Android security suffers the slings and arrows of outrageous fortune


Summary: Android's overwhelming popularity may be its undoing. Malware against Android exceeds threats against Windows. The threats are bigger and more is at stake than ever before.


The Android platform is experiencing a phenomenon that Windows users have known for years: malware onslaught. As I showed you in my recent article, "Should security concerns slow BYOD trend? Probably.", Android devices are being targeted at an alarming rate. In fact, this Android malware threat has grown so quickly that some security researchers and security analysts predict that more than one million high-risk Android apps will enter enterprises this year.

The two primary factors leading to this decimation of the Android landscape:

  1. Android's popularity.
  2. Its open source code.

I'm afraid that it's true. Android's popularity and open nature are also its undoing.

Malware writers and proliferators look for two things in their quarry: a large attack surface and low-hanging fruit, such as exposed source code.

Malware is malicious software that can take many forms: viruses, worms, trojan horses and spyware.

Although the Windows source code isn't exposed, Windows had a lot of low-hanging security vulnerability fruit ripe for the picking and a huge attack surface. Android's sheer popularity, familiar Linux underpinnings and exposed source code make it easy prey for those bent on creating software-based havoc for millions of innocent users.

Infonetics conducted a survey that covered enterprise mobile security and found that,

  • Approximately 1/3 of the respondents allow BYOD.
  • More than 2/3 said "rogue" devices are driving new mobile security efforts.
  • More than 3/4 said they have purchased or have researched mobile security software.
  • Almost all enterprises will experience major security incidents by 2015.

The number one factor on which enterprises base their mobile security solution purchases is cost.

Allow me to editorialize and maybe even "preach" for a moment on this topic.

If security threats are raising your awareness, why is cost the number one factor in your decision making? I know that costs have to be watched as carefully as front door security but seriously, you need to cut corners in some other areas and not in security. Perhaps you should cut out the catered lunches, trips to Las Vegas conferences, private jets, boxed seats at sporting events and other corporate fluff and perks before you go "cheap" on security.

Security is not the place to be penny wise and pound foolish.

OK, I'm stepping down from my soapbox.

One easy thing to do for mobile security is to require that anyone who attaches to a corporate network do so via an SSL VPN. The VPN guarantees that communications between the device and the corporate network are encrypted and can't be hijacked. VPN software is generally free and included on some mobile platforms.

A recent study conducted by Verizon's RISK Team and several international police organizations yielded some interesting results on malware and security breaches:

  • 98% of all breaches were externally sourced.
  • Only 4% of security breaches were internally linked to employees.
  • 58% of data theft is tied to "hacktivist" groups.
  • 81% of breaches involved some form of hacking.
  • 69% incorporated malware.
  • 79% of victims were targets of opportunity.
  • 96% of attacks were not highly difficult.
  • 94% of data compromised involved servers.
  • 85% of breaches took weeks or more to discover.
  • 92% of incidents were discovered by third parties.
  • 97% of breaches were avoidable through simple or intermediate controls.
  • 96% of victims subject to PCI DSS had not achieved compliance.

I want to draw your attention to the statistic that states "69% incorporated malware." That means that more than 2/3 of the current attacks launched are using some form of malware. That is not a small bit of information. It means that malware (malicious software that can take many forms: viruses, worms, trojan horses and spyware) is making its way into your company's devices.

The other interesting statistic that you should ponder is that "92% of incidents were discovered by third parties." Third parties such as security consultants, software vendors, hardware vendors and service engineers are finding the breach before anyone in your company does. Additionally and related, 85% of breaches took weeks or more to discover.

The threat is real. But it isn't just a threat, it is real data being stolen, real data being destroyed and real costs impacting your business.

If you're allowing BYOD in your company, implement security measures now. Hire a top-notch security consultant and check your current status. Chances are very good that your data has already been compromised. If it has, you need to know.

