More Android malware FUD is the only thing that is sprouting

Summary: Yesterday, ZDNet's Rachel King picked up a malware story from security vendor Webroot. Now questions have arisen about the accuracy of the article, and the tactics and credibility of the vendor.


A coworker worried about Android security sent me a link to an article from Rachel King yesterday called "More Android malware sprouting up amidst 2012 Olympics". People who don't follow Android closely get very anxious about malware stories so I'm constantly having to investigate them and clear up the FUD.

Update 4: For Webroot's response, read: More on Olympics malware.

This article has several problems, including:

  • It doesn't link to the original report, which can be found here. According to Rachel, the report was sent to her under embargo and published on a timer before the report went public. (Update: Rachel has since added a link)
  • It uses a screenshot which was cropped in a misleading way that makes it look like the malware app had lots of downloads. In fact this is a screenshot for a popular non-malware app called Spotify. Compare the cropped image used in the article, to the fuller version now at (I've copied the images below in case these links go dead.) Update 3: Rachel contacted me to say that the vendor supplied the full image and that she inadvertently cropped it while uploading the article. The cropped one is still up, however.
  • The article doesn't say that the program asks permission to read your contacts list and SMS messages and you have to agree to let it do that or else it won't be able to get your info.  Sometimes there's no accounting for user carelessness.
  • It quotes, or links to articles that quote from, self-serving malware scanning companies that try to scare people into buying their products, which tests have shown don't usually work anyway. Companies send out these press releases, journalists write articles that quote them, and then those new articles are quoted as gospel in later articles. People, please follow the links back to the original sources, and consider their motivations.
  • It makes sweeping generalizations such as: "Android is still an open source platform at heart, which is what makes the mobile OS quite vulnerable in the first place". Open source usually makes programs less vulnerable, not more vulnerable. It also says, "Google Play and the Amazon Appstore don't screen every app available in these digital app stores for malicious code until they are reported". Actually both those stores have automatic screening programs. They don't catch everything but they do help. 
  • Readers of the article were quick to point out some of the problems. For example,
    • "Since your article has a screen shot of a google play store app (with out showing the title of the app), is this the app in question with 92,512 ratings or did you just put that in there for effect?"
    • "The image used is totally out of context and both articles probably more sensational than helpful."
    • "I'd have to question your sources in this case, since it seems to me that McAffee and Webroot (both of whom provide anti-virus and anti-malware services) have quite a bit to gain by writing sensationalist headlines like this to scare people into thinking their Android phones can be as easily virused as a Windows computer, which just isn't the case."

Unfortunately, Rachel's story has already been linked, copied, and shared over 10,000 times according to Google Search, and some of the reactions are like "Glad I've got an iPhone" and "Well what do ya know, go figure... MORE Android Malware".

Here is the original image. In context, it is trying to point out that you should look for clues like the "Top developer" badge before trusting an app with sensitive information:

Full version of image

Just to clarify, Spotify is NOT malware. It's being used as an example of a well-behaved app from a trusted developer.

But here is the cropped version that ended up being used in the article. Neither the app name nor the "Top developer" badge is visible. At first glance, I thought it meant the app had been downloaded over 92,000 times:

Cropped version

What are the ethical considerations of publishing material from security vendors that clearly have an interest in whipping up fear of security threats, real or imagined? Should we even accept embargoed information and write about it before it goes live? I'll let you judge that for yourself.

Update 2: Rachel has added two more links to her article as "further reference about malware presence on Android". They are:

 - A study from British Telecom saying that almost every Android device is infected with malware. I guess she missed the update 3 days later about BT backpedaling on those claims.
 - A study from my alma mater NC State. This one is actually a good read. It points out that the vast majority of malware is found outside the Google Play Store, presumably because of scanning before something is published in the official store and takedowns of anything that gets through. According to the project's web site, their work is supported in part by Google.

Topics: Security, Android, Apps, Malware, Mobile OS

Ed Burnette

About Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.

