pirating software, and using reputable software Markets, such as Google's or Slideme.org's for instance, users will have little to worry about.

    3. As a user of Linux for many years, I understand the complexity introduced with JVM's (Java isn't the most secure method of implementation, maybe could've gone with qemu, etc); however, at the core, it is still Linux (the kernel) and that is very secure and is open and constantly being updated (Thanks Linus!). I think that 20,000 devs vs Apple's couple thousand or less devs, can do a better job with security. Apple isn't exactly notorious for being the most secure, constantly leaving holes, such as the recent easy access to the dialer via a simple button press on the lock screen. o.O

    Point is, Android is still in it's infancy/toddler state and is moving forward rapidly. It will soon have these holes patched as it moves forward and will continue to blast iOS and anything Apple and MS. It was nice knowing you Apple and MS. ;)

  • raje

    It is easy to find any bug/security flaw on the open source software very quick, at the same time it is easy to fix. Anti-virus software companies don't earn much money from open source software when compare to proprietary software.

    • http://www.christiantechsaz.com/ Aaron

      Agreed, look at MS...Enough said.

    • http://www.AndroidPolice.com Artem Russakovskii

      How about roll out that fix to customers? Playing devil's advocate here, but in the case of Android, it would take months, if not never for some phones.

      • http://www.christiantechsaz.com/ Aaron

        That is something Google needs to address, while not every user is willing to root like me to have the latest and greatest or switch to ROM's such as Cyanogenmod with regular updates. They need to possibly implement a local update manager on the phone that can download and install patches from Google's repos.

        • http://www.AndroidPolice.com Artem Russakovskii

          Sure, but until they do something about it, I can see where Trend Micro is coming from. It's a lot easier for Apple to patch a bug than for Google.

  • Phil

    Please explain sandbox...

    Android Security Architecture

    A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc.

    Because the kernel sandboxes applications from each other, applications must explicitly share resources and data. They do this by declaring the permissions they need for additional capabilities not provided by the basic sandbox. Applications statically declare the permissions they require, and the Android system prompts the user for consent at the time the application is installed. Android has no mechanism for granting permissions dynamically (at run-time) because it complicates the user experience to the detriment of security.

    The kernel is solely responsible for sandboxing applications from each other. In particular the Dalvik VM is not a security boundary, and any app can run native code (see the Android NDK). All types of applications — Java, native, and hybrid — are sandboxed in the same way and have the same degree of security from each other.

  • Bjarne

    How do Apples manuel app approval proces help protect against viruses - as far as I know they check that the app looks good, contains no nudity and don't competes with Apples own apps.

    • http://abhiroopbasu.com Abhiroop Basu

      I assume that they would at least perform a cursory check that there are is no malware. The fact that there is an app approval process suggests that someone actually takes a look at the app before it is released into the app store. One extra step, however minor, is still more than what Google performs.

      I am not saying whether that Google needs to start scrutinising every singly app, but it is likely that having a walled garden makes the app store inherently more secure.

  • http://www.toysdiva.com PixelSlave

    It's not directly related, but does anyone know that there were about 50,000 iTunes account being auctioned off in China for about 15 cents per account?

    I read the news from Yahoo HK a couple days ago:


    It seems that no major US media picked up the news.

  • Elvis

    I think we should all go make lots of viruses for iOS to shove it in their face hahaha

  • AJ

    Seems like the author just put up an attention grabbing headline then pointed out it isn't exactly true. Two different security models both are at risk. I could go write the same article and but title "IOS is less secure."

    • http://abhiroopbasu.com Abhiroop Basu

      The title (as Artem has pointed out above) is essentially what Trend has said with respect to Android/iOS security vulnerabilities.

      We have also provided our analysis on the matter.

  • carbon

    Dear Mr Chang, Trend sucks.

  • Shane

    trend micro let plenty of viruses in our clients network which is why we got a full refund for the licenses and switched to nod32. enough said.

  • http://web.me.com/mart_hill Martin Hill

    Android is far more insecure than iOS by design, though not necessarily because of its open source nature and is already suffering the fallout despite having half the installed base worldwide.

    The proof is in the pudding. It is Android and the Android Marketplace that has suffered multiple malware outbreaks such as:

    - More than 50 Android mobile banking apps in the Android Marketplace each targeted at a specific financial institution whose true purpose was phishing and identity theft.
    - A wallpaper app that was downloaded 4 million times which maliciously forwarded user details to a location in China before being discovered.
    - the Geinimi botnet app that is infecting numerous Android apps on Chinese app stores and spreading around the world.
    - Trojan-SMS.AndroidOS.FakePlayer.a, the Russian "Movie player" app that surreptitiously sent premium SMS texts from unsuspecting users
    - Brand new HTC Magic phones infected with the Mariposa botnet and Conficker and a Lineage password-stealing Trojan that attempt to infect Windows PCs when connected over USB.
    - Mobile Spy and Mobile Stealth
    - SMS Message Spy Pro and SMS Message Spy Lite spyware apps
    - The 45,000 spamware apps clogging up the Android Marketplace (as noted by Appbrain)

    In contrast, despite hosting over a third of a million apps and 7 billion downloads, there have been Zero pieces of malware come through the iOS App Store. A 100% safety record. Not bad, and good reassurance for a public tired of virus-riddled PCs.

    Then of course there is the side-loading of apps with absolutely any nasty thing being possible in Android and no review of apps at all in the Marketplace and we are talking a completely different level of insecurity and exposure.

    iOS requires signed code and enforces strict sand-boxing and provides hardware encryption all of which Android lacks. Instead Android throws up a Vista-like screen of permissions for each app which the average user is not necessarily going to read or understand.
    All developers on the iOS store have far more stringent monetary and ID checks to post apps so the chances of mischief are so much less as to be negligible in comparison.

    ps. Of course if you jail-break your iPhone, all bets are off.


    • ari-free

      The problem is that Apple gives people a major incentive to jailbreak their iphone in order to have all kinds of interesting and cool apps.