Every device that has been connected to your network also needs to be checked for malware and compromise. The numbers that I've given you should convince you that there's a real problem at hand. Android devices are especially vulnerable to malware infections because of the number of App Stores from which users can pull apps. Google Play is reliable but there are many others that are not.

You should have mobile security software in place that dictates which App Stores are allowed. You should also require users to install software on their Android devices that checks for malware. It's also a good idea to have your users encrypt their Android devices.

Here's your bucket list of things to do to help prevent security breaches:

  • Set up MDM/MAM software to manage mobile devices and security.
  • Require VPN connectivity for all devices.
  • Require device passwords.
  • Require device encryption.
  • Require anti-malware software.
  • Implement ACLs and Firewalls.
  • Audit data files.
  • Set up alerts on log files.

This list will decrease your exposed attack surface by 90% or more. You can't remove all threats of compromise but you can certainly lower your risk to a more comfortable level.

What kinds of measures are you taking to lower your attack risk? Do you think that using Android devices is too risky? Talk back and let me know.



Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

  • Whatever Man

    When people can walk up to your iPhone and bypass the security again after a previous exploit was patched, I would say your walled garden is a glass house!
  • It's not popularity as both iOS and Android are popular

    It's all about the garden. Apple's walled garden, while not perfect, has kept a lot of miscreants out. In addition, there's no option to side-load iOS apps, unless one jailbreaks their iOS device.

    Google is more open with apps allowed in Google Play. Thus, the miscreants get their apps into Google Play. In addition, Android allows users to install apps from unsafe sources. Side-loading malicious apps is what gets Android users into trouble.

    P.S. The ticking time bomb for Android is the failure of many OEMs and carriers to apply Android security updates and/or provide upgrades in a timely manner.

    As for the open-source bit, that's a fail too. Just have a look at OpenBSD security advisories:
    Rabid Howler Monkey
    • exactly

      I totally agree with you.
      Ram U
    • popularity

      Ahhh apple fans you never change. Remember the code signing fiasco, safe app that was approved in the appstore that then checked in with the server downloaded the malicious component and became something which could let the bad guys download your contacts emails etc....I do.
      ZDNET you never change and that's comforting. You will always take whatever opportunity to fearmonger in terms of Android and laud apple, so it's easy to know the journalistic integrity is nil when you are the source.
      • RE: popularity

        druter wrote:
        "Ahhh apple fans you never change."

        Am not an Apple fan (what interests me most at the moment is Canonical's entry into mobile devices with Ubuntu). Did you even bother to read my post? I'll repeat the relevant portion to make it easy:

        "Apple's walled garden, while not perfect ..."

        You see? I never stated that Apple's walled garden is perfect. It's just superior to Android's garden with regard to safety and security. That said, it's possible for Android users to stay out of trouble:

        1. Peruse app reviews in Google Play before installing an app
        2. Read the privileges requested by apps before installing from Google Play (don't install an app if it requests privileges you don't believe it should have)
        3. Don't install apps from untrusted sources (and leave the default setting be)

        Sadly, many Android users choose to behave as if they're on a Windows desktop PC with UAC.
        Rabid Howler Monkey
    • Partial Agreement

      There are always two models to keep in mind when thinking about computer security, economics and evolutionary. Regarding the latter, it is predator-prey and both adapt to changes in the other population. As to the former, there's a cost/benefit calculation which means that something that is easy is de-prioritized for something that is easier.

      Open source is not a necessary and sufficient factor and OpenBSD is an excellent counter-example. Market share is not a necessary and sufficient factor, and we've been seeing counter-examples to that point for years. (So, is it my imagination or do the same people who har-de-har over "Year of the Linux Desktops" predictions have a few "OS X is now so popular that it soon will share the same number of [new] attacks as Windows" predictions in their drawer? Well, maybe I'm wrong about that.)

