03 Oct

You hear a lot of reports about malware and other undesirable third-party apps these days, especially from security researchers (and people who want to sell you something to make you feel safe). It's undeniable that malicious apps are a problem on an open system, but new data from Google indicates that the amount of actual harm being done might be negligible. QZ.com reports on a presentation from Google's Android Security Chief Adrian Ludwig at the Virus Conference in Berlin. He estimates that .001% of Android apps are able to get past Google's defenses.


That number includes both apps on the Google Play Store and 1.5 billion side-loaded or non-Play Store app installs, at least on devices that also include the Play Store and its Verify Apps feature. (So Amazon's Kindle tablets and other Android-based devices without Google services aren't part of the equation here.) Verify Apps catches about .5% of non-Google Play installs and gives users a warning that they might be harmful. Of that .5%, Google estimates that 40% are community-created "rooting tools" (potentially dangerous, but not really malicious), 40% are fraudulent apps that try to steal money from the user's bill by making premium calls or text messages, and 15% are spyware, with the remaining 6% being mostly malicious apps that don't fall into the previous categories.

Approximately .12% of users choose to ignore the warnings from Verify Apps and install anyway, and Google considers this an effective deterrent for malware. Compared to, say, the User Account Control functions in the later versions of Windows, it's hard to argue with them. The graph below shows the ratio of side-loaded apps since Google started tracking late last year, with the apps that were flagged represented by the red bar.

[Image: app installs histogram]

Google has a vested interest in presenting Android as inherently safe, and these numbers don't mean that you should be any less careful with apps on or off of the Play Store. But they do indicate that at least some of the media fervor over the lack of security on Android might be somewhat overblown. Adrian Ludwig compared the current state of app security to a biological outbreak in which researchers and media don't have any hard data from the CDC to gauge a real threat. Now that the risk has been quantified, Google and the security community should be better equipped to deal with the problem.

Source: QZ.com - Thanks, Nick!

Jeremiah Rice
  • rakie

    Let me get this straight, if it was only from the play store, that is 1 million harmful apps out of 1 billion apps there.

    If it is from both play store and outside play store, that is 2.5 million harmful apps out of a total of 2.5 billion apps.

    Either way, I believe google should implement a more smart/strict way of allowing apps into its store. Not like apple but a little more secure play store is an advantage.

    The numerous fake BBM apps were noticed by so many people and gave customers a very bad impression about the security of this OS.

    • moelsen8

      bad math. .001% of 1 billion = 10,000. .001% of 2.5 billion = 25,000. that's pretty low.

      • rakie

        my bad. Did not see that %

        and you are right guys. It is 1 million apps not 1 billion

        I think that would equal 10 to 25 apps which is very very low

        Sorry :)

        • http://GPlus.to/Abhisshack Abhisshack

          Glad that you accept your mistake :)

    • daveloft

      That's 2.5 billion installs, not apps. Google Play has 1 million apps, not 1 billion. If it is 2.5 million apps and that seems like a stretch, 0.001% of that's 25. Of the 1 million apps in Google Play it's just 10 apps.

    • Leif Egil Reve

      That would be true if it was 1%, but since it's 0.001%, we're actually down to 15000 and 25000 apps......

    • impulse101

      you failed at math class.

  • #D

    Good. Now Apple users better shut up about Android having viruses.

  • NathanDrago

    I still have to meet a living being that's had any problems at all with malicious apps on his Android phone. I'm totally with Google's figures.

    • Brian

      Of course anyone with even half a brain knows that. It's a shame the sensationalist tech media embarrass themselves so badly by reporting the crud that suggests otherwise.

      That's why you should tip them this news item, make them put their brain in gear before they post the next OMG Android is Malware ridden chaff.

    • JR

      40+40+15+6=101%. Whose figures are those?

      • shadowx360

        Rounding errors....

      • squiddy20

        "Estimates" inherently means "not exact"...

    • Ryan Stewart

      The only thing I have seen was a couple of people run into apps with airpush. While not actually malicious, it can be really, really annoying.

      But it's still really, really easy to prevent. Just look at an app's permissions and rating. If it's not popular and/or is asking for something it doesn't need then don't install it.

    • Mahmoud Nabeel

      Actually, unless I have an AdFree app on a rooted phone to update my hosts file, I'll have every now and then a lot of annoying ads in the notification bar having stars icons, where it always takes me to websites that might load any malware in the background once you opened the link!

    • Zaatour36

      well, I have an idiot friend who installed "BBM for Android" when it's supposed to launch, and it was an adware.

      and yes from the play store, as many of them are!

      • NathanDrago

        Luckily for him, it's sufficient to push the "uninstall" button ;-)

        • Zaatour36

          well yeah, but still had to run Avast, and uninstalled a bunch of crapware as well as shortcuts and bookmarks.

          man, they should tighten security on the Play Store!

  • mathewmakio

    I think Artem would disagree with this report :D He finds some every week, I'm assuming, easily enough

    • Motto

      Artem is also looking for trouble. Most users don't actively search for bad stuff. This also shows that the biggest scammers and bad apps in the play store are Antivirus apps that don't do squat.

    • Thomas’

      He finds *adware* - technically these do not count as malware, but rather just as an annoyance.

  • Thomas’

    Unrelated to this topic: did the Play Store downloads really grow this fast in May? o_O

    • Ionut Costica

      Those are the installs from outside the Play Store... Still a weird trend, wonder what happened there...

      • http://www.bordersweather.co.uk/ Andy J

        "Verify Apps" was pushed all the way down to devices running Android 2.2 as part of the Play Services updates. Previously it had only been available to Jellybean.

  • MarkG

    Blimey, a mature and fact filled article, versus the snakeoil crud that security vendors peddle.

    I urge anyone that cares to send this to your favourite tech blog/news site as a news tip, as they won't naturally cover it, as it goes against the grain.

    I have sent it to 3 top sites, let's see if they pick it up...

  • Adrian Meredith

    Poor headline, there's a huge fundamental difference between

    "0.001% of apps evade defense and harm users"

    and

    "0.001% of apps ATTEMPT to evade defense and harm users"

    the actual figure is much less than that

  • Pierre Gardin

    Did anybody else notice the strange surge in installs in May 2013 (second slide)?

  • youhrt

    This does not mean anything if the path of attack is NOT through a malicious app, but uses a security hole

  • Scott Hendry

    I see the point of the diagram but it kinda comes across as "<.0000001% actually reach out and grab your face".

  • PhoenixPath

    Of course it's overblown...

    One of the first big media slams of Android malware claimed a ridiculous 400% increase in infections!

    *gasp* (The horror!)

    Of course, that's the only number they gave. Total installs, ratio of the number affected to the number used, growth of the pool, etc...nothing useful was given.

    One infection a month among millions to four a month is a 400% increase....but it still means nothing a statistical error can't account for.

  • Cherokee4Life

    I guess I am not in the "most" category lol

  • ratnok

    "It's undeniable that malicious apps are a problem on an open system"

    It's also undeniable that malicious apps are NOT a problem on Android.

    Thanks for the inflammatory icon by the way.

  • brkshr

    Installs outside of Google Play looks like it jumped up after they banned Ad Blockers
