Thanks to its inherent "openness," the open source Android OS is vulnerable to a variety of security risks, but how often do people you know actually fall victim to Android malware or other attacks?
Is the Android security risk overstated? Is the Android risk really greater than the risks posed by its iOS and Windows Mobile counterparts? And what can users, and the enterprise IT departments that support them, do to better protect their Android devices?
We asked these questions, and more, to a variety of mobile security experts from companies including Cisco, Dell and Lookout. Here's what they had to say:
Android security threat is real
Android malware that affected U.S. users increased by 75 percent from 2013 to 2014, according to security firm Lookout's "2014 Mobile Threat Report."
"That's a significant jump, predominantly driven by an increase in ransomware, a nasty form of malware that locks a person's device and demands money in exchange for reinstated access," says Michael Bentley, Lookout's senior manager of security research and response.
Android devices were the targets of 97 percent of all mobile malware in 2014, according to Pulse Secure's "2015 Mobile Threat Report." And the Android security risk level "increased substantially year-over-year," says Troy Vennon, director of Pulse Secure's Mobile Threat Center. In 2012, there were 238 specific Android malware threat "families," and that number jumped to 804 in 2013 and 1,268 in 2014, according to Vennon.
At least 15 million mobile devices were infected with malware in September 2014, according to a report from Alcatel-Lucent's Kindsight Security Labs. Of those devices, 60 percent were Android smartphones and about 40 percent were Windows PCs that connected to the Web via mobile networks. Windows Mobile, iOS, BlackBerry and Symbian devices represented less than 1 percent of mobile malware infestations.
Symantec's 2015 "Internet Security Threat Report" says 17 percent of all Android apps (nearly a million) are malware in disguise. In comparison, Symantec uncovered approximately 700,000 Android malware apps in 2013.
Android more vulnerable than iOS, Windows Mobile
Android is more vulnerable than iOS because of its OS fragmentation, according to Geoff Sanders, cofounder and CEO of LaunchKey.
"Even when Google releases a security patch, it's ultimately up to the [device] manufacturer to provide this patch to end users," Sanders says. "This puts many more users at risk as their devices age."
The overall risk level for Android is also higher because it's the most popular mobile OS, according to Bojan Simic, CTO of HYPR Corp.
Apple deploys iOS only on its own devices, so the company has "far better control and knowledge of risk," Simic says. Apple's app verification system is also significantly more rigorous than Google's process in the Play store, and it results in less malware, according to Simic.
Windows Mobile users are safer due to the rule of "security by obscurity," Simic says. "Most hackers will direct their efforts where the biggest payoff is, and right now that target is Android due to its sheer amount of users.
Documented high-profile Android attacks
During the past year or so, a number of high-profile Android-based attacks and vulnerabilities made headlines.
Operation Emmental, which targeted 34 European banks, is probably the highest profile attack that used Android malware as a key component, according to Simic.
"The sophisticated attack was used to bypass two-factor security implementations that banks had deployed to protect their users," Simic says. "Throughout the attacks, it is estimated that about $1 billion was stolen."
The WebView bug in Android 4.3 (and older versions) was also widely reported, according to Gleb Sviripa, an Android developer at KeepSolid, and it left around 930 million Android devices vulnerable to potential attacks. WebView let "apps display Web pages without launching a separate app, and the bug could open up affected phones to malicious hackers," Sviripa says.
Google launched security patches for Android 4.4 and above but said it wouldn't develop patches for earlier OS builds. Instead, it encouraged the development community to step in. Google's head Android security engineer said the decision was due to "the complexity of applying patches to older branches of WebKit," according to ZDNet.
AndroidLocker, another very real threat, is "a new malware variant discovered last year by Dell, which mirrored the functionalities of ransomware," says Swarup Selvaraman, senior product manager at Dell SonicWALL. "The malware would lock down mobile devices, claiming to be the FBI, and demand users pay a 'fine' within a certain time to unlock their devices and avoid criminal charges.
In 2014, Dell also discovered an Android Trojan that targeted South Korean banks, Selvaraman says. "When users would download the malware, it would appear in their app drawer as 'googl app stoy,'" Selvaraman says. "If opened, it would show an error message, shut down, and seemingly uninstall itself. However, it was secretly still running in the background, specifically monitoring South Korean financial apps."
Android security threat is real but 'overblown'
The mobile security threat exists, but it is "overblown," according to new research from Damballa. For its spring 2015 report, the company monitored about 50 percent of U.S. mobile traffic (including but not limited to Android). Damballa concluded that mobile users are 1.3 times more likely to be struck by lightning than to have their mobile devices compromised by malware.
"This research shows that mobile malware in the Unites States is very much like Ebola – harmful, but greatly over exaggerated, and contained to a limited percentage of the population that is engaging in behavior that puts them at risk for infection," said Charles Lever, a Damballa senior scientific researcher, in a press release on the company's website.
Mark Hammond, senior manager for Cisco Security Solutions, agrees the Android threat has been greatly exaggerated. "The threat of Android malware is also directly associated with the source. If the average user is sticking with a well-regulated app store, like Google Play, then the risk of malware diminishes significantly."
The mobile malware threat is "really minimal," according to John Gunn, vice president of VASCO Data Security. While many people have some sort of malware on their computers, "few know anyone who has had malware on their mobile device," he says.
Verizon's 2015 "Data Breach Investigations Report" also concluded that "mobile threats are overblown," and "the overall number of exploited security vulnerabilities across all mobile platforms is negligible."
The risk of malware making its way into a native Android app is lower than ever thanks to Google's automated scanning and other new security improvements, according to Terry May, an Android developer with Detroit Labs. Google "reinforced the Android sandbox with SELinux and enhancements to the Google Play services library that can scan for vulnerabilities on the local device and not just the apps in the store," May says. "This means that even apps that have been side-loaded can be scanned."
Less than 1 percent of Android devices had a potentially harmful app (PHA) installed in 2014, and the number of PHAs on Android devices dropped by 50 percent between the first and fourth quarters of last year, according to a Google Online Security Blog post published by Android security lead engineer Adrian Ludwig in April 2015. Less than 0.15 percent of devices that only installed apps from Google Play had a PHA installed last year, Ludwig wrote.
The bottom line is that malware attacks "are increasing because users are spending more time on mobile devices than ever before, the value of the data on mobile keeps increasing, and a single OS (Android) dominates the market, increasing the footprint for attackers," says Domingo Guerra, president and cofounder of Appthority.
However, mobile malware isn't necessarily more prevalent. "Although the number of mobile malware apps is definitely booming, so is the number of good and benign apps," Guerra says