Google’s Android security boss has challenged what he sees as frequent overstatement of malware infection rates on Android devices and the sophistication of the malicious software.

Speaking at RSA Conference 2017 in San Francisco, director of Android security Adrian Ludwig said the Android ecosystem is “an order of magnitude cleaner than traditional desktop environments”.
“Overall we’re not seeing a ton of devices being compromised, which is interesting and I think very different from what you might hear in the media,” Ludwig said.
“You’ll see a very consistent low malware rate within the Android ecosystem. … [at] about 0.7 percent of devices.”
Ludwig said there was “no good way” to compare infection rates for Android to either of the other two major mobile operating systems, iOS and Chrome OS.
“But you can certainly compare it to the desktop world,” he said.
“This number compares favourably by a little bit to managed desktop devices in an enterprise environment - including Mac OS - where you’ll tend to find about one percent of devices have malware, as opposed to a generic consumer number … in the order of 10-20 percent.
“So at a consumer-level – which is what this comparison is – we’re about an order of magnitude cleaner than traditional desktop environments.”
Ludwig said press reporting of infection rates for Android often converted percentages to “x million” devices.
“A million is less than 0.05 of a percent in the Android ecosystem,” he argued.
“It’s still a big scary number – but in the scheme of the scale of the ecosystem it’s a relatively small number.”
Ludwig also implied that the capabilities of such malware were frequently overstated.
“You have to … then ask what those [potentially harmful] apps can do?” he said.
While reports speculated “they could be spyware, rooting your device, stealing your data etc etc”, Ludwig said in practice “what we see in mobile is almost all the malware is relatively straightforward”.
He said malware targeting Android users typically relied on social engineering as its mechanism for distribution – “please install this app” or “you’ve got a virus, install my AV”.
“It’s just asking the user to install and the user says yes,” Ludwig said.
“Even once these apps are installed, they’re not taking advantage of vulnerabilities on devices. The vast majority of the time they’re phishing or asking the user for access to SMS so they can do some scamming, or they’re doing click fraud and enabling commercial ad fraud.”
Breaking down a billion-device problem
Ludwig noted the significant challenges in securing the Android ecosystem, which covered not just smartphones but an array of devices including watches and TVs, and many hardware variations across geographies and carrier partners.
“We’re talking about probably 100,000 unique devices out there that have on the order of 1000 or more users of each,” he said.
“We’re talking about an incredibly complex ecosystem.
“The more I think about the scale of it the more overwhelming it gets. How do we break down this incredibly large project of protecting effectively billions of users and make it a little more manageable?”
Ludwig said one way the Android security team approached the challenge was by thinking about what they could do to secure an individual device.
He also said his team was focused both on embedding security technologies into the operating system and on baking security into services used by the devices.
“Security technologies that are being embedded into the mobile operating system at this point reach ubiquity in about three to four years, which is stunning when you stop and think about how quickly we’re able to roll out those technologies,” he said.
“But six or so years ago [when] we started thinking about Android security, services were the great unknown.
“Historically platform providers haven’t enabled security services directly into their platforms. We figured with Android this is going to be big and complicated enough that it’s going to be very important that we have real time monitoring and the ability to collect data to understand what’s happening in the ecosystem, so we enabled services.”
Ludwig said security services were “baked into every device that has Google Play and GmsCore applications”. These services include AV/anti-malware, intrusion detection and device management.
He argued services also enabled security capabilities to achieve near-ubiquity in the Android ecosystem.
“Some of the services we’ve been building – on top of the platform from a purist’s standpoint – [are] so uniformly distributed across the entire ecosystem they’re effectively now part of the operating system and part of the platform in a way that developers can take advantage of that,” Ludwig said.
Ry Crozier attended RSA Conference 2017 in San Francisco as a guest of RSA.