Looking only at the data provided by security firms, the world appears on the verge of a mobile malware apocalypse.
The number of samples—which represent unique, but mostly automatically generated variants of malicious programs—exceeded 5 million in the third quarter of 2014, according to security firm McAfee. Using a different counting method, security firm Symantec classified a similar magnitude—1 million of the 6.3 million mobile apps it discovered—as malware in 2014.
Yet, these data points tell only the darker side of the story. An increasing volume of data supports the idea that Apple’s and Google’s gated communities for mobile software have paid security dividends and kept most monstrous malware at bay.
Apple, Google app stores are most vigilant
Less than 0.5 percent of the 1 billion devices scanned by Google security software had a potentially harmful application (PHA) installed, according to Google’s 2014 Android Security Report, published in April. Potentially harmful applications include spyware, ransomware and fraudulent apps, which Google scans for using a security capability known as Verify Apps that runs in the background on modern Android systems. In addition, the company checks mobile apps submitted to the Google Play store, which offered about 1.5 million pieces of software at last count, and removes applications found to violate the company’s policies.
The measures mean that, among users who stick to Google’s Play store, fewer than one device in every 10,000 has a program considered malicious. “I don’t think malware represents a risk,” says Adrian Ludwig, lead security engineer for Android at Google. “I think the damage of mental anguish worrying about mobile malware likely exceeds the potential harm from actually being infected by it.”
Not that cybercriminals and malware developers aren’t trying. Smartphones and tablets tend to hold as much private data on their users as computers, if not more, so attempting to get malware on the devices is logical. No wonder, then, that online miscreants have focused more heavily on infecting mobile devices, using automated techniques to create tens of thousands of malware variants to get around the detection systems—again, automated—used by Google, Apple and security firms.
Yet, for most parts of the world, malware on mobile devices is a non-issue. In a recent report, network security firm Damballa analyzed cellular data and found signs of potentially malicious activity on only 0.3 percent of devices. Business services firm Verizon looked at traffic on its own cellular network and found “virtually no” iOS malware and very little Android malware, according to Bob Rudis, a security data scientist with the company.
“There was a blip here or there, but the reality was that there was nothing of significance to note,” he told the press during an April 2015 call.
Third-party app stores carry the most risk
Most malicious software is found in third-party app stores that are popular in a few countries and are loaded with pirated versions of software or trojanized applications. While Symantec automatically discovered and analyzed 6.3 million mobile apps in 2014, for example, there are only about 1.5 million apps in the Google Play store and fewer than that in the Apple App Store, according to AppFigures, meaning that applications from other sources make up the majority, two-thirds, of the data.
Paying heed to the data, three simple steps are recommended for North American users.
1. Use an official app store
The official app stores—namely, Google’s Play store and Apple’s App Store—regularly check uploaded software for malicious behavior. While the checks are automatic and can be fooled, they do act as an initial bar that attackers have to circumvent. The companies will remove programs later found to be malicious as well.
Consumers who load applications to their device only from Google Play, for example, have a 0.1 percent chance of having a potentially harmful application on their device, compared with 0.7 percent for devices that load software from outside of Google.
Loading applications from other app stores or Web sites, an activity known as sideloading, gives attackers and criminals an opening to install their own code. Many of those app stores do not perform the same security functions as Apple and Google. Russia, for example, is the leader in infected phones, with about 3.75 percent of devices containing a PHA, according to Google’s data.
Using apps outside official stores “is a risky behavior,” Google’s Ludwig says. “Potentially harmful applications are 7 to 10 times more likely to be installed outside of Google Play.”
2. Don’t jailbreak your phone
Mobile devices come with a lot of built-in security. Using programs to hack the devices to remove the carriers’ and manufacturers’ restrictions—an activity known as “jailbreaking”—can lead to freer markets, but also undermines much of the security protecting the devices. The ability to keep applications from accessing protected data and the ability to validate applications are both disabled on jailbroken devices.
Finally, users who jailbreak their devices need to rely on their own technical know-how to protect the devices and their data.
3. Update often
Vulnerabilities have historically not led to increased attacks on mobile devices. Apple’s iOS had nearly 8 times as many vulnerabilities as Android in 2014, but nearly all malware targets Android, according to Symantec’s latest Internet Security Threat Report.
The mobile software space, however, is moving quickly and developers tend to push out bug fixes, including fixes for security issues, quite often. For that reason, users should update their software as frequently as possible and always look out for system updates. Updates are typically delayed by all the steps required to update an Android device, said Jon Oberheide, chief technology officer of Duo Security, a mobile security provider.
“Patching is still an issue on mobile devices…but it’s getting better,” he said.