In his latest security advisory, which draws on Trend’s just-issued quarterly security advisory, Christopher Budd says that, just as you’d be crazy to run a Windows PC on the Internet without security protections, we’re now at the point where you’d be crazy to run Android on the Internet without security protections.
The threats that Android faces, he adds, are now broad and mature enough that users have to consider it a threatened platform equal to, if not greater than, Microsoft Windows.
Budd goes on to say that, whilst his team has been tracking the growth of threats to Android for some time, three key things in the latest Trend report illustrate that Android has reached this tipping point:
The volume of malware and threats on Android
The discovery of multiple critical vulnerabilities affecting nearly all Android devices currently out there
The migration of mature malware and threats from PCs to Android
The growth of malware on Android itself, says Budd, isn’t a new thing, as his team has been tracking these threats regularly every quarter for some time.
“Our CTO’s annual predictions include one that he believes we will cross one million pieces of malware on Android by the end of the year,” he says, adding that what is new this quarter is how fast the problem is growing.
“In our report we show that in the first six months of 2013, Android malware volume doubled. It increased 350,000, a number that it previously took three years to reach. All signs indicate this trend will continue to increase [meaning that] Android malware will likely cross the one million mark ahead of the end of 2013,” he explains.
Budd says that what is new for Android is the problem of unfixed vulnerabilities that broadly affect the installed base.
With attacks against the so-called ‘master key’ vulnerability and the ‘OBAD’ attacks exploiting administrative access vulnerabilities, he explains, Trend is now seeing active attacks against vulnerabilities that in aggregate affect nearly all Android devices.
This situation, says the Trend researcher, is made dire by the fact that Android fragmentation and a lack of commitment to updates by handset makers and carriers mean that many, if not most, of these vulnerable devices will never be patched and so will always be vulnerable to attack.
“This brings us to the last major trend we outline: the migration of mature malware and threats from PCs to Android. Malware authors these days are often mature, professional quality software development operations,” he says.
“And like all smart software companies, they adapt to make their wares available to as broad an audience as possible. Just as companies have adapted by expanding their offerings from applications on Windows to apps on Android, so have malware authors,” he adds.
Budd goes on to say that, during Q2-2013 in particular, he and his team have seen mature and successful threats like FAKEAV and banking Trojans make the leap from Windows to Android.
In fact, he notes, if you look at Trend’s charts comparing Windows and Android threats, you will see that in just three years Android threats have come to match the breadth of types and complexity facing Windows, something that took Windows over 20 years to accomplish.
“This doesn’t mean that people shouldn’t use Android, any more than people shouldn’t use Windows. But it does mean that the same best practices and security mindset that people have evolved to use Windows safely on the Internet need to be applied to Android now,” he says.
Chief among these, says Budd, is making it standard practice to put a security package on your Android devices.
“This is especially important for Android given the lack of fixes for vulnerabilities for many devices. If you’re like me and stuck on a version of Android abandoned by your maker and carrier: no patches will ever come to protect you, your security software is your only protection,” he says.
“Put simply, these days, you’d be crazy to run Android without a security package.”