A Comment on the Recent Massive Android Malware Op
by Catalin Cosoi, on 01 February 2012
The story that broke in the last few days on what was claimed to be the largest malware wave yet to target the Android platform raised an interesting question: What do we class as malware?
Malware is short for “malicious software”: software designed to disrupt the normal behavior of the device (tablet, computer or smart-phone), gather sensitive information or gain access to other devices. The apps covered in the report by Symantec, though, could more properly be termed aggressive advertising.
As the range of questionable Android apps – whether malicious or just annoying – will undoubtedly grow hugely in 2012, it becomes more and more important to make sure we are classifying them properly, and educating users as to what they can do to avoid them.
Since we’ve already seen a 4500% increase in malware types for Android in 2011 compared to 2010, it’s clear that the threat is real and that it will continue to expand in 2012. However, the malicious apps we found during 2011 were designed to obtain root access on the device, send text messages to premium rate numbers or extract sensitive information from the device (contacts, text messages, GPS location, etc.). The apps uncovered by Symantec weren’t doing any of the above; their main issue was that they were annoying users with unwanted ads.
On the other hand, most of the apps described clearly stated that, in order to be used for free, they would display ads, so users should have been aware of the annoyance to come. Users also accepted the required permissions upon installation.
It’s mandatory to correctly identify malicious apps. Stating that a certain list of (possibly useful or fun) apps is malicious just because the apps are annoying will lead to a decrease in users’ trust in the current security solutions for mobile devices, as at a certain point such detections can be considered false positives.
It’s a good idea to have an AV solution on your Android device in order to stay safe, and it’s also crucial to educate users on how to protect themselves, but there is far too big a gap between this and actually scaring users into purchasing security software. We definitely don’t want the same marketing model as fake AVs.
The threats are out there and people should know about them, but there is a thin line between education and aggressive marketing.
Catalin Cosoi
Chief Security Researcher