You hear a lot of reports about malware and other undesirable third-party apps these days, especially from security researchers (and people who want to sell you something to make you feel safe). It's undeniable that malicious apps are a problem on an open system, but new data from Google indicates that the amount of actual harm being done might be negligible. QZ.com reports on a presentation from Google's Android Security Chief Adrian Ludwig at the Virus Conference in Berlin. He estimates that .001% of Android apps are able to get past Google's defenses.
That number includes both apps on the Google Play Store and 1.5 billion side-loaded or non-Play Store app installs, at least on devices that also include the Play Store and its Verify Apps feature. (So Amazon's Kindle tablets and other Android-based devices without Google services aren't part of the equation here.) Verify Apps catches about .5% of non-Google Play installs and gives users a warning that they might be harmful. Of that .5%, Google estimates that 40% are community-created "rooting tools" (potentially dangerous, but not really malicious), 40% are fraudulent apps that try to steal money from the user's bill by making premium calls or text messages, and 15% are spyware, with the remaining 6% being mostly malicious apps that don't fall into the previous categories.
Approximately .12% of users choose to ignore the warnings from Verify Apps and install anyway, and Google considers this an effective deterrent for malware. Compared to, say, the User Account Control functions in the latter versions of Windows, it's hard to argue with them. The graph below shows the ratio of side-loaded apps since Google started tracking late last year, with the apps that were flagged represented by the red bar.
Google has a vested interest in presenting Android as inherently safe, and these numbers don't mean that you should be any less careful with apps on or off of the Play Store. But it does indicate that at least some of the media fervor over the lack of security on Android might be somewhat overblown. Adrian Ludwig compared the current state of app security to a biological outbreak in which researchers and media don't have any hard data from the CDC to gauge a real threat. Now that the risk has been quantified, Google and the security community should be better-equipped to deal with the problem.
Source: QZ.com - Thanks, Nick!