Is Android fundamentally compromised?

Android is the world’s most popular mobile operating system. It’s installed on just over one billion active devices (according to Business Insider) and enjoys a 81 per cent market penetration (according to Strategy Analytics). But it’s very success means that it’s the number one target for malicious hackers and malware.

The latest edition of Cisco’s annual security report shows that an incredible 99 per cent of all mobile malware in 2013 was targeted at Android devices. Of this malware, 64 per cent is so-called Trojan programs and 20 per cent is adware. Cisco also found that 71 per cent of all web-based attacks on mobile devices targeted Android.

These web-based attacks don’t target Android devices specifically (only 1.2 per cent take this hardware or OS approach), rather they are more general phishing attacks or forcible redirects to malicious websites. Cisco says weak or nonexistent security policies, coupled with the popularity of mobile apps, are to blame and that “instituting a formal program for managing mobile devices to help ensure that any device is secure before it can access the network is one solution to improve security for the enterprise”.

Last October, Google went on the offensive to try and counter the claim that Android was at danger. Speaking at the Virus Bulletin security conference in Berlin, Google security researchers Adrian Ludwig, Eric Davis, and Jon Larimer presented a paper called ‘Android – practical security from the ground up’. They estimated that less than 0.001 per cent of all surveyed Android app installations lead to harmful effects to the user.

Why the discrepancy? Because, said the researchers, Android features multiple layers of protection that malware has to bypass to reach its target. Saying that 99 per cent of all mobile malware is targeted at Android is one thing, but how much actually penetrates far enough to do damage?

Based on the data from tracking over 1.5bn app installs, Google believes that the rate of potentially harmful apps installed is stable at about 0.12 per cent. Of these, about 40 per cent are ‘fraudware’ apps, a further 40 per cent are ‘rooting’ apps, 15 per cent are ‘commercial spyware’ and the remainder are out and out ‘malware’.

So is Android doomed to follow in Windows footsteps and cause its users just as much grief as they struggle with third-party anti-virus programs and countless patches?

It’s true that the fragmented nature of Android means that there are a large number of mobile devices out there that have existing security vulnerabilities that will never likely be fixed. When it’s left to the OEM or network operator to decide on when and for how long they issue OS upgrades, then you just know you’re dealing with a flawed system whose security is certain to be breached.

It’s left to Google’s own device range, Nexus, to ensure that at least the un-forked core Android OS gets the attention it truly deserves, with the most upgrades and security support.

In the meantime, owners of Android devices from other OEMs have to trust in third parties to maintain the security of their devices – they can’t rely just on Google. Regularly buying a new phone with the latest OS pre-installed is one way to stay safe – but it’s an expensive way and goes against the relatively infrequent upgrade cycles of the majority of Android users, as evidenced by the dominance of older versions of the OS still in active use.

So far, there hasn’t been a major global event that has successfully targeted or damaged older legacy Android handsets. But if there is – and reports like the one from Cisco show that surely it’s only a matter of time – it could well damage Android’s reputation and lead to churn to other platforms, or more interest in the DIY installation of more secure forks of Android.

Telcos shouldn’t think that this isn’t their problem – it most definitely is.

“Service providers and their mobile networks are actually part of the solution as network-based malware detection is the best defence against infection,” said Kevin McNamee, Director at Kindsight Security Labs. “Operators should be using their networks to provide value-added malware security services to subscribers. By leveraging the network to detect infections and pin-point which devices are at risk, they can immediately notify subscribers who’ve become victims and provide instructions on how to eliminate the malware threat.”