Google has made a controversial claim today that many in the security industry are going to be scratching their heads over or immediately contesting.
Today at the Virus Bulletin security conference in Berlin, Google security researchers Adrian Ludwig, Eric Davis, and Jon Larimer presented a paper called “Android – practical security from the ground up”, where they offer statistics on the spread and effect of Android malware based on data collected by Google from actual users.
Quartz’ Steven Max Patterson attended the conference and was able to capture some very interesting findings.
Google’s researchers estimate that less than 0.001% of all surveyed Android app installations lead to harmful effects to the user. In the slide at the top of this post, the team presented the multiple layers of protection that malware has to bypass to reach its target.
The researchers went on to claim that some of the most intensely publicized malware discoveries from the past have only affected one in a million app installations. In the future, to prevent such “extremely exaggerated” reports, Google will share its data with security researchers.
That's very nice of them to offer to share their data, but we have some of our own. For instance, there are over half a million Android apps we know to be malware, which make up about 10% of all apps we've ever seen - including quite a lot of apps found on Google Play.
We don't like FUD (fear, uncertainty, and doubt) tactics, and we don't try to needlessly scare people into making a security investment. Actually, we're so confident users will realize the value themselves that we offer a free version of WSA-Mobile. And the odds speak for themselves - if you're an average user who downloads 10 apps, probably 1 of them is malware.
Maybe what they are considering malware is something other than what we (and most people) consider malware, or maybe they are going, quite literally, off of the number of installations rather than the number of apps. If so, 10 million downloads of a single good app could be weighted against 1,000 downloads of a piece of malware that is caught and pulled from the store in short order, but that way of looking at it seems misguided. An individual user is not going to download the same app a million times, but he will probably download at least 10 apps.
If the purpose of their report is to ease concerns about the security of their platform, they will likely accomplish just that, but doing so could come at the cost of their users behaving less mindfully about security and ultimately hurting themselves with malware. As such, the report strikes me as irresponsible.
The facts are the facts, and opinion is opinion. This post is a little of both. What does everyone think? Is Google right or wrong? What did you get out of this report and what, if anything, do you disagree with? I'd like to open this up for discussion and also invite some of our Threat Researchers to comment to provide a more official stance from Webroot than I can provide myself. (@Grayson @Rakanisheu @ncollier)
I, myself, am extremely distrustful of anything Google. I only keep Chrome on my machine for evaluation purposes. I will not go on an anti-Google rant as it is not related to the topic directly. I find the figures very hard to believe, but what I can say for certain is I have seen, and worked on, many infected Android machines. It takes almost no effort for myself, or anyone else for that matter, to author a malicious app and get it listed. Having said that, I do not buy into the legitimacy of these figures as I am always fielding questions from people in my weekly travels to and from work, regarding issues with their phone. I would charge that Google are almost as arrogant and misleading as Apple in regards to figures related to malware infection, etc. I doubt the figures as most people I come across now are totally ignorant security-wise and are quite easily fooled into downloading and installing a malicious app. I find the figures rather self-serving and believe them to be nothing but smoke blown up our rears and meant for quick and undisputed consumption by the masses.