  • More Android malware FUD is the only thing that is sprouting

    More scare monger tactics from anti-malware and anti-virus solutions providers.
    • IOS lack of security is the only fact

      There is at least one case where an Apple user lost all data on all Apple devices because he was easily hacked with IOS phone password recovery. All linked accounts were hacked.

      So far Android has proven to be safer, as no similar instance has happened.
      • Pretty lame even for you

        An article discrediting another article misrepresenting Android Malware in which nobody has even mentioned iOS in the talk backs and the best you can do is your own FUD about iOS? I am sorry but that is just pathetically lame. How about you mention the fact that the hacker was able to access the user's Apple account only because he was able to get personal information from the user's Amazon account first.
  • ..

    If you believe what you read, see, hear in the media you are a fool.
    Scarface Claw
  • Are you implying that malware reports against MS Windows, Apple OS X and

    Android software by security firms are SELF SERVING and any security concerns or threats are over-hyped and/or flat out misleading in order to promote the sale of their anti-malware products?

    Unbelievable! Who would have suspected that!
  • Thanks for the follow Up

    It is appreciated. Sadly 10,000 links were made.
  • Hypocrisy much

    The author complains about the referenced article making "sweeping generalizations", and then goes on to do the same, just even worser. Like stating, that "open source usually makes programs less vulnerable, not more vulnerable", which is obviously totally false information. Code security generally has nothing to do with the code being open or closed, and no software will be more secure just because its code is open. Actually, if anything, the opposite is true, because with the code available to everyone a practice called "security through obscurity" can not be used in the program.

    (Please, save me the lesson about "security through obscurity"'s supposed inferiority, because everyone knows the drawbacks of this technique. None the less it still is a form of security, which can add to the overall security of a system. Even though obviously it's not a good thing to build the entire security on it, because then it will fail in one easy step. That however does not change the fact that it adds to the security of the system and lowers its vulnerability as long as the secret doesn't get out. If that ever happens - which is a big if anyway - it still doesn't make the system weaker, just forces it to rely on other security techniques, and takes the security advantage it had for some time over an open solution.)

    That said, it's obvious that there's a marketing campaign going on against Android, to wake the impression that its security system is weaker than for ex. that of Apple's, while obviously that's not true. But then again, who is to blame for that, especially in spite of the fact that Google uses the same FUD tactics to smear its competitors, like Internet Explorer or Windows. Which are also both more secure than Google's own competing products.
    • "Just even worser?" Really?

      I don't know of large groups of viruses and other malware that require access to source code to work. They simply take advantage of security holes in the finished software. My experience tells me that open source providers and users tend to work together to quickly find security holes and patch them. Open source users tend to be geeks that are very much interested in the inner workings of their system (no offense intended, brothers and sisters). Security patches are issued on an almost daily basis, not once a month. If the average closed source user, which is a home user with limited computer literacy (statistically correct), is shown a link that offers them free "whatever", what will they do? If that same user is presented a window that states that a security update is available and will take an hour to download and install, but they will not be able to watch ?tube or play their on-line game during the download, what will they do?

      With Android, much of the security responsibility rests with the end user. Regardless of where the software comes from, the user is given a list of permissions that the software is asking for. If a ringtone maker is requiring access to your location, personal information, or contacts, that should throw up a red flag. In the end, a user that simply accepts all permissions and clicks "install" without thinking about what they are doing deserves what they get.

      Like it or not, security is an inter-active process. The end user needs to accept patches and carefully think about security info that their system is giving to them. If they don't, then they are loading their own gun and handing it to someone they don't know.
      • "Like it or not, security is an inter-active process."

        I wish everyone would start to realise this. Most of the time Users/Consumers never want to take the responsibility for doing something silly (Like believing everything that the internet tells them).

        As a Lan Admin/Support Tech/Developer, I have learned that this is very true:
        "Make something fool proof... and they will invent a better fool."
    • Security of open source

      I can provide a number of citations and studies to back up that claim if you like. What/how many would it take to convince you?
      Ed Burnette
  • Android malware is really true.

