Android-based malware: the good, the bad and the ugly

The good news on Android is that there is very little Android malware that targets actual vulnerabilities in the operating system

When it comes to mobile devices, it's well known that malware writers like to target Android. But a threat report published by security firm F-Secure puts in perspective why Android malware attacks often flop and why Android itself is no pushover.

In a look back at 2013, the bi-annual report notes that there is "hugely disproportionate attention being directed at the Android platform": by the end of last year, 97 per cent of the new malware threats across all mobile operating systems targeted Android. However, F-Secure says Google is fighting back with security enhancements to Android. "Each new version released by the tech giant has included a number of security-related changes that help mitigate the effects of malware."

F-Secure points out that in Android 4.3 (Jelly Bean), "a prompt was introduced to verify activity when the Messaging app sends a large amount of text messages in a short time," as a way to combat SMS messaging fraud. There have been other improvements, but the overall situation with Android today is that security is extremely "variable" because of the "fragmented nature of the Android ecosystem between different device vendors."


This variation in vendor implementation "makes it basically impossible to ensure a uniform security level across all users," according to F-Secure. This means Android device users have to make their own decisions about device security, deciding what kind of security software to use or what apps to run.

According to F-Secure, the good news on Android is that unlike desktop-targeted malware, there is very little Android malware that targets actual vulnerabilities in the operating system. The most notable Android flaw found early last year was the so-called "Masterkey vulnerability" and a handful of programs later found on third-party app sites included an exploit for this vulnerability.

But there have been very few apps exploiting the Android operating system because, so far, the Android platform has had relatively few vulnerabilities. According to F-Secure, only seven vulnerabilities were publicly announced for Android in 2013, while the Apple iOS platform saw 90 in the same period.

F-Secure suggests that most malware authors at this point seem more inclined to simply find ways to trick the user into giving them access to the device rather than having to find and design complicated exploitation methods based on vulnerabilities. The Metasploit penetration-testing tool, for example, lists few exploits for the Android platform a hacker might use. But still, if someone wants to go to a lot of trouble, F-Secure points out they can buy attack code created by other people from sites such as Inj3ct0r.

The top three Android malware "families" are considered to be SMSSend, GinMaster and Fakeinst. The most common types are Trojans that rely on malicious additions injected into the packages of clean, legitimate programs, especially popular gaming and casino apps, which are then distributed in various app stores. According to F-Secure, these malicious apps often have "a new name reminiscent of the clean app." These malicious apps, typically tied into botnets, essentially represent a new twist on social engineering since they "take advantage of the user's overriding desire to install and use a popular app to gain the permissions needed to execute their malicious behavior." Most of the mobile threats seen in 2013 were financially motivated.
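As an added illustration (not F-Secure's method, and not code from the report), the following Python script applies two checks a defender or store operator could run over app listings to spot the repackaging pattern described above: does the listing's name imitate a known popular app, and is the package signed by that app's legitimate developer? An attacker who repackages a clean app cannot sign it with the original developer's key, so the signing-certificate fingerprint is the tell. All app names, store names in the sample data and certificate fingerprints below are constructed placeholders.

```python
"""Heuristic check for repackaged ("trojanized") Android app listings.

Added example, not F-Secure's tooling. A repackaged app reuses a popular
app's branding under a near-identical name, but the attacker cannot sign it
with the original developer's key, so its signing-certificate fingerprint
differs. The app names and fingerprints below are constructed placeholders.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed allow-list: popular app name -> trusted signer SHA-256 (placeholder values).
TRUSTED_SIGNERS = {
    "Angry Birds": "aa11aa11",
    "Candy Crush Saga": "bb22bb22",
}

@dataclass
class Listing:
    name: str
    signer_sha256: str   # fingerprint of the APK's signing certificate
    store: str

def name_similarity(candidate: str, known: str) -> float:
    """1.0 if the known name is embedded in the candidate ('Angry Birds Free HD'),
    otherwise a fuzzy ratio that still catches small misspellings ('Angry Bird')."""
    c, k = candidate.lower(), known.lower()
    if k in c:
        return 1.0
    return SequenceMatcher(None, c, k).ratio()

def classify(listing: Listing, trusted=TRUSTED_SIGNERS, threshold: float = 0.8) -> tuple:
    """Return (verdict, imitated_app). Verdicts: genuine, suspect-repackaged, unknown."""
    app, score = max(((a, name_similarity(listing.name, a)) for a in trusted),
                     key=lambda t: t[1])
    if score < threshold:
        return "unknown", None            # no popular app is being imitated
    if listing.signer_sha256 == trusted[app]:
        return "genuine", app             # right developer key, whatever the store
    return "suspect-repackaged", app      # popular name, wrong signer

# Constructed listings standing in for a scan of several markets.
SAMPLE_LISTINGS = [
    Listing("Angry Birds", "aa11aa11", "Google Play"),
    Listing("Angry Birds", "aa11aa11", "AnZhi"),
    Listing("Angry Birds Free HD", "cc33cc33", "Android159"),
    Listing("Angry Bird", "cc33cc33", "Baidu"),
    Listing("Candy Crush Saga Unlocked", "dd44dd44", "Mumayi"),
    Listing("Calculator", "ee55ee55", "Google Play"),
]

def suspect_count(listings=SAMPLE_LISTINGS) -> int:
    return sum(1 for l in listings if classify(l)[0] == "suspect-repackaged")

if __name__ == "__main__":
    for l in SAMPLE_LISTINGS:
        verdict, app = classify(l)
        print(f"{l.store:12} {l.name:28} {verdict} ({app})")
```

Note that the correctly signed copy on a third-party market is still reported as genuine: the store only raises the prior probability of trouble, the signer check is what decides.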

In its report, F-Secure identified the top 20 most popular apps in the Google Play Store and investigated the rate of "trojanization" of these apps, most of them popular games. The good news is that F-Secure found the least likely place for a user to encounter a trojanized app was the Google Play Store, at a low 0.1% of the samples examined.

That's because Google Play Store is most likely to "remove nefarious applications, so malware encountered there has a short shelf life," F-Secure says. However, the Android user would be far more likely to find these trojanized apps in the large Android app marketplaces AnZhi, Mumayi, Baidu and eoeMarket, which mainly cater to the mainland Chinese user population.

The worst, though, was apparently a market called Android159, where a third of the samples examined turned out to be malware.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE.
