Security software companies more and more prey on people’s fear to help sell more products. This shady marketing practice is commonly known as FUD which stands for Fear, Uncertainty, and Doubt. They tend to over-inflate threats to scare people into buying their product, usually through their studies showing startling statistics. These reports are fed to reporters, many whom post the information without any further investigation, helping to feed the frenzy. Many security software firms rely on the fact that many reporters are technically illiterate when it comes to security and count on them not digging into their research methods, or even asking a neutral third party and let them draw their conclusions. The one possible exceptions are VPN companies whose products actually are useful and can help keep you safe online.
“There are three kinds of lies: lies, damned lies, and statistics.” – Mark Twain
VPNs aside, one good example of such scare tactics revolves around mobile anti-virus products. I have written about the mobile anti-virus myth before regarding how these apps do very little to protect you, and in fact, in many cases, they decrease the performance and battery life of your phone. These applications do primary signature-based detection of applications but are not able to do heuristic detection, which means they cannot protect you from zero-day attacks, by the time the malicious app is detected it is pulled from the app stores. In actual cases where malware has been identified it is too late for those who have already installed the malicious application.
Google engineer Chris DiBona stated in a post:
“Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself… If you read a report from a vendor that trys to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans.”
Many of the actual malware cases we have seen have been applications that are installed outside the app store that affected only a handful of people, but this did not stop many of the folks who make mobile anti-virus products from telling everyone the sky is falling. Other cases have not been malware at all, but merely an application accessing data that it shouldn’t, this is hardly malware, if it were then companies such as Path, Twitter, Hipster and a handful of others would fall under this classification for accessing and uploading users’ contacts without consent.
Symantec Malware Scare
One such scare campaign backfired. When Symantec recently announced that they discovered a malware application they called Android.Counterclank in 13 apps which they claimed was a “a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device” infecting between 1-5 million devices. Are you scared yet? Well fear not, when third parties investigated the “malware” they discovered that it was merely a poorly designed slightly intrusive ad platform. Symantec then back peddled with an update on their blog where they even list the actual data the platform collects, which is no worse than any other analytics or adware platform. Symantec submitted the information to Google; Google responded saying that the applications met their terms of service. However Symantec achieved their goal, more reporters wrote about the original malware story than covered the recant and probably a lot of people downloaded and purchased their mobile anti-virus app as a result.
Anti Malware Useless
Security firm AV-Test conducted a test where they analyzed free Android virus scanners, keep in mind that these tools are using signature-based detection only, the malware used in the test does not exist in any app stores. They found that even those apps that have been identified as malware the detection rate was between 0 and 32%:
It is great that they did detect some of the malware. However, the likelihood of getting these applications are close to zero considering they do not exist in the Android Marketplace and have to be installed. Commerical Anti-Virus applications from F-Secure and Kaspersky identified the 10 sample files as malware, but again this is based on signature detection of known malware applications that do not exist in the Marketplace. The mobile apps need to be kept up to data consistently to ensure that any new malware discovered is added to their database, this requires the vendor to keep their data up to date and will do little to detect any new malware not in their database until it is too late.
Caution Over Fear
So is there no risk when it comes to mobile malware? No, there still exists dangers, but most of them can be avoided by being careful what you download and checking the permissions of the applications that you are installing. If a simple game requests permissions to access your contacts, browsing history, IP address (which can be used for tracking) and calls the odds are that it does not need such permissions and it should not be installed. You can also always use a VPN as a secondary line of defenese. We are living in a world where even brands we trust with our data abuse that trust by invading our privacy and mining data for profit and market share.
There is a possibility that in the future a real mobile worm or virus could wreak havoc on a particular platform or even on a specific subset of IPs. However, this is highly unlikely given the restricted sandbox apps run in on most platforms. If there were such a security hole, it would only be fixed by a firmware update from the manufacturer or carrier, not a third party app.