Has Android Malware Tripled in Recent Months? Not So Fast

Did 14,900 new malicious programs appear in the second quarter, or just 40? It all depends on whom you ask.

There never seems to be any shortage of Android malware reports circulating in the news, and today one came out that sounds alarming indeed.

"Android Under Attack: Malware Levels for Google's OS Rise Threefold in Q2 2012" was the title of the press release from antivirus vendor Kaspersky announcing it, in fact, and right on cue headlines are popping up across the tech media echoing that dire warning.

But is it really as bad as all that? Probably not. As pointed out by security-focused publication The H on Thursday, data from competing firm F-Secure paint a very different picture for the very same time period. Rather than a tripling of Android malware in the second quarter, F-Secure found only a modest rise.

How to explain the difference? It's all a matter of methodology, according to The H, which calls F-Secure's approach "more sophisticated."

Bottom line? Don't start panicking just yet.

'Over 14,900 New Malicious Programs'

"The number of new malicious programs targeting the Android platform has almost trebled in the second quarter of the year," Kaspersky wrote in its announcement.

"Over the three months in question, over 14,900 new malicious programs targeting this platform were added to Kaspersky Lab's database," it added.

The complete version of Kaspersky's Q2 IT Threat Evolution report is available online.

Over at F-Secure, however, the findings are pretty different.

'A Much Better Measurement'

In a comparable report (PDF) also covering the second quarter, F-Secure reported finding only 40 new malicious Android application package files (APKs), amounting to a 64 percent increase over the previous quarter.

Nineteen of those 40 were new families, while 21 were variants of existing ones, F-Secure said.

The difference behind the disparity is that Kaspersky's data apparently represents what are called "unique samples"--which could easily be generated "by replacing an 'A' with an 'a' in the code," The H notes--while F-Secure bases its own numbers on malware families or variants.

While the unique sample approach is easy to implement, it's also "practically worthless," the publication asserts. F-Secure's approach, on the other hand, "provides a much better measurement of the real threat compared to the inflated unique samples values," it concludes.
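To see why the two counting methods diverge so sharply, here is an added illustration (not taken from the article, The H, or either vendor's report) that counts one small corpus by file hash, by variant and by family. The file contents and the "Family.Variant" label format are constructed placeholders and assumptions, not real samples or real detection names.

```python
import hashlib

# Constructed corpus: ("Family.Variant" label, file bytes). Labels and contents
# are invented placeholders, not real malware or real detection names.
BASE = [
    ("FamilyOne.A", b'class Payload { String tag = "ALPHA"; }'),
    ("FamilyOne.B", b'class Payload { String tag = "ALPHA"; int v = 2; }'),
    ("FamilyTwo.A", b'class Other { String tag = "BETA"; }'),
]


def trivial_mutations(data, n):
    """Return n copies of data, each with the case of one different letter flipped."""
    letters = [i for i, b in enumerate(data) if chr(b).isalpha()]
    if n > len(letters):
        raise ValueError("not enough letters to produce n distinct mutations")
    out = []
    for i in letters[:n]:
        mutated = bytearray(data)
        mutated[i] ^= 0x20  # flip ASCII case, e.g. 'A' <-> 'a'
        out.append(bytes(mutated))
    return out


def build_corpus(copies):
    """Each base sample plus `copies` trivially altered copies with the same label."""
    corpus = []
    for label, data in BASE:
        corpus.append((label, data))
        corpus.extend((label, m) for m in trivial_mutations(data, copies))
    return corpus


def count_methods(corpus):
    """Count the same corpus three ways: by file hash, by variant, by family."""
    hashes = {hashlib.sha256(data).hexdigest() for _, data in corpus}
    variants = {label for label, _ in corpus}
    families = {label.split(".")[0] for label, _ in corpus}
    return {"unique_samples": len(hashes), "variants": len(variants),
            "families": len(families)}


if __name__ == "__main__":
    for copies in (0, 10, 20):
        print(copies, count_methods(build_corpus(copies)))
```

The unique-sample count grows with every one-character change, while the variant and family counts stay fixed because nothing new was actually written.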

Worth a Closer Look

This is not to say that even F-Secure's mere 64 percent increase isn't worth worrying about, of course.

However, it's clearly worth considering the methods behind the numbers a little more carefully as well. It's all too easy to seize upon alarmist figures when writing reports and headlines, but those numbers don't mean much without a clear understanding of the data itself.
