Google data shows threat of Android malware is massively overblown

by: Bogdan PetrovanOctober 3, 2013

google verify apps defense (1) Qz

Malware is a topic that critics of Android often like to bring up in discussion, sometimes attaching ominous sounding statistics such as Four Out of Five Malware Menaces Choose Android. Contributing to the atmosphere of distrust, security firms regularly issue reports describing far-reaching security vulnerabilities or malware outbreaks that put the users’ bank accounts and private data at risk.

But in many cases the danger posed by Android malware is greatly exaggerated, and Google has some data to prove it.

Today at the Virus Bulletin security conference in Berlin, Google security researchers Adrian Ludwig, Eric Davis, and Jon Larimer presented a paper called “Android – practical security from the ground up”, where they offer statistics on the spread and effect of Android malware based on data collected by Google from actual users.

Quartz’ Steven Max Patterson attended the conference and was able to capture some very interesting findings.

less than 0.001% of all app installations lead to harmful effects to the user

Google’s researchers estimate that less than 0.001% of all surveyed Android app installations lead to harmful effects to the user. In the slide at the top of this post, the team presented the multiple layers of protection that malware has to bypass to reach its target.

The researchers went on to claim that some of the most intensely publicized malware discoveries from the past have only affected one in a million app installations. In the future, to prevent such “extremely exaggerated” reports Google will share its data with security researchers.

Google was able to gather this data thanks to Verify Apps, the anti-malware service that debuted with Android 4.2 and later moved to Play Services, thus extending to devices running older versions of the OS. 95% of all devices have the Verify Apps service turned on by default, claims Google.

95% of all devices have the Verify Apps service turned on by default

The company collected data on 1.5 billion installations, and found that users went through with the installation of potential harmful applications (PHA) in just 0.12% of cases. Note that the installations include apps downloaded from the Play Store and from alternative sources, as well as apps that were flagged as PHA but are actually harmless.

google verify apps defense (2) Qz

Finally, here’s a breakdown of the types of apps that actually go through Android defenses: 40% are fraudware (for instance, apps that send premium rate SMS), 40% are rooting apps that are not actually malicious, 15% are spyware, and 6% are miscellaneous.

Of course, even a penetration rate of 0.001% can result in many occurrences of malware, when billions of apps are installed every year. And it’s likely that some forms of malware and vulnerabilities are outside of Google’s data collection scope. With that said, this data does put the periodic security scares in a new light.

To finish off with a piece of advice, try to restrain yourself to the Play Store, keep Verify Apps on, and don’t just click through those security warnings.

  • MasterMuffin

    now we should just rememer to reply the url of this article to every iTroll saying how “droidz r laggy malware nestz rofl”! >:|

    • TechDevil

      Hahaha! I’m going to follow your comments from here on out, you sir, are a genius! You win my like!

    • Maher Salti

      all Operating systems that are open for all to install what they want are obviously prone to viruses/malware etc. But if you obviously know from what sources you’re installing imo there is no need for antivirus software..

      I only install from sources that I trust and from the play store. don’t have blackmarket or anything like that installed.

    • Seth Forbus

      I’d rather have the freedom to install whatever I want than the sense of safety the stale ios system can provide.

    • TheWenger

      No, you would have to wait until a popular, non-android focused news/blog site posts a story.

  • TechDevil

    People who are afraid of malware and shit can install Norton and other anti-threats on their devices anyway. Truthfully, I have zero respect for anyone who doesn’t buy an Android device based on malware.

    • On a Clear Day

      People don’t buy the iPhone because they are informed consumers; they buy it because they don’t want to have to make themselves informed consumers.

      Thus, their willingness to buy into the fragmentation B. S. as well as malware “threat”. In the end though – as evidenced by Apple’s stock’s precipitous drop from $700.00 to around $400.00 – the truth will win out and has started to affect the market’s perception of Apple even if the public is a little slow on the uptake.

  • Paul Wilks

    I’m pleased that this has been produced and I’m happy to share it. Previously, pretty much ALL the research comes from scare-mongering security companies desperate for you to buy their products. There was little or no independent (and therefore objective) research. As I suspected, the security companies were laying it on thick.

    I’ve said this before and I’ll say it again; I review Android apps and games. Most directly from the Google Play Store and occasionally some directly from developers. I’ve written over 1000 individual reviews and have downloaded many thousands more since I got my first Android and I have not once found a single app that included malware. There’s been a few spammy apps here and there, but nothing harmful.

    Yet the security companies consistently banged on about these ‘threats’ and now, it would seem, their data was subjective and exaggerated for the sake of their own marketing.

    Sure, you could argue that Google is fudging data to suggest their platform is more secure than it is, but I’m more inclined to trust this than the security companies who so badly want to scare you with foggy statistics.

    • TechDevil

      Truer words have never been spoken. It’s all hyped up for the security companies to make their annual profit. It’s a shame, though, as the less-technologically-experienced people will actually get scared by it. :(

    • Matthew Apostolou

      Couldn’t agree more!

    • On a Clear Day

      The security companies like any purveyor of any product know that to exist they have to find at least dream up some marginally credible, justifiable excuse for their existence to cause their prospective customers to think they truly need them; like politicians, they have no trouble obfuscating and skirting the line of demarcation that separates truth from falsehoods as long as they can incorporate plausible deniability when later their spurious claims have the light of reason and fact shined upon them.

      Being of like mind we can also note that Apple – a company known for its undying affection for hype over substance in most of its claims to fame – employs this technique with steadfast impunity total lack of compunction – constantly raising the horrid spectre of “fragmentation” and malware to help keep those who question little – and proud of it – in their fold.

