Android malware is rare, but some choose it deliberately

Google's recently released numbers on Android malware include those who root with custom ROMs.

Google just released its latest numbers of potentially harmful apps (PHA) installed on Android devices. Based on data from 4 billion app installations, only 0.18% of users go forward with an app installation after being warned that it may be insecure, according to Google. Interestingly, though, that 0.18% includes some very Android-savvy users.

Google fights malware using three technologies: virus scanning, app behavior monitoring, and big data predictive analytics. Apps are scanned both in the Google Play app store and at installation, using App Verify. First introduced with Android 4.1 and backward compatible with most older versions of Android, App Verify is a "belt and suspenders" approach that double-checks Play downloads and defends against PHAs when users download apps from sources that may not scan for viruses as thoroughly.

Once installed, App Verify monitors apps’ behavior and alerts users and Google if an app has executed an operation that might be a threat. This helps detect polymorphic malware that eludes virus scanning by appearing to be a benign app and modifying itself to exploit a threat afterward.

The malware attack data collected by Google and the Android security team is combined in a MapReduce cluster and analyzed for clues that predict the sources of future attacks. This is a fascinating subject, but it would require waterboarding to get an Android security engineer to talk about it in detail.

But some people actually embrace PHAs, and their app installs are included in the 0.18% of PHAs. The only way to bypass a locked bootloader or install a custom Android ROM like CyanogenMod is with a root exploit, which will be detected as a PHA. There are many reasons to run a root exploit on one’s own Android device.

Many carriers ship smartphones with unwanted apps, often called bloat, that can’t be uninstalled by the user. The best way to address the bloat problem is to install a benign custom ROM that will nevertheless be detected as PHA.

Carriers also prevent some types of app from working, such as those that legally enable tethering or convert the smartphone into a Wi-Fi hotspot. Rooting the Android device to circumvent a locked bootloader and install this type of app will circumvent the carrier’s prohibitions.

Sometimes Android device manufacturers build great hardware, but their versions of Android are simply not appealing in an individual user’s eyes. For instance, many Verizon customers would love to buy a Nexus 5 because stock Android KitKat runs on powerful hardware, but can’t because it is not available on Verizon’s network. The LG G2 is very similar to the Nexus 5, and comes from the same manufacturer. The G2 has a cool UI, but it is proprietary. A user who wants the Nexus 5 can install a stock Android KitKat custom ROM on the G2, and will have great hardware with the software that he or she wants.

It’s getting easier to install custom Android ROMs. CyanogenMod’s installer has simplified installation for some devices, putting a custom ROM within the reach of more users. Perhaps Google’s rate of PHAs might go up the next time it reports, with the increase attributable to non-harmful roots and ROM installs.
