Google Claims Less Than .001% of All App Installations are Harmful

  • 4 October 2013

Userlevel 7
  • Retired Webrooter
Google has made a controversial claim today that many in the security industry are going to be scratching their heads over or immediately contesting.
 


 
From AndroidAuthority:
Today at the Virus Bulletin security conference in Berlin, Google security researchers Adrian Ludwig, Eric Davis, and Jon Larimer presented a paper called “Android – practical security from the ground up”, where they offer statistics on the spread and effect of Android malware based on data collected by Google from actual users.
 
Quartz’ Steven Max Patterson attended the conference and was able to capture some very interesting findings.
Google’s researchers estimate that less than 0.001% of all surveyed Android app installations lead to harmful effects to the user. In the slide at the top of this post, the team presented the multiple layers of protection that malware has to bypass to reach its target.
 
The researchers went on to claim that some of the most intensely publicized malware discoveries from the past have only affected one in a million app installations. In the future, to prevent such “extremely exaggerated” reports Google will share its data with security researchers.

That's very nice of them to offer to share their data, but we have some of our own.  For instance, there are over a half a million Android apps we know to be malware, which make up about 10% of all apps we've ever seen - including quite a lot of apps found on Google Play.
 
We don't like FUD (fear, uncertainty, and doubt) tactics, and we don't try to needlessly scare people into making a security investment.  Actually, we're so confident users will realize the value themselves that we offer a free version of WSA-Mobile.  And the odds speak for themselves - if you're an average user who downloads 10 apps, probably 1 of them is malware.
 
Maybe what they are considering malware is something other than what we (and most people) consider malware, or maybe they are going, quite literally, off of the number of installations rather than the number of apps.  If so, 10 million downloads of a single good app could be weighted against 1,000 downloads of a piece of malware that is caught and pulled from the store in short order, but that way of looking at it seems misguided.  An individual user is not going to download the same app a million times, but he will probably download at least 10 apps.
 
If the purpose of their report is to ease concerns about the security of their platform, they will likely accomplish just that, but doing so could come at the cost of their users behaving less mindfully about security and ultimately hurting themselves with malware.  As such, the report strikes me as irresponsible.
 
The facts are the facts, and opinion is opinion.  This post is a little of both.  What does everyone think?  Is Google right or wrong?  What did you get out of this report and what, if anything, do you disagree with?  I'd like to open this up for discussion and also invite some of our Threat Researchers to comment to provide a more official stance from Webroot than I can provide myself.

2 replies

Userlevel 7
I, myself, am extremely distrustful of anything Google. I only keep Chrome on my machine for evaluation purposes. I will not go on an anti-Google rant as it is not related to the topic directly. I find the figures very hard to believe, but what I can say for certain is I have seen, and worked on, many infected Android machines. It takes almost no effort for myself, or anyone else for that matter, to author a malicious app and get it listed. Having said that, I do not buy into the legitimacy of these figures as I am always fielding questions from people in my weekly travels to and from work, regarding issues with their phone. I would charge that Google are almost as arrogant and misleading as Apple in regards to figures related to malware infection, etc. I doubt the figures as most people I come across now are totally ignorant security-wise and are quite easily fooled into downloading and installing a malicious app. I find the figures rather self-serving and believe them to be nothing but smoke blown up our rears and meant for quick and undisputed consumption by the masses.
Userlevel 4
I was in attendance at this year's Virus Bulletin; however, I was attending a Mac hacking talk while Google presented this data. I should also mention the talk by Google was a last-minute presentation and as such there isn't an extensive white paper detailing their research or methods used to generate these figures.

Nevertheless, I would like to add additional perspective to this thread.

What Google reported only looked at compromise caused by the phone itself, things like SMS trojans, spyware apps or malicious banking apps. What they didn't mention is compromise which can occur when using an app with an aggressive ad engine, shady developer, web based attacks or the fact that cell phones are one of the most commonly stolen devices.

The reality is that smartphones hold vast amounts of our personal (and business) data, and cybercriminals are eager to gain access.

Virus Bulletin had a number of presentations looking at Android, ranging from app obfuscation techniques to ad engines to a very interesting talk about hacked web servers which only redirect when visited by a mobile device (very clever for staying under the radar of traditional web crawling techniques). Then, of course, there is the impact of a device being lost or stolen.

It seems Google wants to sell the message that their OS is completely safe as is and that additional security isn't necessary. I couldn't disagree more based on the points I listed above.

Another point I want to clarify is that Jim mentioned our Android app collection contains more than 10% malicious apps. This is not to say that Google Play contains this many malicious apps, rather if you were to download 100 apps from 100 various alternative markets, you would get infected > 10% of the time. Additionally, the fastest growing segment of unwanted apps are those which collect as much user data as possible for the purposes of targeted advertising, SMS spam or worse. When combining these PUA apps with malware apps, our collection contains roughly 23% of these types of apps, or well over 800,000 samples.

So, clearly, Google is looking at the world through their own special pair of glasses (pun).