      No one, who really and truly has taken a reasonable amount of time to seriously look into the underpinnings of mobile devices, operating systems and the companies that create the tech, manufacturer and sell it, could take seriously the hype of the malware “curers” or by the same token efforts at differentiation spun up by Apple.

  • satsmine2k4

    Have been high on android for like 4 years now, never had an issue with security… Have been using windows 7 for the same length and my CC details got hacked twice… I laugh at fans of other platforms complaining about Malware on android…

    • TechDevil

      To be fair, they are completely different platforms when it comes to viruses. Viruses for the Windows ecosystem differs from viruses in the Android/Linux ecosystem. I hope sometime in the future, Linux takes over and Windows just fades away.

  • michael sanchez

    I’ve been with android from the start and have never haf a problem, good to see google showing this now maybe the security company’s will stop with the scare tactics.

    • needa

      me either. nor my brother and his kid. nor my mother. nor any other person i know, he knows, she knows.

  • Mystery Man

    They are not referred to as rings like in winders?

  • Q.

    Interesting data, I can’t wait to present it to a WP troll or iTroll.

  • Randy

    Does this account for malware (potentially maskerading as legitimate apps, if not snuck into existing legitimate apps) that **exploits** the permissions granted ‘as expected’ such as to steal a copy of your contactlist, or those evading these control measures to fetch and install executable files not submitted themselves to Google Play (like Facebook Home was able to do)?

    • ratnok

      Both. Read the report.

  • Roj Beraña

    i’ll believe it if it’s done by a third-party researcher

    • needa

      like the third party research company that says 98% of all mobile traffic is done on an iphone/ipad. because that third party company uses the ios advert site to boost the data. so any app that is opened with ios adverts in them…. adds to the stats. i personally dont see a reason as to why google needs to lie on this. malware isnt that bad on android. it mainly comes from kids downloading every free game they can find. play store or not.

      • Roj Beraña

        i personally dont see a reason as to why samsung needs to cheat the benchmark tests

        • needa

          LMAO at you comparing samsung to google in that context.

        • ratnok

          What does that have to do with Google malware testing?

          • Roj Beraña

            the point is you can never trust a company doing a survey/test on their own products

  • Leonardo Rojas

    Being careful enough I’ve never had any issue with malware in Android either, but, I have avast! AV installed and running its shields, and as seems that it’s not affecting performance nor battery life (Razr i), I’m keeping it and even took advantage of their discount offer ($10.5 from $15 a year) and upgraded to their Premium service.

    Now I have all the features like applocking, automatic backups and specially Anti-Theft fully enabled.

    Anti Theft is really useful not only in its nature of helping recover your lost device, but in several other purposes n.n (like stealth SMS forwarding, incoming calls reporting, tracking, etc.) You can check out its SMS and web commands list in a manual found in its site (Help section), be curious and have several ideas for all its functions, specially if you have more than one Sim/number and smartphone, have kids and couple.

    Even the free service is very interesting, and if wanted, the AV can be uninstalled once the Anti-Theft is installed n.n

    Go check it out! n.n

    • ratnok

      Is this spam?

      • needa

        nah. he has 183 comments

      • Leonardo Rojas

        It’s an advice for curious people n.n

    • needa

      im not a fan of antivirus dealios on any of my computers. i actually dont run antivirus on any of my machines. in my opinion they arent necessary. but i dont have kids and i use chrome incognito for anything i might do that could mess up my machines. it has been years since i got any malware also. i do like that back-up option though. i get tired of losing the crap on my phone when i reset.

      • Leonardo Rojas

        The AV in my PC is just a complement, I know I haven’t faced a virus event in years. But, as careful as you can be, there are risks while surfing. Avast AV for PC is free of charge. There’s almost no excuse to not to have an AV running and covering your back. What if some friend of yours brings a pen drive? It can be infected.

        You do have a “kid”: your smartphone n.n Don’t you care for it? You’ll be sorry when it gets lost and you didn’t pay attention to some guy’s advice.
        That, and more can be done. But I’ve already talked about that.
        The automatic backups through Avast’s backup app needs the Premium service to be a nice automatic backup solution, and even so, sadly, it’s restricted to Google Drive only. I’ll be requesting more availability of servers for the backups as Google Drive has no yearly paid subscriptions that I can pay (too expensive). And I find Mediafire is the best server.

        Well, check out that link I left. It can give you ideas, and if you install Avast for mobile it can save you some hundreds of dollars. The paid yearly subscription is $15 only.

  • androidscales

    Windows is the worst os

  • APai

    half the trouble with malware stories are probably sponsored by the anti-virus industry, who look at mobile as the new sunrise industry. run a few stories of malware horrors and personal data on the phone…. get people into AV subscription – millions of phones – profit!!

  • Alex Ohannes

    I’m bookmarking this to use as future ammo in the Great Mobile War of the Appleolypse.

  • seyss

    android developers just dismissed developing the security features to protect your phone to a point where no antivirus is needed, like iOS.

    they just wanted to release a mobile OS ASAP to grab market following iOS success.

    as always, samsung/google are filled with bad nature and unethical people. they cheat benchmarks (as proven lately), pay people to post positive reviews on the web about their products and negative reviews about competitors, and other scams.

    samsung’s CEO Lee Kun-hee (asian dude) was convicted of several tax-related schemes. now compare this guy to US’ Tim Cook. a balanced individual who is highly ethical and moral.

  • BB BB

    I have never had a problem with Android security wise. In fact I love the encryption option, which could be better if it was reversible like on a blackberry with its AES 256-bit encryption. iCloudFinger 7 Airport Bypass video here…