Google’s head of Android security, Adrian Ludwig, has said that people buying anti-malware software for Android will probably get no extra protection over that already provided by Google Play services. The risk of potentially harmful applications ending up on users’ devices is significantly overstated and the actual risk of a damaging app being installed is extraordinarily low. Instead of showing how many users are actually affected reports focus on how many potentially malicious app exist and not whether they are ever installed.
Obviously, anti virus vendors have started responding. Trend Micro’s Rik Ferguson says…
"Over 46% of the apps that Trend Micro has classified as “malicious” (leaving aside the high risk ones) were sourced directly from Google Play. [Trend Micro have] so far analysed 3.7 million Android apps and updates, 18% of those apps have been classed as malicious and a further 13% as High Risk."
Rik says Google’s estimation of how many apps are malicious might be wrong because their library of malicious and high-risk apps might be limited. You can only detect what you know about.
So who’s right? It’s certainly true that on the desktop and when doing web site security evaluation it’s best to use more than one tool. However, 13% of Play apps high risk? I don’t think anyone has experienced that kind of number. Then again, it depends what ‘high risk’ means. If this includes apps that are poorly written, have severe vulnerabilities and leak private information as opposed to those that are actively written to be malicious then this number might be true.
Meanwhile, if you are interested in the malware threat you might also look at the Virus Bulletin’s very recent article on how malware authors are obfuscating their code. Turning things around, how malware authors are obfuscating their code can also be used to help protect your apps. There’s also more in my recently updated obfuscation article.