Yesterday, we released our regular quarterly security roundup. If you look at the key insights in our new online version, one thing that you will see is the predominance of insights around Android and mobile computing. In fact, my reading of the insights in our report is that just as you’d be crazy to run a Windows PC on the Internet without security protections, we’re now at the point where you’d be crazy to run Android on the Internet without security protections. The threats that Android faces now are broad enough, serious enough, and mature enough that we have to consider it a platform as threatened as (if not more threatened than) Microsoft Windows.
While we have been tracking the growth of threats to Android for some time, I’d argue that three key things that we call out in this report show that Android has reached this tipping point:
- Volume of malware and threats on Android
- Discovery of multiple critical vulnerabilities affecting nearly all Android devices currently out there
- Migration of mature malware and threats from PCs to Android
The growth of malware on Android itself isn’t a new thing. We’ve been tracking these threats regularly every quarter for some time. Our CTO’s annual predictions included one that we’ll cross one million pieces of malware on Android by the end of the year. What is new this quarter is how fast the problem is growing. In our report we show that in the first six months of 2013, Android malware volume doubled. It increased by 350,000, a number that it previously took three years to reach. All signs indicate this trend will continue to increase, so Android malware will likely cross the one million mark ahead of the end of 2013.
What is very new for Android is the problem of unfixed vulnerabilities that broadly affect the installed base. With attacks against the “Master Key” vulnerability and the “OBAD” attacks exploiting administrative access vulnerabilities, we now see active attacks against vulnerabilities that in aggregate affect nearly all Android devices. This situation is made dire by the fact that Android fragmentation and a lack of commitment to updates by handset makers and carriers mean that many (if not most) of these vulnerable devices will never be patched and so will always be vulnerable to attack. (The problem of handset maker and carrier support for subsidized Android phones is a huge one that I outline more broadly in my article “Why I won’t buy another subsidized Android phone (and why you shouldn’t either)”.) We can expect more vulnerabilities to be found in these older versions. And we can expect Android malware authors to get better at attacking vulnerabilities on this platform as they port their expertise from Windows to Android.
This brings us to the last major trend we outline: the migration of mature malware and threats from PCs to Android. Malware authors these days are often mature, professional-quality software development operations. And like all smart software companies, they adapt to make their wares available to as broad an audience as possible. Just as companies have adapted by expanding their offerings from applications on Windows to apps on Android, so have malware authors. This quarter in particular, we’ve seen mature and successful threats like FAKEAV and banking Trojans make the leap from Windows to Android. In fact, if you look at our graphic comparing Windows and Android threats, you’ll see that in just three years Android threats have come to match the breadth of types and complexity facing Windows (and that took Windows over 20 years to accomplish).
When you take these all together: the volume of threats, the presence of permanently unfixed vulnerabilities, and the breadth and complexity of threats, it’s clear that Android is as much a target now as Windows. And more importantly, the trends show this continuing. Android may not be as much a target as Windows yet, but the time is fast approaching.
This doesn’t mean that people shouldn’t use Android, any more than people shouldn’t use Windows. But it does mean that the same best practices and security mindset that people have evolved to use Windows safely on the Internet need to be applied to Android now. Chief among these is making it a standard practice to put a security package on your Android devices. This is especially important for Android given the lack of fixes for vulnerabilities for many devices. If you’re like me and stuck on a version of Android abandoned by your maker and carrier, no patches will ever come to protect you; your security software is your only protection. Put simply, these days, you’d be crazy to run Android without a security package.