From AndroidAuthority:
Today at the Virus Bulletin security conference in Berlin, Google security researchers Adrian Ludwig, Eric Davis, and Jon Larimer presented a paper called “Android – practical security from the ground up”, where they offer statistics on the spread and effect of Android malware based on data collected by Google from actual users.
Quartz’ Steven Max Patterson attended the conference and was able to capture some very interesting findings.
Google’s researchers estimate that less than 0.001% of all surveyed Android app installations lead to harmful effects to the user. In the slide at the top of this post, the team presented the multiple layers of protection that malware has to bypass to reach its target.
The researchers went on to claim that some of the most intensely publicized malware discoveries from the past have only affected one in a million app installations. In the future, to prevent such “extremely exaggerated” reports Google will share its data with security researchers.
That's very nice of them to offer to share their data, but we have some of our own. For instance, there are over half a million Android apps we know to be malware, which make up about 10% of all apps we've ever seen - including quite a lot of apps found on Google Play.
We don't like FUD (fear, uncertainty, and doubt) tactics, and we don't try to needlessly scare people into making a security investment. Actually, we're so confident users will realize the value themselves that we offer a free version of WSA-Mobile. And the odds speak for themselves - if you're an average user who downloads 10 apps, probably 1 of them is malware.
Maybe what they are considering malware is something other than what we (and most people) consider malware, or maybe they are, quite literally, counting installations rather than apps. If so, 10 million downloads of a single good app could be weighted against 1,000 downloads of a piece of malware that is caught and pulled from the store in short order, but that way of looking at it seems misguided: an individual user is not going to download the same app a million times, but he will probably download at least 10 apps.
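To make the difference between the two ways of counting concrete, here is a small added example (not from the original post, and not Google's or Webroot's data or code) that computes both rates over a constructed catalogue and then turns each into the probability that a user who installs ten apps picks up at least one malicious one. The catalogue, the app names and the install counts are all made up for illustration; the only point is that one very popular benign app dominates the install-weighted figure while a single malicious app still counts as one of six apps.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    installs: int
    malicious: bool


# Constructed sample catalogue (illustrative only, not real data): one very
# popular benign app, a few modest benign apps, and one malicious app that
# was pulled after a small number of installs.
CATALOGUE = [
    App("popular-messenger", 10_000_000, False),
    App("flashlight", 50_000, False),
    App("notes", 20_000, False),
    App("weather", 30_000, False),
    App("wallpaper-pack", 5_000, False),
    App("fake-bank-client", 1_000, True),
]


def app_weighted_rate(apps):
    """Fraction of distinct apps that are malicious.

    This is what you get by counting samples: each app counts once,
    regardless of how many times it was installed.
    """
    return sum(1 for a in apps if a.malicious) / len(apps)


def install_weighted_rate(apps):
    """Fraction of all installations that were of a malicious app.

    Here a single app with ten million installs carries ten million votes,
    so a malicious app with a thousand installs barely registers.
    """
    total = sum(a.installs for a in apps)
    bad = sum(a.installs for a in apps if a.malicious)
    return bad / total


def p_at_least_one(rate, n_installs):
    """Probability that n_installs independent picks, each malicious with
    probability `rate`, include at least one malicious app."""
    return 1 - (1 - rate) ** n_installs


def compare(apps, n_installs=10):
    """Return (app-weighted rate, install-weighted rate, P(>=1 bad) under
    each model) for a user who installs n_installs apps."""
    by_app = app_weighted_rate(apps)
    by_install = install_weighted_rate(apps)
    return (
        by_app,
        by_install,
        p_at_least_one(by_app, n_installs),
        p_at_least_one(by_install, n_installs),
    )


if __name__ == "__main__":
    by_app, by_install, p_app, p_install = compare(CATALOGUE)
    print(f"malicious share of apps:      {by_app:.4%}")
    print(f"malicious share of installs:  {by_install:.4%}")
    print(f"P(>=1 bad in 10 installs), app-weighted:     {p_app:.2%}")
    print(f"P(>=1 bad in 10 installs), install-weighted: {p_install:.4%}")
```

The two rates describe different users: the install-weighted model assumes someone picks apps in proportion to their popularity, so they almost always land on the big benign app, while the app-weighted model assumes each listed app is equally likely to be chosen. Neither is the whole truth, which is why a one-in-a-million figure and a one-in-ten figure can both be computed from the same catalogue.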
If the purpose of their report is to ease concerns about the security of their platform, they will likely accomplish just that, but doing so could come at the cost of their users behaving less mindfully about security and ultimately hurting themselves with malware. As such, the report strikes me as irresponsible.
The facts are the facts, and opinion is opinion. This post is a little of both. What does everyone think? Is Google right or wrong? What did you get out of this report and what, if anything, do you disagree with? I'd like to open this up for discussion and also invite some of our Threat Researchers to comment to provide a more official stance from Webroot than I can provide myself.