Android Malware, believe the hype.

…or “Just how much Android malware is there anyway?”

Mobile malware can no longer be ignored!

The security industry has an embarrassing problem. For several years it became a matter of course for the big names in security to warn annually that ‘next year’ was to be the year of mobile malware. “Look out”, we said, “mobile malware, it’s coming…”; but it never did. It remained elusively over the threat horizon. In reality, every year since Cabir in 2004 we have seen appearances and developments in mobile malware (originally for Symbian, J2ME and Windows CE) but it simply never reached critical mass or moved beyond the mischievous.

Now that the problem is well and truly here (the last two years have both been called “the year of mobile malware” at several points) we have a problem persuading the world at large that we are not crying “Wolf!” yet again. There is a distinct scepticism paired with a strong belief that the security industry may be selling a solution to a problem that doesn’t exist, or if it does then it only exists in far off countries and little used app stores. So, in the interest of clarity, here are a few numbers that hopefully will go some way towards putting that scepticism to bed, once and for all.

Trend Micro’s Mobile App Reputation Services [PDF] proactively sources and analyses Android apps from around the world. We give them reputation scores in three discrete areas: Maliciousness, Resource Utilisation and Privacy. Here are the numbers, hot off the presses this 8th March 2013; bear in mind these numbers change every minute, upwards…

We have thus far analysed more than 2 million apps, a not inconsiderable sample size when you consider that the entire Google Play offering is around 700,000 apps, and here’s the brutal truth.

  • 293,091 Apps classified as outright malicious and a further 150,203 classified as high risk. It took Microsoft Windows 14 years to attract this volume of malicious code!
  • Of those 293,091 malicious apps, 68,740 were sourced directly from Google Play. It’s not just Chinese and Russian app stores.
  • 22% of apps were found to inappropriately leak user data, over the network, SMS or telephone. The leaked data most often includes IMEI, ICCID, Contact data and telephone number. A few apps were even found to leak data using the microphone and camera (along with several other kinds of private data).
  • In addition, 32% of apps were classified as “Poor” in terms of battery usage, 24% “Poor” for network usage and 28% for memory usage.

It’s no surprise that BlackBerry have opted to integrate our Mobile App Reputation Service in their BlackBerry World, stopping those malicious apps from ever reaching their customers. It would be heartening to see more app stores taking the safety of their customers so seriously.

7 thoughts on “Android Malware, believe the hype.”

  1. widya

    Hi Rik, if you are not talking about malware or malware families with this post, can you explain why you say “It took Microsoft Windows 14 years to attract this volume of malicious code!”?

    How long was the timeline over which Trend Micro’s Mobile App Reputation Services collected and analysed the apps?

  2. skeptic

    Someone has identified their target market. This seems to be a pretty clear case of conflict of interest. (It’s not as if you have an app… or 12 on the Play Store: https://play.google.com/store/apps/developer?id=Trend+Micro ). If there are no viruses then no one will either install or buy (“Premium (Paid) Features” after ” – 30 day free trial”) antivirus software. Why on Earth should we trust these stats? It’s not as if you are an independent review or consumer advocacy agency.

  3. Michael Heller

    Also, are we to believe that every single app in the Play Store was checked in this study? If not, how many of the 2 million apps checked were directly from the Play Store?

  4. Michael Heller

    A few questions on these findings:
    1) As far as the “Rooter” and “Spying Tool” categories of malware, do these only count apps that do not advertise that functionality, or do not disclose it in the permissions when installing the app?
    2) How long was the timeline of the study?
    3) Were “malware” apps checked to see if they were removed from the Play Store and how quickly they were removed?

    1. Rik Ferguson Post author

      Hi Michael,

      Thanks for the comment, this is not data from a “study” rather data which is collected and analysed by our Mobile App Reputation Service, one of the core technologies that make up Trend Micro’s Smart Protection Network. As such this is, and has been, an ongoing effort to analyse apps as they are released through any major channel. We collect and analyse apps, giving them a reputation for maliciousness, privacy and resource utilisation, that data is then made available through the Mobile App Reputation Service either to our own endpoint security products, or as a service to people running an app store who wish to vet the uploads proactively. We do not subsequently recheck with the app store in question whether a sample classified as malicious has been removed or not but if an app is updated we *do* also check subsequent updates in case a developer has either fixed or introduced a security or privacy issue. Finally, the total number of apps sourced specifically from Google Play exceeds the number of apps currently available there, whether we have checked every single app in the Play store *right now* I couldn’t categorically state, but that is certainly our ongoing aim and to date more than one million of these apps were sourced from Google Play directly.

  5. alex

    Please distinguish between malware samples and malware families. Do you count a Trojan 500 times depending on its packer or C&C configuration?!?

    1. Rik Ferguson Post author

      Hi Alex,

      No distinction necessary here, I am talking simply about the total number of apps we have analysed, and the amount that were subsequently classified either as malware or as high risk. I’m not talking about malware or malware families with this post.