      Apple bypasses the carriers to a large degree in its updates. (That would be the Vodafone people who are now calling me Captain Obvious.) This streamlines the degree to which vulnerabilities get closed. I don't want to FUD up the place, but I think many Android users have phones that cannot be updated because the carriers got in the way. I think this will change, if it hasn't already.

      One thing we should keep in mind, you can lead a horse to an app, but you can't make the horse install it. Don't we see statistics suggesting that while the Android phones are popular, the engagement factor with regards to browsing and apps is less than with the iOS devices?

      Going back to predator and prey, if the prey don't go near the traps, does it matter how many are set?
  • That's

    because they don't publicly shoot these scumbags.
  • The same problem never killed Windows

    Although I think Google needs to address it more aggressively. Cloud storage/synch and remote scan/re-imaging may be part of the solution.
  • More FUD than anything

    I still have to see reports of real attacks, so far I only read a report about a couple of malware applications that were downloaded in significant amounts, but clearly by reckless people... and I'm not saying those shouldn't be protected, but sometimes they do get what they deserve - I'm meany :P
    Obviously the size of android is so big that it is a natural target for the "bad guys".

    I don't agree (or at least it must be explained) that open source is worse; if it's true that code is open to the malware makers, it's also open to people who don't have bad intentions. Code reviews are an important tool for better code, and open source is sometimes like a giant code review - sometimes for the bad, others for the good. Does the bad outweigh the good?! I doubt it.

    One thing is for sure, mobile devices are very personal and probably will contain information that is more sensitive than we are used to find in "traditional" desktop PCs. So security must be taken even more seriously.
    • That's Interesting...

      "Obviously the size of android is so big that it is a natural target for the "bad guys"."

      Funny and sad, that 3 or 4 years ago all I heard was that the installed base/market share had nothing to do with malware targeting.
      • Not from me

        Spammers, virus, .... go after the weakest link and where the majority is. It's very obvious for me.
        It's the same as windows vs linux desktop, why waste much time writing malware for desktop linux?!
  • It's painful to see someone in 2013 citing 'open source' as a vulnerability

    Even your advertyrants at Redmond have started touting FOSS. I'm taking you off my tech list for being an obsolete ideologue.

    Sorry, I don't mean to flame, but there comes a point. Stop selling silliness and give up on that yacht.
    • Are you saying his point is incorrect or are you upset on principles?

      The author isn't saying Open Source is more vulnerable than closed source. Just that in the case of Android it is giving more tools to malware writers.

      The Android open source model isn't exactly as open as the linux model is. Plus Android exists entirely as a commercial model to drive consumers to Google services. It can be used for other purposes, but Google is trying their best to squash that. It is a strange beast.
    • Nothing to do with opensource

      It's about platform popularity, plain and simple. What a bunch of FUD.
      Tired Tech
      • Nothing to do about popularity or open source

        It has to do with the POOR quality of the platform.

        Android is a hacked product and Google doesn't even have a SQA group. Updates are released when the developer claims it is ready, and no additional test is done on the source.

        So the problem is Google's lack of quality control and lack of care for the user. Android is a data mining tool for them and to data mine you have to turn off even basic security.
    • Android is not complete open source

      please don't add it to Open Source Movement. Google is nowhere near a real open source company.
      Ram U
      • Re: Android is not complete open source

        Which parts are not Open Source?
  • Android security suffers the slings and arrows of outrageous fortune

    Android security suffers because it's linux and linux is pretty insecure by default. Leaves the telnet open as well as taking over 2 years to fix any flaws. That and Google or android developers just don't care about it. All they are concerned with is making money on the sale, after that your on your own.
    • I think you covered most of your standard bases

      But you forgot about "compiling your own", AGAIN.

      And btw, it should be "you're on your own", but we know you are a slow learner in pretty much any endeavor.

      And I pity the fool who gave you a vote. He/she must a step below you, if that is even possible.
      • Oddly enough...

        "And I pity the fool who gave you a vote. He/she must a step below you, if that is even possible." is possible to give yourself a vote.