A coworker worried about Android security sent me a link to an article from Rachel King yesterday called "More Android malware sprouting up amidst 2012 Olympics". People who don't follow Android closely get very anxious about malware stories so I'm constantly having to investigate them and clear up the FUD.
Update 4: For Webroot's response, read: More on Olympics malware.
This article has several problems, including:
- It doesn't link to the original report, which can be found here. According to Rachel, the report was sent to her under embargo and published on a timer before the report went public. (Update: Rachel has since added a link)
- It uses a screenshot which was cropped in a misleading way that makes it look like the malware app had lots of downloads. In fact this is a screenshot of a popular non-malware app called Spotify. Compare the cropped image used in the article to the fuller version now at webroot.com. (I've copied the images below in case these links go dead.) Update 3: Rachel contacted me to say that the vendor supplied the full image and that she inadvertently cropped it while uploading the article. The cropped one is still up, however.
- The article doesn't say that the program has to ask for permission to read your contacts list and SMS messages, that Android shows you that list of requested permissions before the app is installed, and that unless you agree to grant them the app can't get at your info. Sometimes there's no accounting for user carelessness.
- It quotes, or links to articles that quote from, self-serving malware-scanning companies that try to scare people into buying their products, which tests have shown don't usually work anyway. Companies send out these press releases, journalists write articles that quote them, and then those new articles are quoted as gospel in later articles. People, please follow the links back to the original sources, and consider their motivations.
- It makes sweeping generalizations such as: "Android is still an open source platform at heart, which is what makes the mobile OS quite vulnerable in the first place". Open source usually makes programs less vulnerable, not more vulnerable, and in any case the program described here doesn't exploit any flaw in Android; it relies on the user installing it and granting it permissions. It also says, "Google Play and the Amazon Appstore don't screen every app available in these digital app stores for malicious code until they are reported". Actually both those stores screen submissions automatically (Google announced its Bouncer scanner for Google Play in February 2012). They don't catch everything, but they do help.
- Readers of the article were quick to point out some of the problems. For example:
  - "Since your article has a screenshot of a Google Play store app (without showing the title of the app), is this the app in question with 92,512 ratings or did you just put that in there for effect?"
  - "The image used is totally out of context and both articles probably more sensational than helpful."
  - "I'd have to question your sources in this case, since it seems to me that McAfee and Webroot (both of whom provide anti-virus and anti-malware services) have quite a bit to gain by writing sensationalist headlines like this to scare people into thinking their Android phones can be as easily virused as a Windows computer, which just isn't the case."
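A check for the permission point raised in the list above, added here as a worked example; it is not code from the article, from the Webroot report, or from any Android tool. It lists the permissions an app requests, taken either from a decoded AndroidManifest.xml (the kind of text apktool produces) or from the lines printed by `aapt dump permissions app.apk`, and flags the ones that let an app read contacts or SMS. The package name, the sample manifest, and the sample aapt output are constructed for the example, and the set of flagged permissions is my own choice, not a list from the report.

```python
"""Show what an Android app asks for before it is installed.

Added example for this post; not code from the article, the Webroot report
or any Android tool. Lists the permissions an app requests, from a decoded
AndroidManifest.xml or from `aapt dump permissions` output, and flags the
ones that reach contacts or SMS, the two things the post says the program
asks for.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose the address book or SMS. Assumed set for this
# example, not a list taken from the report.
DATA_HARVEST_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_SMS": "read stored SMS messages",
    "android.permission.RECEIVE_SMS": "see incoming SMS messages",
    "android.permission.SEND_SMS": "send SMS messages, possibly to premium numbers",
}

# aapt has printed these lines in two styles over the years:
#   uses-permission: android.permission.READ_SMS
#   uses-permission: name='android.permission.READ_SMS'
AAPT_PERMISSION_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)", re.M)


def permissions_from_manifest(manifest_xml):
    """Return the uses-permission names declared in a text AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def permissions_from_aapt(aapt_output):
    """Return the uses-permission names from `aapt dump permissions` output."""
    return AAPT_PERMISSION_RE.findall(aapt_output)


def data_harvest_risks(permissions):
    """Map each requested permission that reaches contacts or SMS to what it allows."""
    return {p: DATA_HARVEST_PERMISSIONS[p] for p in permissions if p in DATA_HARVEST_PERMISSIONS}


def report(permissions):
    """Human-readable summary; returns the lines so callers can print or log them."""
    risks = data_harvest_risks(permissions)
    lines = ["Requested permissions: %d" % len(permissions)]
    for p in permissions:
        mark = "!!" if p in risks else "  "
        note = ("  <- can " + risks[p]) if p in risks else ""
        lines.append("%s %s%s" % (mark, p, note))
    if risks:
        lines.append("The app can only do the above because you agree to it at install time.")
    return lines


# Constructed manifest for an "Olympics 2012" app that wants contacts and
# texts. Not taken from any real sample; the package name is made up.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.olympics2012">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Olympics 2012">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed `aapt dump permissions` output, mixing both line styles.
SAMPLE_AAPT = """\
package: com.example.olympics2012
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.RECEIVE_SMS
"""

if __name__ == "__main__":
    print("\n".join(report(permissions_from_manifest(SAMPLE_MANIFEST))))
    print()
    print("\n".join(report(permissions_from_aapt(SAMPLE_AAPT))))
```

The point is not that you need a scanner to see this: Android itself shows the same permission list before you tap Install. The script just makes it easy to compare what an app asks for against what it claims to do; an Olympics schedule has no business reading your texts, and if you tap through that prompt anyway no app store screening or antivirus product is going to save you.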