It is thought that the British Prime Minister Benjamin Disraeli said that are three kinds of lies: lies, damned lies, and statistics. With the release of F-Secure's Q3 2012 Mobile Threat Report and a subsequent clarification, both of which are full of statistics, it is time to look at the real truth behind Android malware numbers.
The report reveals that during Q3 “a whopping 51,447″ unique malware samples were detected and that the surge is likely due to “the continued high growth in Android smartphone adoption,” particularly in China and Russia.
51,447 new bits of unique malware for Android sounds scary especially since that is the number for a 90 day period. Do a bit of extrapolation and it means that there are 200,000 new bits of Android malware every year, that is over 560 new malicious apps every day!
But, hold on, we are dealing with statistics here… In F-Secure's clarification it actually points out that of the 51,447: 28,398 were malicious samples and 23,049 were potentially unwanted software (PUA) samples. What does F-Secure mean by potentially unwanted software? What it means is that these apps are not harmful in themselves but they could be used for harmful purposes. For example, one of the PUA's listed by F-Secure is “AccuTracking GPS Tracker” a program designed to turn a phone into a GPS tracker! It has had between 100,000 and 500,000 downloads and has received over 200 reviews on Google Play. One user wrote “I am glad the service is finally on android – we pay $7.99/month for each of our 10 trucks – full real time tracking with history, speed alerts to management, and geofence – this is by far the least expensive option to track fleets of trucks – it is a bulletproof great service.” However, according to F-Secure it is a PUA. The security company does admit that the app is “not malicious in itself” but it does introduce “a potential risk for misuse with malicious intent.”
What's more, Google is hosting 13,639 of these apps on the Play Store. In other words, F-Secure says there are over 13,000 dangerous apps on Google Play and Google doesn't know anything about it! Hmmm… I don't think so… let's drop the PUA statistic for the moment.
That leaves 28,398 malicious samples. Now these could be real, dangerous apps which can steal banking information or send premium rate SMS messages. They are not to be easily dismissed. However, of the 28,398 only 146 were found on Google Play. Now here is the real statistic. Google Play hosted (probably temporarily) 146 bits of malware in Q3.
My assumption is that Google Play isn't serving any of those 146 samples today and that Google's security mechanisms have flushed them out. However 146 malware samples from the official Android app store is 146 samples too many. But it is a far cry from 51,447 unique samples mentioned in the executive summary of the report.
But there is one more statistic that F-Secure mentioned in its breakdown. A sample does not necessarily equal a threat. Let me repeat that, a sample does not necessarily equal a threat. In fact F-Secure go on to say “based on our detections, the number of ‘families' in the wild is actually down when compared to Q3 2011.” Down, not up!
So what can we learn. First don't install apps from dodgy third party sites, stick to places like Google Play or the Amazon appstore. Second always read the reviews of apps before installing them. Third, check the permissions the app needs. Games generally don't need to send SMS messages! And last, but not least, always take statistics with a pinch of salt.
What do you think, is the Android malware situation being hyped? Share your thoughts in a comment below.