Android malware, FUD, and the FBI

A badly written FBI warning about Android malware has been taken to be about Android's security, when it's really about idiot users.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The Internet Crime Complaint Center (IC3), a U.S. government task force made up of the FBI and the National White Collar Crime Center, recently issued an Android malware warning. This has been taken by some to be yet more proof of how insecure Android is compared to Apple's iOS. Please. Give me a break.

All the IC3's badly written, vague release really said was that: "The IC3 has been made aware of various malware attacking Android operating systems for mobile devices. Some of the latest known versions of this type of malware are Loozfon and FinFisher." And, what are these?

Loozfon is a Trojan horse that Symantec reports as having fewer than 50 reported instances. FinFisher is a much more serious spyware program.

FinFisher has been around for years on Macs and Windows PCs as "legal" spyware from Gamma International, a UK security company. Recently it's been ported to all the major mobile devices, including Android, BlackBerry, and, yes, the iPhone. It is in no way, shape, or form purely an Android problem.

In any case, neither program is a classic computer virus. They require users to go above and beyond the call of stupidity to catch them.

With both, you typically need to open a suspicious-looking email, then follow a link, and then agree, in Android's case, to download the unknown Android application package (APK). After that, you have to tell your smartphone or tablet to install it even though it's not in Google's Play Store, ignore the malware warning, and then you finally get to infect your device.

In short, these malicious programs don't really infect devices. Maliciously stupid users do. Or, in the case of FinFisher, it might be your employer or your government.

The real problem with Android security though isn't malware that requires a fool's active co-operation. No, the true trouble is that Google still doesn't do anything like enough checking of applications for security risks before it lets them go on the Google Play Store. This is one thing that Apple does do better with its app store than Google does.

The good news is that Google finally seems to be getting its act together in stopping these real threats. According to a report, Google will soon be integrating a malware scanner in the Google Play application store. Neither Google, nor anyone else, can stop fools from being fools, but the search giant is finally working more seriously on solving Android's real security problems.
