There’s an alarming amount of malicious software targeting Google’s Android smartphone platform, but experts say the problem will only get worse until a large share of Android customers experience firsthand the frustration, inconvenience and damage the
“Android malware is growing at an exponential rate, but until a large and significant user base is affected by malware, I fear we won’t see any major changes in user behavior,” Tim Armstrong, malware researcher for the anti-virus firm Kaspersky Lab, told SecurityNewsDaily.
Chester Wisniewski, senior security advisor with Sophos, put the issue in terms nearly every smartphone customer can relate to: “Most consumers don’t care until they get their first $1,000 phone bill because their pirated Angry Birds has been calling Estonia all month.”
Android malware jumps, customers don’t care
Both Armstrong and Wisniewski were commenting on a new report from Juniper Networks showing that Android malware has jumped 472 percent in the four months since July 2011. Despite this astounding uptick in harmful, corrupt software, Android has captured 52.5 percent of the global smartphone market share, according to firm Gartner, with more than 440.5 million units sold in the third quarter (July through September) alone.
So Android malware is clearly a problem. But, like car theft, it’s not a real problem until yours is the one that’s stolen.
“The average mom and dad don’t care,” Harry Sverdlove, chief technology officer for Massachusetts-based security firm Bit9, told SecurityNewsDaily. The rise in malware will only become a real issue, he said, when a customer “gets a $300 phone bill from premium-rate SMS messages or their identity gets stolen.”
Armstrong echoed Sverdlove’s assertion, and said that a majority of users are simply unaware of Android security flaws because they haven’t been caught in an attack. Yet customers continue to blindly let Android apps access their phone without exercising any of the same precautions they would on a computer.
“Take permissions, for example,” Armstrong said. “For years, we’ve been taught on the desktop to click and click through screens until an application finally installs. Compare this with the permission-request screen of an Android app install. Most users will not take the time to read or understand every permission and its consequences. They’ll just click through to start using the app. EULAs [End User License Agreements] are a good example of this. Who has ever read a whole one?”
Too many cooks in the Android kitchen
Unlike Apple, which makes the iPhone, owns and maintains complete control over the iOS operating system and pushes out updates to all its customers at once, several manufacturers build Android phones, often tweaking the software. It falls on the carriers (Sprint, Verizon Wireless, AT&T and T-Mobile, to name the big four in the United States), not Google, to release security updates to their millions of customers.
“This is a flawed distribution model,” Sverdlove said.
He likened the process to buying a personal computer from Dell, and then expecting Dell to update a Microsoft Windows program.
“I don’t think people realize how chaotic this ecosystem is,” Sverdlove said.
Between carriers, manufacturers and software providers, he said, “There are too many cooks in the kitchen.”
Another cook, or at least another ingredient in this messy recipe, are the app developers and the ease with which anyone can put a flawed product in the Android Market or a third-party app store.
“It’s just too easy at this point to upload virtually anything within an app,” Armstrong told SecurityNewsDaily. “There appears to be no review system at all, so, as users, we are dependent on reviews which come from other users.”
New phones, same old problems
Sverdlove said Android phones, unlike iPhones, are “not end-of-life phones.” Android customers are likely to buy new handsets every 12 to 18 months, as opposed to iPhone owners, who typically keep their phones until the units die.
To that end, the carriers and phone manufacturers are consistently focused on bringing out the next, newest model, not on fixing security flaws that already exist.
“We go out and buy the phone that has the prettiest touchscreen or the best color and we don’t care,” Sverdlove said.
Armstrong and Wisniewski are in the same camp. They both said they would like to see more research on existing software flaws rather than a constant stream of new phones.
“The major issue for Android users is the inability to patch their phones with fixes for known security vulnerabilities,” Wisniewski said.
“Continued improvements on securing and patching the existing models would do wonders for creating a safer experience for users,” Armstrong said. “Unfortunately, carriers and manufacturers need to keep selling new phones, and need new and exciting features to drive this demand, so many times resources are spent in places that do not best benefit user security.”
Ice Cream Sandwich and the future of Android
Even with the release of Android 4.0 (Ice Cream Sandwich), which includes some built-in security measures such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), both designed to prevent malicious software from damaging users’ phones, the problem is too vast for the new OS to tackle.
“The problem is endemic in the whole infrastructure,” Sverdlove said. “I think the problem will continue. Something has to change in the Android ecosystem, not the OS.”
“I’d love to say there’s a magic answer,” he added. “This is a tough problem [that] requires tough changes. Manufacturers need to prioritize security as much as they prioritize selling phones, and there’s no question in my mind carriers need to step aside.”
Wisniewski told SecurityNewsDaily he doesn’t see the Android Market ever becoming as locked down and secure as the iTunes App Store, but he said he expects Google to partner with security organizations that can alert Google about malicious Android apps.
With other companies like Amazon and Barnes & Noble now in competition for Android customers, he said Google “will need to step up their game.”
This post originally appeared at Security News Daily.