    I am not an android user, but two colleagues of mine who are android users got virus. So what are the odds, just extrapolate.
    • Well

      if we extrapolate from that (I have to say, rather limited) survey, then all android devices are infected with viruses. Wait a minute, I can name 3 people, all on android, that haven't had a virus, does that mean I win and equally if we extrapolate further, that no android devices have viruses? I'm confused.

      Other than your two friends clearly shared the same dodgy pron app, I'm sorry to say, your post means nothing. But thanks for trying.
      Little Old Man
      • Pull your head out of the sand fanboi...

        The Roid app store has been infested with malware since day one. You want proof? Simply Google "Android Malware" and filter by news. You will find malware stories going back to the launch of the first iPhone Roids.

        All you fan bois get so butt-hurt that Roid is a festering cesspool of malware and has been since day one. Either that or you bury your heads in the sand and then lash out at anyone who so much as whispers malware and roid in the same sentence.

        Grow a brain and get a clue Roid bois, Roidville is as open as the wild west and there is no sheriff. What that means for every day non techies is that they are sitting ducks in Roidville. They also may not wish to deal with how much of a pain in the butt it is to babysit a Roid device. Yes, I know, you don't consider it a pain in the butt because you like having to tweak your roid and you consider it fun/play. But the general public doesn't know how, why, or when, and all that unknown and uncertainty stresses them out. So to them, Roids are a pain in the butt. To the rest of us techies/nerds who tired of having to constantly tweak something in order to keep it smooth and cool, we got over that phase about a decade ago and have since moved on to better things. We Find Roid to be a pain in the butt too.

        It's nice that you have a shiny new toy and that you can play with your Roids all day and night and that makes you happy. But that does not make it a good device, it just makes it good for a select few who like playing with Roids.

        Now, take your heads out of the sand and say it with me... The Roid store is a festering cesspool of malware. We all know it, but it is the byproduct of not having a walled garden and some of us like it and prefer it and are geeky enough to navigate around the malware.
    • Are you yourself just one of those Apple fanboys?

      Or are you just as naive as those who believed that "Asian Android botnet" story?
    • bad apps

      >>but two colleagues of mine who are android users got virus
      Your colleagues had installed an app or apps with a malware. However,
      1) it is different from "inadvertently clicking on a link (in a web browser), inserting a flash drive in the pc" way of getting it. This way is notorious in the Microsoft Windows world.
      2) getting a malware by installing a bad app is also very "popular" in the Windows world, due to the lack of secure Redmond's repositories, unlike GNU/Linux and *BSD distros. The reason Android is still MORE secure than Windows is that UNLIKE on a Windows machine you CAN look in the permissions of the app before you install it!!!

      So suggest your unlucky friends to read the permissions of the app before every installation. Really, it is as easy to get suspicious about too much permissions that an app wants as in the veracity of the claim: "You just won $500,000! Please provide your bank and credit card information so we could send you the prize!"
    • "but two colleagues of mine who are android users got virus"

      WINDOWS virus!
    • Details please

      I'd like to know more about the virus your colleagues got. The technical name of the virus or an article about it would be ideal.
      Ed Burnette
  • The purpose of Linux/Android FUD is quite simple...

    ...Linux is not just dominating supercomputers and servers. It has taken also smartphone (68% marketshare in Q2 2012) and probably taking bigger slice after Nexus 7 etc have released.

    Both Microsoft and Apple are very, very scared of Linux. No wonder. With 63% market share of mobiles in era where mobiles are selling 2.2 times more than non-mobile pc's is real red alarm for especially Redmond advocates.
    • Selective analysis

      Android is not Linux. Android runs ON Linux. It's a subtle distinction but an important one. Linux is successful on phones EXACTLY because end users never see it. Android could easily be ported to any other platform and already has been ported (by automated process, nonetheless) to .Net which would let it run on a vastly wider range of systems.
      The Werewolf!
      • Kernels never talk directly to users

        And Linux is a kernel. Android is an operating system based on the Linux kernel, just like Red Hat, Debian, Slackware, and numerous other distros.
        John L. Ries