Android Remains Main Target For Mobile Malware Writers Despite iOS Having More Vulnerabilities, Says Symantec

Mobile malware remains a small and nascent issue, especially when compared to the scale of threats crowding around desktop OSes, but the threat that is out there continues to mostly affect Google’s Android platform. This despite Apple’s iOS technically having more vulnerabilities, according to a new report by security software firm Symantec. The difference in threat level is a natural consequence of the two differing mobile ecosystem approaches: Apple’s walled garden vs Android’s open playground.

Symantec identified just 108 new unique threats to all mobile platforms in 2012, 103 of which targeted the Android platform vs one targeting iOS. Symbian was second after Android, with three unique threats identified, while Windows Mobile had one. But when looking at platform vulnerabilities Symantec said there were 387 documented vulnerabilities for iOS vs just 13 for Android. Elsewhere, BlackBerry also had 13, and Windows Mobile had two.

Symantec’s report notes:

Today, mobile vulnerabilities have little or no correlation to mobile malware. In fact, while Apple’s iOS had the most documented vulnerabilities in 2012, there was only one threat created for the platform. Compare this to the Android OS; although only thirteen vulnerabilities were reported, it led all mobile operating systems in the amount of malware written for the platform. Vulnerabilities likely will become a factor in mobile malware, but today Android’s market share, the openness of the platform, and the multiple distribution methods available to applications embedded with malware make it the go-to platform of malware authors.

The root cause of the (small) threat level for Android is typically downloads from third party app stores (i.e. not Google Play) or users directly side-loading apps — something the Android platform allows, via a user-enabled setting, while iOS users wanting to sideload apps or use third party app stores have to jailbreak their device. It’s that open vs closed approach that explains the differing threat level, says Symantec, noting: “Android users are vulnerable to a whole host of threats; however, very few have utilized vulnerabilities to spread threats.”

Symantec does flag up one example in its report of “rogue software masquerading as popular games on the Google Play market, having bypassed Google’s automated screening process” last year. But clearly the vast majority of Android malware lands on devices via the unofficial routes cited above.

In terms of location, Android threats are “more commonly” found in Eastern Europe and Asia, according to the report. China has a thriving market of Android-based devices that dispense with Google’s Play store, which likely explains some of the Asian distribution of Android threats.

Another security issue affecting Android is platform fragmentation, with multiple older versions of the OS potentially creating a risk, says Symantec, along with carrier additions and Android skins — since these can delay the progress of OS updates. So while Google has made changes to Android 4.x to help bolster security, the vast majority of users (circa 90% last year) are stuck using older versions of the platform.

Symantec notes security-focused tweaks made by Google in Android 4.x include adding a feature to allow users to block any particular app from pushing notifications into the status bar (to combat adware); and in Android 4.2 adding a feature to prompt the user to confirm sending a premium text (to combat premium SMS threats).

The report adds:

…at around 10 percent market penetration at the end of 2012, Android 4.2 devices account only for a small percentage of the total devices out there. The Android ecosystem makes it harder to keep everyone up to date…

For most exploits in the OS, Google released quick fixes; however, users still had long waits before they received the fix from their network operators. Some exploits are not in the original OS itself but in the custom modifications made by manufacturers, such as the exploit for Samsung models that appeared in 2012. Samsung was quick to fix it, but the fix still had to propagate through network operators to reach users.

As you’d expect, Symantec is predicting continued growth in levels of mobile malware this year, as tablet and smartphone use continues to grow and attract more malware writers. Specifically it is expecting to see “ransomware and drive-by website infections on these new platforms in the coming year”.

Security companies have been charting ‘rising levels of mobile malware’ for years but overall relative threat levels remain low. Still, Symantec said 2012 saw a 58 per cent increase in mobile malware vs 2011, and said the year’s total accounts for 59 per cent of all mobile malware discovered to date — so while the threat is still small it is now more than doubling year-on-year.

[Image: Symantec mobile malware variants]

Here’s Symantec’s breakdown of the types of mobile threat it identified last year, with information theft being the most common threat. Add in user tracking and more than fifty per cent of the mobile malware identified was trying to steal user info or track their movements:


On Sunday Forbes covered a McAfee report that claimed it had identified 36,699 pieces of mobile malware, 95% of which cropped up last year — a hugely higher figure compared to Symantec’s figure of 108 new unique threats. In its report, Symantec says its figure is smaller than “other estimates on the scope of the mobile threat landscape” owing to other companies’ estimates counting overall threats (rather than new unique threats).

Many estimates are larger because they provide a count of overall variants, as opposed to new, unique threats. While many of these variants have simply undergone minor changes in an attempt to avoid antivirus scanners detecting them, Symantec counted at least 3,906 different mobile variants for the year.

But even Symantec’s variant figure — 3,906 — is orders of magnitude smaller than McAfee’s count. Differing approaches to counting malware variants and threats presumably explain the discrepancy. We’ve reached out to Symantec to ask what specifically it includes in its mobile malware count and will update this story with any response.

Yesterday another report into mobile malware, conducted by mobile security software provider NQ Mobile, apparently identified more than 65,000 distinct forms of mobile malware, such as app repackaging, malicious URLs and SMS phishing.

Security companies of course have a vested interest in hyping malware threats, since they are in the business of selling security software, so it’s worth taking the highest figures with a big pinch of salt.