Google Inc. (GOOG) has fought the mobile war against Nokia Oyj. (HEX:NOK1V), Apple, Inc. (AAPL), and Microsoft Corp. (MSFT) (among others) and it has won — at least in terms of OS market share.
I. Almost No Android Malware in the U.S.; a Whole Lot in China
Roughly four out of every five devices sold around the globe today run a version of Android. And Android is now the world’s largest tablet platform as well, in terms of unit share.
But Android also has a massive malware headache. A new report from Finnish security firm F-Secure claims 97 percent of the fast-growing field of mobile malware is Android exclusive. But here comes the twist — virtually all of that malware comes from smaller Asian and Middle Eastern third-party app stores.
Such mobile market. Very malware. Wow! [Image Source: F-Secure via Forbes]
On the official Google Play app and media store’s apps section, only 1 in 1,000 apps was found to be classed as malware. That’s slightly higher than other platforms like Microsoft’s Windows Phone Store and Apple’s iOS App Store, but it’s not that much higher. Normalizing for market share, and it appears Google’s official offerings are no less secure than Apple’s or Microsoft’s — a pretty impressive feat given that its market share is nearing almost-monopoly proportions.
Google Play is nearly malware free.
Amazon.com, Inc.’s (AMZN) Appstore — a popular third-party app store — was not examined, but it is also thought to be fairly secure. So that means that the Android Americans know and love is probably about as secure as Windows Phone or iOS.
II. App Store Country Restrictions, Lack of Content, Developer Support Add to Problem
But the story becomes wildly different when you go overseas to Asia.
One third-party app store — Android159 (it exists, but we’re not sure of its location) — had roughly 33.3 percent of its apps outed as pirated copies of Google Play apps rebundled to contain malware. But many other larger regional third-party app stores had somewhat lower, but still alarming high malware rates.
Baidu.com, Inc. (ETR:B1C) app portal — one of the most used third party app stores in China — had an 8 percent rate of malware. That means more than 1 in every 13 Android apps from Baidu is malicious and dangerous. Two of China’s fastest growing app stores — AnZhi (5 percent malware rate) and Mumayi (6 percent malware rate) — were also very dangerous. Other Chinese app stores (liqucn — 8 percent rate, eoeMarket — 7 percent, StarAndroid — 6 percent, appkke — 7 percent rate, and angeeks — 8 percent rate) are also peddlers of pestilence in the mobile space. The bottom line here is that most Chinese customers have a more than 1 in 20 chance of downloading a malicious app.
Chinese apps stores are overrun with Android malware. [Image Source: F-Secure via Forbes]
It’s no coincidence that many of the app stores in question come from China. Not only does China have the world’s biggest population of smartphone users, Google also does not allow its users official access to paid apps [source] — a pretty sizeable snub. Only a handful of other countries — e.g. Iran and Syria — are exiled from app access, and in those cases the exile is often at the orders of the U.S. government. China is a special case perhaps because of its rocky relationship with Google (which has remained silent on the cause of the snub).
For Chinese users perhaps the safest option is to get a repackaged version of the Play Store with a spoofed country code (if they can find a safe one). This approach is fairly popular and accounts for roughly 6 percent of app downloads in China. That’s pretty impressive, given no official support is coming from Google. But it’s also worrisome considering that 94+ percent of Chinese users are grabbing apps from insecure sources.
F-Secure’s list of most-repackaged-for-malware Android apps [Image Source: via Forbes]
A secondary issue is that while Google’s Play Store is (relatively) secure, its regional support doesn’t make certain kinds of content available.
For example in Japan you can get TV shows on the Play Store, but you can’t get music. In Germany you can get Music from the Play Store, but no TV shows. Google offers virtually no support to developers in African nations, and many African nations only have access to the basic app store, no media content. You can download movies off the Play Store in Brazil, but go to Argentina and Google won’t let you download them. And Brazil and Argentina both lack Google developer support.
Lack of support drives developers to make native language apps available at third-party app stores, as does lack of content. And almost as a rule these app stores have more than 1 in 20 apps be a pirated app bundled with nasty malware surprises.
III. How to Support the Unsupportable?
There’s no easy answer of how to improve this difficult scenario. Forbes writes:
Google lags a long way behind Apple when making its app store available around the world. The most notable omission is China, where Apple has made significant progress in recent years.
While that may be true in the case of China — home to the world’s biggest population of mobile malware, virtually all of which is on Android — the list of nations Google allows paid app downloads from is actually quite lengthy.
[Image Source: TechWeb]
This makes the situation less black-and-white. Even if Google makes the Play Store available to the Chinese, it will remain vulnerable in other regions. As the world’s most used mobile OS its products are being used in places like Iran that U.S. companies are not allowed to do business in, hence it has no way of controlling security in these regions. Further economic and political factors lead to users in many regions purchase devices with no-longer-supported versions of Android. Here, Google again has no way of fixing the problem as prior to KitKat it had no way of forcing an update to any part of the operating system.
About the only way U.S. customers see much risk is in the well discussed issue of lacking updates to newer versions of Android — a problem commonly termed “fragmentation”. F-Secure writes:
While the various enhancements released in each update incrementally improve the security of the platform itself, actual per-user security is highly variable, since the fragmented nature of the Android ecosystem between various device vendors makes it basically impossible to ensure a uniform security level across all users. For most users, this means their device security ends up being largely in their own hands – both figuratively and practically.
With the new Android v4.4 KitKat, core apps will get updates even after manufacturers and carriers abandon support.
The good news here is that as of Android 4.4 “KitKat” a change has been introduced allowing Google to directly update its core services. This should lessen the issue of fragmentation, as all commonly used builds will receive new versions of core apps whenever a security issue is detected. Within a few years the only vulnerabilities to go unpatched will be the more rare kernel-level exploits (which are generally only patched via version updates) or software on extremely old devices that predate KitKat.
For the most part neither problem applies to Apple’s iPhone and iOS — because it’s expensive, even when it comes to resale. And it doesn’t apply to Windows Phone as few in China and the Middle East are using Windows Phone. So say what you will about Google, but it is keeping its customers in U.S. and most largely globally economies relatively safe with some minor exceptions.
The piracy police made one 9-year-old a very unhappy camper
ZMAX will come with a Snapdragon 400 processor and 720p display
UC Davis dares to go where Toyota won't with the Prius
An Apple spokesperson fires back over Microsoft's latest commercials
Engadget gets the scoop on Dell's latest "ultra-portable" notebook