Has Android Malware Tripled in Recent Months? Not So Fast

Did 14,900 new malicious programs appear in the second quarter, or just 40? It all depends whom you ask.

There never seems to be any shortage of Android malware reports circulating in the news, and today one came out that sounds alarming indeed.

"Android Under Attack: Malware Levels for Google's OS Rise Threefold in Q2 2012" was the title of the press release from antivirus vendor Kaspersky that announced it, and right on cue headlines are popping up across the tech media echoing that dire warning.

But is it really as bad as all that? Probably not. As pointed out by security-focused publication The H on Thursday, data from competing firm F-Secure paint a very different picture for the very same time period: rather than a tripling of Android malware in the second quarter, F-Secure found only a modest rise.

How to explain the difference? It's all a matter of methodology, according to The H, which calls F-Secure's approach "more sophisticated."

Bottom line? Don't start panicking just yet.

'Over 14,900 New Malicious Programs'

"The number of new malicious programs targeting the Android platform has almost trebled in the second quarter of the year," Kaspersky wrote in its announcement.

"Over the three months in question, over 14,900 new malicious programs targeting this platform were added to Kaspersky Lab's database," it added.

The complete version of Kaspersky's Q2 IT Threat Evolution report is available online.

Over at F-Secure, however, the findings are pretty different.

'A Much Better Measurement'

In a comparable report (PDF) also covering the second quarter, F-Secure reported finding only 40 new malicious Android application package files (APKs), amounting to a 64 percent increase over the previous quarter.

Nineteen of those 40 were new families, while 21 were variants of existing ones, F-Secure said.

The reason behind the disparity is that Kaspersky's data apparently represent what are called "unique samples"--which could easily be generated "by replacing an 'A' with an 'a' in the code," The H notes--while F-Secure bases its own numbers on malware families or variants.

While the unique sample approach is easy to implement, it's also "practically worthless," the publication asserts. F-Secure's approach, on the other hand, "provides a much better measurement of the real threat compared to the inflated unique samples values," it concludes.
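To make the methodological point concrete, here is an added example (not from the article, Kaspersky or F-Secure) that counts the same constructed set of five stand-in "APKs" three ways: by file hash, by normalised code, and by family. The sample data, the normalisation rules and the family key (package name plus permission set) are assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed stand-ins for five collected APKs (not real malware): the raw
# "code" bytes plus two pieces of metadata a family-level classifier keys on.
SAMPLES = [
    {"package": "com.example.fakebank", "perms": ("SEND_SMS", "READ_CONTACTS"),
     "code": b"class A { void send(); }"},
    # Same build with one letter changed: a new hash, nothing new for users.
    {"package": "com.example.fakebank", "perms": ("SEND_SMS", "READ_CONTACTS"),
     "code": b"class a { void send(); }"},
    # Same build with only a comment appended: again a new hash.
    {"package": "com.example.fakebank", "perms": ("SEND_SMS", "READ_CONTACTS"),
     "code": b"class A { void send(); } // rebuilt"},
    # Genuinely changed code, same package and permissions: a new variant.
    {"package": "com.example.fakebank", "perms": ("SEND_SMS", "READ_CONTACTS"),
     "code": b"class A { void send(); void hide(); }"},
    # Unrelated package and permission set: a new family.
    {"package": "com.example.recorder", "perms": ("RECORD_AUDIO",),
     "code": b"class B { void record(); }"},
]

def unique_sample_count(samples):
    """Count distinct file hashes: the 'unique samples' figure."""
    return len({hashlib.sha256(s["code"]).hexdigest() for s in samples})

def normalise(code):
    """Strip // comments, fold case and collapse whitespace so cosmetic edits vanish."""
    code = re.sub(rb"//[^\n]*", b"", code)
    return b" ".join(code.lower().split())

def variant_count(samples):
    """Count distinct normalised code bodies: cosmetic rebuilds collapse."""
    return len({normalise(s["code"]) for s in samples})

def family_count(samples):
    """Count distinct (package, sorted permission set) pairs: one per family."""
    return len({(s["package"], tuple(sorted(s["perms"]))) for s in samples})

def report(samples):
    """Return all three counts side by side for the same corpus."""
    return {"unique_samples": unique_sample_count(samples),
            "variants": variant_count(samples),
            "families": family_count(samples)}

if __name__ == "__main__":
    print(report(SAMPLES))  # {'unique_samples': 5, 'variants': 3, 'families': 2}
```

The same five files yield a count of 5, 3 or 2 depending purely on what is being counted, which is the whole gap between the two vendors' headlines.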

Worth a Closer Look

This is not to say that even F-Secure's mere 64 percent increase isn't worth worrying about, of course.

However, it's clearly worth considering the methods behind the numbers a little more carefully as well. It's all too easy to seize upon alarmist figures when writing reports and headlines, but those numbers don't mean much without a clear understanding of the data itself.
