Verizon: there is no Android malware problem, except for adware

According to new figures from the US’s largest mobile carrier, the Android malware problem is "truly negligible" but adware could become one.

Looking at Android security by the number of potentially malicious apps out there, it wouldn’t be hard to conclude that Android has a malware problem. Kaspersky last year tallied 10 million malicious Android apps, meaning they outnumbered the one million apps available in Google Play by 10 to one.

By other measures though, such as actual infections on devices, the problem is so small that it barely rates a mention.

Verizon Enterprise’s latest report on data breach incidents in 2014 for the first time looked mobile malware, and more specifically actual rates of infection on smartphones using data from Verizon Wireless.

Verizon notes that mobile devices have never been a preferred avenue for hackers to breach the enterprise, which explains why it never looked at the threat posed by mobile malware.

Based on data Verizon Wireless supplied on “tens of millions” of smartphones, Verizon found that just 0.03 percent of devices were infected with “truly malicious” apps. In absolute terms, the very most infections in any week between July 2014 and January 2015 was 150. in other words, infections — while totally on Android devices — were “truly negligible”.

Verizon doesn’t explain what “truly malicious” means but it does exclude adware apps, which it classed as more of an annoyance since they typically force devices to display unwanted ads and collect more personal information from the device than necessary.

Google itself has several classifications for potentially harmful Android apps (PHA), including generic PHA, Phishing, Rooting Malicious, Ransomware, Rooting, SMS Fraud, Backdoor, Spyware, Trojan, Harmful Site, Windows Threat, NonAndroid Threat, WAP Fraud, Call Fraud.

While truly malicious apps may be minuscule, Verizon did find a potential problem with Android adware. In August last year, the number of smartphones on the carrier with adware peaked at over 60,000, but then dropped to well below 10,000 by January 2015. Overall it found hundreds of thousands of devices were affected by this class of pest. It doesn’t however offer a percentage.

Adware might not be a security threat per se but it is a security and privacy issue that doesn’t improve the Android experience and the bad news for Android is that it could get worse.

Verizon adds a few facts from FireEye’s analysis of 7 million apps, which found that between 2013 and 2014 the number of adware apps had grown from 300,000 to 410,000. And that’s a problem faced by Android users but not Apple’s iOS users, with 96 percent of all malware built for Android.

While Google has since launched Verify Apps — to do hygiene checks on installed apps rather at just at the point of install — it has had trouble keeping adware apps out of the Google Play, which is where it recommends users get apps to avoid PHAs. It does generally quickly remove them after third-party researchers report them.

The Verizon numbers provide an independent counterpoint to Google’s recent analysis of the state of Android security. Google found that PHAs of all classes — from very harmful ransomware to adware — were installed on less than 0.1 percent of devices that only get apps from Google Play in 2014. On the other hand 0.1 percent of one billion devices is one million.

The story for devices that allow installations from outside of Google Play wasn’t much worse, though there was a wide variance between different markets. For example, in English speaking markets 0.4 percent of devices had been installed with PHAs while in Russia the rate was between three to four percent. Meanwhile for China, where third-party stores are the norm, the rate was 0.8 percent.

This article is brought to you by Enex TestLab, content directors for CSO Australia.