Computerworld

Android-based malware: the good, the bad and the ugly

The good news on Android is there is very little Android malware that targets actual vulnerabilities in the operating system

When it comes to mobile devices, it's well known that malware writers like to target Android. But a threat report published by security firm F-Secure puts in perspective why Android malware attacks often flop and why Android itself is no pushover.

In its look back at 2013, the twice-yearly report notes that there is "hugely disproportionate attention being directed at the Android platform": by the end of last year, 97 per cent of new malware threats across all mobile operating systems targeted Android. However, F-Secure says Google is fighting back with security enhancements to Android. "Each new version released by the tech giant has included a number of security-related changes that help mitigate the effects of malware."

F-Secure points out that in Android 4.3 (Jelly Bean), "a prompt was introduced to verify activity when the Messaging app sends a large amount of text messages in a short time," as a way to combat SMS fraud, the dominant money-making scheme of Android malware. There have been other improvements, but the overall situation with Android today is that the security level is extremely "variable" because of the "fragmented nature of the Android ecosystem between different device vendors": a platform fix only protects users whose vendor actually ships the new version.


This variation in vendor implementation "makes it basically impossible to ensure a uniform security level across all users," according to F-Secure. This means Android device users have to make their own decisions about device security, deciding what kind of security software to use or what apps to run.

According to F-Secure, the good news on Android is that, unlike desktop-targeted malware, very little Android malware targets actual vulnerabilities in the operating system. The most notable Android flaw found early last year was the so-called "Master Key" vulnerability, a flaw in APK signature verification that let an attacker modify a signed app without invalidating its signature, and a handful of programs later found on third-party app sites included an exploit for it.

But there have been very few apps exploiting the Android operating system because so far the Android platform has had relatively few publicly disclosed vulnerabilities. According to F-Secure, only seven vulnerabilities related to Android were publicly announced in 2013, while the Apple iOS platform saw 90 in the same period. Those are counts of published vulnerabilities, which reflect disclosure practices and researcher attention as much as the real attack surface, and a single flaw such as Master Key can affect the bulk of the installed base until vendors ship the fix.

F-Secure suggests that most malware authors at this point seem more inclined to simply trick the user into granting them access to the device rather than find and develop complicated exploitation methods based on vulnerabilities. The Metasploit penetration-testing tool, for example, lists few exploits for the Android platform that an attacker might use. Still, F-Secure points out, someone willing to go to the trouble can buy attack code written by others from sites such as Inj3ct0r.

The top three Android malware "families" are considered to be SMSSend, GinMaster and Fakeinst. The most common type is the trojanized app: a clean, legitimate program, especially a popular gaming or casino app, repackaged with malicious code injected into it and then redistributed through various app stores. According to F-Secure, these malicious apps often carry "a new name reminiscent of the clean app." Typically tied into botnets, they essentially represent a new twist on social engineering since they "take advantage of the user's overriding desire to install and use a popular app to gain the permissions needed to execute their malicious behavior." Most of the mobile threats seen in 2013 were financially motivated.
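The repackaging pattern described above leaves three observable traces that a market scanner can check for: a name that resembles a known clean app, a signing certificate that differs from the genuine developer's, and permissions (typically SMS-related) that the genuine app never requested. The script below is an added example, not code from the article or from F-Secure; it assumes the app metadata (package name, label, signer certificate SHA-256, permission list) has already been extracted from each APK by a tool such as apksigner or an AndroidManifest parser, and every package name, fingerprint and permission set in it is constructed for illustration.

```python
"""Heuristic check for trojanized (repackaged) Android apps.

Added example, not from the article or the F-Secure report. Compares apps
pulled from a third-party market against the known-good Play Store version
of the same app using the three signals described in the text: lookalike
name, different signing certificate, and added (SMS-fraud) permissions.
All identifiers and fingerprints below are constructed.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Tuple

@dataclass(frozen=True)
class AppInfo:
    """Metadata a scanner would extract from an APK's manifest and signing block."""
    package: str            # AndroidManifest package name
    label: str              # user-visible application name
    signer_sha256: str      # hex SHA-256 of the signing certificate (assumed already extracted)
    permissions: frozenset  # <uses-permission> entries

# Permissions the SMS-fraud families need and a clean game would not request (constructed list).
SMS_FRAUD_PERMISSIONS = frozenset({
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
})

def name_similarity(a: str, b: str) -> float:
    """Case-insensitive similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def assess(candidate: AppInfo, reference: AppInfo, name_threshold: float = 0.8) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means no trojanization signal."""
    findings: List[Tuple[str, str]] = []
    same_package = candidate.package == reference.package
    lookalike = (not same_package
                 and name_similarity(candidate.label, reference.label) >= name_threshold)
    if not (same_package or lookalike):
        return findings  # unrelated app; there is nothing to compare against
    if candidate.signer_sha256 != reference.signer_sha256:
        findings.append(("SIGNER_MISMATCH",
                         f"{candidate.package} signed by {candidate.signer_sha256[:16]}..., "
                         f"genuine app signed by {reference.signer_sha256[:16]}..."))
    if lookalike:
        findings.append(("LOOKALIKE_NAME",
                         f"label '{candidate.label}' resembles '{reference.label}' "
                         f"but package is {candidate.package}, not {reference.package}"))
    added = sorted((candidate.permissions - reference.permissions) & SMS_FRAUD_PERMISSIONS)
    if added:
        findings.append(("ADDED_PERMISSIONS",
                         "permissions absent from the genuine app: " + ", ".join(added)))
    return findings

def scan_market(samples: List[AppInfo], references: List[AppInfo]) -> List[Tuple[AppInfo, list]]:
    """Match each market sample to its genuine counterpart and assess it."""
    by_package = {r.package: r for r in references}
    report = []
    for app in samples:
        ref = by_package.get(app.package)
        if ref is None:  # no exact package match: fall back to the closest genuine label
            ref = max(references, key=lambda r: name_similarity(app.label, r.label))
        report.append((app, assess(app, ref)))
    return report

def trojanization_rate(report: List[Tuple[AppInfo, list]]) -> float:
    """Fraction of scanned samples with at least one finding."""
    return sum(1 for _, f in report if f) / len(report)

# Constructed reference data: what the genuine Play Store versions look like.
GENUINE = [
    AppInfo("com.example.angryfowl", "Angry Fowl", "11" * 32,
            frozenset({"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"})),
    AppInfo("com.example.jewelcrush", "Jewel Crush", "33" * 32,
            frozenset({"android.permission.INTERNET"})),
]

# Constructed samples as they might be pulled from a third-party market.
MARKET_SAMPLES = [
    # identical repost of the genuine game: clean
    AppInfo("com.example.angryfowl", "Angry Fowl", "11" * 32, GENUINE[0].permissions),
    # same package name, re-signed by someone else, SMS permissions injected
    AppInfo("com.example.angryfowl", "Angry Fowl", "22" * 32,
            GENUINE[0].permissions | {"android.permission.SEND_SMS",
                                      "android.permission.RECEIVE_BOOT_COMPLETED"}),
    # lookalike name under a new package, re-signed, SMS permission injected
    AppInfo("com.freegames.angryfowlhd", "Angry Fowl HD", "44" * 32,
            GENUINE[0].permissions | {"android.permission.SEND_SMS"}),
    # unrelated app: no reference to compare against
    AppInfo("net.example.calc", "Calculator", "55" * 32, frozenset()),
]

if __name__ == "__main__":
    result = scan_market(MARKET_SAMPLES, GENUINE)
    for app, findings in result:
        print(app.package, "->", [code for code, _ in findings] or "clean")
    print(f"trojanization rate: {trojanization_rate(result):.0%}")
```

A signer mismatch on its own is the strongest of the three signals, since only the original developer holds the key that signed the Play Store build, but the reference set must itself come from a trusted source, and a developer who legitimately re-keys or a market that only carries an older version will both show up as anomalies to be reviewed rather than as proof of malice.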

In its report, F-Secure identified the top 20 most popular apps in the Google Play Store, most of them popular games, and investigated the rate of "trojanization" of these apps across different markets. The good news is that F-Secure found the least likely place for a user to encounter a trojanized app was the Google Play Store itself, at a low 0.1% of the samples examined.

That's because the Google Play Store is the most likely to "remove nefarious applications, so malware encountered there has a short shelf life," F-Secure says. An Android user is far more likely to find these trojanized apps in the large third-party Android marketplaces AnZhi, Mumayi, Baidu and eoeMarket, which mainly cater to the mainland Chinese user population.

The worst, apparently, was a market called Android159, where a third of the samples examined turned out to be malware.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
