Android users should never download apps from a third-party app store, apparently. But you should also take Chicken Little reports with a grain of salt.
A staggering 267,259 mobile apps are triggering SMS trojans, exploiting security holes, stealing private data, and building botnets, according to a study released today by network security firm Juniper. Ninety-two percent of them are Android-based, and most of those are due to over 500 Android app stores globally that are known to be hosting mobile malware.
“We anticipate that similar to the evolution of PC-based threats, mobile attacks will continue to increase and become more sophisticated in the coming years,” Juniper mobile threat center director Troy Vennon said in a statement.
Juniper’s Mobile Threats Report analyzed 1.85 million mobile apps, up a third from February 2012, to find malware and vulnerabilities. According to the report, overall mobile malware is skyrocketing — up 614 percent in a single year across all platforms — but Juniper says that Android is where the real challenges lie.
Android is the target of choice of thousands of malware authors simply due to the hundreds of non-Google app stores that offer almost no oversight and therefore enable easy distribution, and due to the continuing fragmentation of the Android ecosystem, which leaves users of earlier, less-secure versions of Android vulnerable. A third contributing factor is the fact that more apps are asking for more private data.
There are big dollars to be made in getting your shady app installed.
Juniper says that 73 percent of all known malware are FakeInstallers or SMS Trojans. These apps look like legitimate apps from known sources, but they’ve actually been cracked and infected. When installed, they’ll send text messages to premium-rate numbers, harvesting a nice $10 payday for their authors, on average.
But perhaps the biggest reason Android is being targeted is its sheer success.
Android accounts for about 70 percent of all smartphone market share, and with 900 million activations to date, there’s a massive pool of users to exploit. While Apple’s iOS platform is huge as well, with 575 million active app-downloading users, it’s not as big, and it’s much harder to access, since Apple maintains strict controls over what makes it onto the app store.
While Google Play is probably one of the safest places to get Android apps, other well-known and credible app stores such as Amazon’s would also be safe. The problem is the 500-plus unknown stores that are allowing malware to thrive.
Most of those, Juniper said, are based in either Russia or China.
It’s worth taking results like these with at least one grain of salt. Juniper sells mobile security solutions, so the company has an opportunity to benefit if the mobile security situation appears grim. That doesn’t mean the company could be falsifying data, just that it’s not always clear what the definitions of malware are in every study.
For instance, Juniper is including apps that are sketchy on privacy — such as tracking your location — that are not necessarily malware.
It’s not immediately clear how many of the 276,259 total malicious apps that Juniper found fall into this bucket.