More Android malware FUD is the only thing that is sprouting

Yesterday, ZDNet's Rachel King picked up a malware story from security vendor Webroot. Now questions have arisen about the accuracy of the article, and the tactics and credibility of the vendor.

A coworker worried about Android security sent me a link to an article from Rachel King yesterday called "More Android malware sprouting up amidst 2012 Olympics". People who don't follow Android closely get very anxious about malware stories, so I'm constantly having to investigate them and clear up the FUD.

Update 4: For Webroot's response, read: More on Olympics malware.

This article has several problems, including:

  • It doesn't link to the original report, which can be found here. According to Rachel, the report was sent to her under embargo and the article was published on a timer before the report went public. (Update: Rachel has since added a link.)
  • It uses a screenshot that was cropped in a misleading way, making it look like the malware app had lots of downloads. In fact it is a screenshot of a popular, non-malware app called Spotify. Compare the cropped image used in the article to the fuller version now at (I've copied both images below in case these links go dead). Update 3: Rachel contacted me to say that the vendor supplied the full image and that she inadvertently cropped it while uploading the article. The cropped one is still up, however.
  • The article doesn't say that the app has to declare permissions to read your contacts list and your SMS messages, and that you have to accept those permissions at install time; if you don't, it cannot get at your information. Sometimes there's no accounting for user carelessness.
  • It quotes, or links to articles that quote, self-serving malware-scanning companies that try to scare people into buying their products, which independent tests have shown don't usually work anyway. Companies send out these press releases, journalists write articles that quote them, and then those articles are quoted as gospel in later articles. People, please follow the links back to the original sources, and consider their motivations.
  • It makes sweeping generalizations such as: "Android is still an open source platform at heart, which is what makes the mobile OS quite vulnerable in the first place". Being open source does not in itself make a program more vulnerable; if anything, code that anyone can read gets more scrutiny, and bugs get found and fixed faster. It also says, "Google Play and the Amazon Appstore don't screen every app available in these digital app stores for malicious code until they are reported". Actually both stores have automated screening programs (Google announced its Bouncer scanner for Google Play earlier this year). They don't catch everything, but they do help.
  • Readers of the article were quick to point out some of the problems. For example,
    • "Since your article has a screen shot of a google play store app (without showing the title of the app), is this the app in question with 92,512 ratings or did you just put that in there for effect?"
    • "The image used is totally out of context and both articles probably more sensational than helpful."
    • "I'd have to question your sources in this case, since it seems to me that McAfee and Webroot (both of whom provide anti-virus and anti-malware services) have quite a bit to gain by writing sensationalist headlines like this to scare people into thinking their Android phones can be as easily virused as a Windows computer, which just isn't the case."
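Since the third point above is the one readers keep asking me about, here is what "the app has to ask for permission" actually looks like under the hood. This is an added example written for this post, not code from Rachel's article, from Webroot, or from any real app: on Android, every permission an app wants is declared in its AndroidManifest.xml, and the installer shows you that list before you tap Install. The script below parses a manifest and flags the declarations that hand over personal data. The two manifests embedded in it are constructed for illustration (the package names and the "Olympics Schedule" app are made up); the android.permission.* strings and the SMS_RECEIVED action are the real Android identifiers.

```python
"""Triage the permissions an Android app declares in its AndroidManifest.xml.

Added example for this post, not code from the article, from Webroot, or from
any real app. The point it illustrates: an app cannot read your contacts or
your SMS unless it declares those permissions and you accept them at install
time, so the manifest is the first place to look before trusting an app.
"""
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes (android:name etc.).
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that expose personal data or can cost the user money. The
# permission strings are Android's; the short descriptions are mine.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read your address book",
    "android.permission.READ_SMS": "read your stored text messages",
    "android.permission.RECEIVE_SMS": "see incoming text messages as they arrive",
    "android.permission.SEND_SMS": "send text messages (can cost money)",
    "android.permission.READ_PHONE_STATE": "read your phone number and device IDs",
    "android.permission.ACCESS_FINE_LOCATION": "track your precise location",
}

# Constructed manifest for a hypothetical schedule viewer that asks for far
# more than a schedule viewer needs. Package name and class names are made up.
GREEDY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.olympicsschedule">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <application android:label="Olympics Schedule">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest for the same kind of app asking only for what it needs.
MODEST_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.olympicsschedule">
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Olympics Schedule" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Every <uses-permission android:name=...> in the manifest, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def flag_sensitive(manifest_xml):
    """Declared permissions that are on the SENSITIVE list, with a reason."""
    return {p: SENSITIVE[p]
            for p in declared_permissions(manifest_xml) if p in SENSITIVE}


def sms_interceptors(manifest_xml):
    """Broadcast receivers registered for SMS_RECEIVED. Together with
    RECEIVE_SMS this is how an app gets a copy of every incoming text."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == SMS_RECEIVED:
                found.append(receiver.get(NAME_ATTR))
    return found


def report(manifest_xml):
    """Human-readable summary of what the install prompt is really asking."""
    lines = []
    for perm, why in flag_sensitive(manifest_xml).items():
        lines.append("%s: lets the app %s" % (perm, why))
    for receiver in sms_interceptors(manifest_xml):
        lines.append("receiver %s listens for incoming SMS" % receiver)
    return lines or ["no sensitive permissions declared"]


if __name__ == "__main__":
    for label, manifest in (("greedy", GREEDY_MANIFEST), ("modest", MODEST_MANIFEST)):
        print("== %s app ==" % label)
        for line in report(manifest):
            print("  " + line)
```

To run this on a real app you would pull the manifest out of the APK first (it is stored in a binary XML form inside the package; tools such as aapt in the Android SDK can dump it as text). The lesson is the same one the uncropped screenshot was trying to teach: a schedule viewer that wants your contacts and your text messages is telling you something, and the install prompt shows it to you before you agree.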
Unfortunately Rachel's story has already been linked, copied, and shared over 10,000 times according to Google Search, and some of the reactions are like "Glad I've got an iPhone" and "Well what do ya know, go figure... MORE Android Malware". 
Here is the original image. In context, it is trying to point out that you should look for clues like the "Top developer" badge before trusting an app with sensitive information:
Full version of image
Just to clarify, Spotify is NOT malware. It's being used as an example of a well behaved app from a trusted developer.
But here is the cropped version that ended up being used in the article. Neither the app name nor the "Top developer" badge is visible. At first glance, I thought it meant the app had been downloaded over 92,000 times:
Cropped version
What are the ethical considerations of publishing material from security vendors that clearly have an interest in whipping up fear of security threats, real or imagined? Should we even accept embargoed information and write about it before it goes live? I'll let you judge that for yourself.
Update 2: Rachel has added two more links to her article as "further reference about malware presence on Android". They are:
 - A study from British Telecom claiming that almost every Android device is infected with malware. I guess she missed the update three days later in which BT backpedaled on those claims.
 - A study from my alma mater, NC State. This one is actually a good read. It points out that the vast majority of malware is found outside the Google Play Store, presumably because of the scanning done before something is published in the official store and the takedowns of anything that gets through. According to the project's web site, their work is supported in part by Google.