When it comes to mobile devices, it's well known that malware writers like to target Android. But a threat report published today by security firm F-Secure puts in perspective why Android malware attacks often flop and why Android itself is no pushover.
In a look back at 2013, the bi-annual report notes that there is "hugely disproportionate attention being directed at the Android platform," with 97 percent of the new malware threats across all mobile operating systems targeting it by the end of last year. However, F-Secure says Google is fighting back with security enhancements to Android. "Each new version released by the tech giant has included a number of security-related changes that help mitigate the effects of malware."
F-Secure points out that in Android 4.3 (Jelly Bean), "a prompt was introduced to verify activity when the Messaging app sends a large amount of text messages in a short time," as a way to combat SMS messaging fraud. There have been other improvements, but the overall situation with Android today is that security is extremely "variable" because of the "fragmented nature of the Android ecosystem between different device vendors."
This variation in vendor implementation "makes it basically impossible to ensure a uniform security level across all users," according to F-Secure. This means Android device users have to make their own decisions about device security, deciding what kind of security software to use or what apps to run.
According to F-Secure, the good news on Android is that, unlike desktop-targeted malware, very little Android malware targets actual vulnerabilities in the operating system. The most notable Android flaw found early last year was the so-called "Masterkey vulnerability," and a handful of programs later found on third-party app sites included an exploit for this vulnerability.
But there have been very few apps exploiting the Android operating system because so far the Android platform has had relatively few vulnerabilities. According to F-Secure, only seven vulnerabilities related to Android were publicly announced in 2013, while the Apple iOS platform saw 90 in the same time period.
F-Secure suggests that most malware authors at this point seem more inclined to simply find ways to trick the user into giving them access to the device rather than having to find and design complicated exploitation methods based on vulnerabilities. The Metasploit penetration-testing tool, for example, lists few exploits for the Android platform that a hacker might use. But still, if someone wants to go to a lot of trouble, F-Secure points out they can buy attack code created by other people from sites such as Inj3ct0r.