For the past month or so, I've been posting Android Security Threat of the Week stories to this blog. I starting doing so because it seems like every week a new Android security flaw or related issue pops up. This is not the case for other mobile platforms, including iOS, BlackBerry and Windows Phone. And as such, the Android vulnerabilities (mostly) seem newsworthy to me. (Check out a few of my recent posts if you're interested: 1,2,3)
This week, while doing research for my next Android security post, I came across a report on CIO.com sister site CSOonline.com that weighs both sides of the Android security debate: The view that the Android threat is very real; and the standpoint that it is overhyped and "little more than thinly disguised marketing hype by the security vendors to scare users into buying their products."
Just last week, I found an Android virus on my Motorola Atrix 4G smartphone for the first time, or at least my McAfee Mobile Security app identified a virus. And I'm a security-conscious mobile beat reporter. (My device was performing very poorly, so I decided to reset it to stock settings, therein removing any potentially harmful software or viruses and ensuring a clean install, etc., and now it's running much more efficiently.)
The CSOonline post cites--but doesn't link to, so I dug up the URL--a Google+ post from Google Open-Source Programs Manager Chris DiBona, who has some particularly strong opinions about mobile security software vendors:
"Virus companies are playing on your fears to try to sell you BS protection software for Android, RIM and, iOS," DiBona posted. "They are charlatans and scammers. If you work for a company selling virus protection for (them), you should be ashamed of yourself."
Security expert, I am not, and I'm the first to admit it. But I do know a thing or two about smartphones and the mobile landscape, and I can say without a doubt that the Android threat is very real. Overhyped, yes, definitely. But it's better to be paranoid about real threats than to shake them off as nonexistent. And that's a fact.
I also take comfort in my McAfee Android security app, since it helps me to remember to be vigilant. How is that a bad thing?
Should you run out and buy a paid mobile antivirus product? No, not necessarily—you can find a number of free Android security apps, including the free version of McAfee Mobile Security and Athigo's Android Mobile Security Advisor, just to name a couple.
But to say that the only folks who need worry about Android malware are "those stupid enough to download apps without checking them out first"—those are the CSOonline author's words--is absolutely ridiculous.
Do only stupid people need to worry about Windows security? Because the majority of common Windows threats also come from bad downloads that users are somehow tricked into installing. And let's face it, the majority of Android users aren't very "sophisticated" and it probably wouldn't take a particularly clever ruse to dupe them into installing a potentially harmful piece of software.
Threats targeting mobile devices increased by more than 600 percent between 2010 and 2011, according to Kaspersky Lab, with 65 percent of new malicious mobile applications targeting Android. It's safe to say the Android threat is real. And while I do think Android security companies may try to play up the threat to sell more software—that's part of their job after all—Android users should be aware that the bull's eyes on their mobile devices are only getting larger, and mobile security software can help them remain vigilant.