Study: Google Play-based Android apps with malware up 388 percent in two years

Google chairman Eric Schmidt may believe his company's Android OS is "more secure" than Apple's iOS but this week a study from a security firm claims that the number of Android apps from the Google Play store that contain malware has risen dramatically in two years.

The report from the RiskIQ firm claims that in 2011 there were just 11,000 malicious apps in the Google Play store, but that number increased 388 percent to 42,000 malware apps in 2013. The firm adds that Google only removed 23 percent of those apps in 2013, versus 60 percent in 2011. A whopping 12.3 percent of all apps in the Google Play store contained malware in 2013, according to RiskIQ. Google has yet to respond to the firm's claims.

RiskIQ says they were able to come up with this data using their own technology that simulates real-world users interacting with Android apps, claiming that it reveals malware that normally would not show up using standard techniques. Android personalization apps tend to be the ones that are used the most to mask malware, according to RiskIQ, followed by apps in the entertainment and education/book categories.

Source: RiskIQ


60 Comments


In the 5+ years I've been running Android phones/tablets, I have yet to encounter "malware". I simply do not believe these outrageous claims made by biased "researchers", who typically have some ulterior agenda. Follow the money, who is paying for their "research"? What are they selling?

fuzi0719 said,
In the 5+ years I've been running Android phones/tablets, I have yet to encounter "malware"

I haven't had to deal with malware on one of my systems in at least a decade. Therefore, malware doesn't exist anymore on Windows.

fuzi0719 said,
In the 5+ years I've been running Android phones/tablets, I have yet to encounter "malware". I simply do not believe these outrageous claims made by biased "researchers", who typically have some ulterior agenda. Follow the money, who is paying for their "research"? What are they selling?

I am sure there is a lot of malware out there for Android. I don't think it is as big a deal as people are making it out to be though.

I see the idiot brigade is attacking my comment. I never wrote that I didn't think malware exists. I simply do not believe it is as prevalent as these "researchers" imply, at least not in the US/Europe. In nearly every previous case, the funding for their "research" can be traced right back to the same sources: Apple and Microsoft.

Well it's the same like saying that there are a billion virus and malware for Windows. It's true probably but doesn't mean all users have it.
If they include spyware in their search for malware, the numbers will skyrocket immense. But then WP8 has tens of thousands of malware apps as well.

techbeck said,
I have yet to see malware on an Android device.

Good luck waiting for someone to code "MALWARE IS NOW ACTIVATED" in an app for you!

As long as it keeps growing it will be targeted. It was the same with Windows. But for most users, nothing to worry about.

The solution to this problem is super simple for Android users. Don't install software from unknown Devs.

Android is the "Windows" for the mobile world. However, unlike Windows, it's not that easy to have malware installed on Android, unless the user actually willfully and intently does it him or herself. Seriously......you gotta be a numbskull to download and install a Justin Bieber wallpaper on your Android Phone. Just the same if a person were to go to a malicious website on a Windows computer.

This is not really a big deal at all and can easily be done with a Windows Phone. The problem is, like the argument for Windows PCs, hackers or malicious code developers don't care to target Windows Phone because of its unpopularity.

LOL...."Android personalization apps".......LOL, that's the Justin Bieber or Miley Cyrus wallpapers. That's funny.

That's true. I've only ever heard of malware in relation to wallpaper apps and junk like that. It's so easy to look at the comments on the Play Store and find out what's good and what's not.

I've heard this argument. It was used for Windows as well. "Don't install this, don't install that, be careful, etc."

That's easy for us to do. I never had malware/virus issues in over 30 years of using computers, but a lot of people aren't going to know what's safe and what's not. Some people still fall for the Nigerian prince emails and "click here, your PC has a virus" scams.

Most infections come through Flash ads from compromised ad servers as well as Java and PDF.

Just visit the site and you are owned. Firefox had invisible iframes so another fake yahoo login covering the real is a problem.

Unless you run noscript, adblock, not run XP as a local admin and other security practices you can bet your PC is owned.

I used to share your same concerns and not run AV software. After my credit card and wow account was compromised I changed. No, I do not run software from untrusted websites.

sinetheo said,
Most infections come through Flash ads from compromised ad servers as well as Java and PDF.

Just visit the site and you are owned. Firefox had invisible iframes so another fake yahoo login covering the real is a problem.

Unless you run noscript, adblock, not run XP as a local admin and other security practices you can bet your PC is owned.

I used to share your same concerns and not run AV software. After my credit card and wow account was compromised I changed. No, I do not run software from untrusted websites.


Uhm no.
Most malware comes on systems through social engineering. Not zero-days or any exploit.

And how many are spyware contacting analytics servers on every run to sell your browsing and usage habits to the highest bidders? Wouldn't be tolerated on the desktop or on mobile before the iPhone.

It's not tolerated now either but people are slow. I notice more and more are standing up against Google, Facebook and other data-mining-screw-your-privacy companies.

I can easily believe that figure and am not surprised it's not higher even.

People know even less, and probably care even less, about security on their phones than their computers.

I don't know a single person who has any kind of modern phone that has ANY type of malware protection on it!

With the number of apps that have been created and as fast as they are created, and the fact we're talking Google anyway, there's no way anyone is checking them much before they get into the store!

cork1958 said,

the fact we're talking Google anyway, there's no way anyone is checking them much before they get into the store!

Careful, your prejudice is showing.

I think they need to PROVE they're malware apps instead of just making a baseless claim and citing their "own technology".

Otherwise, it's just a bunch of people making claims they can't corroborate. Why do you trust someone who "claims" they're a security firm, without asking for evidence? Anyone could make that claim.

I don't own an Android device but I too would want to see at least an example of a malware app that only their proprietary technology can detect.

Brony said,
It is FUD mainly because they are re-defining what is Malware.

In a way, yes.

But creating a narrow definition for Malware is also disingenuous and hurts users that don't study the specific definitions. Software that can cause harm is not good, no matter how it is technically classified.

Brony said,
It is FUD mainly because they are re-defining what is Malware.

Most of the companies like this are trying to drum up business for themselves, either through selling security products or providing reporting and statistical services. Naturally it's in their interest to whip up hysteria.

In truth though I do believe it's time for Google to start curating the Play Store more seriously. To weed out the poor quality and to prevent any possible malware.

Mobius Enigma said,

In a way, yes.

But creating a narrow definition for Malware is also disingenuous and hurts users that don't study the specific definitions. Software that can cause harm is not good, no matter how it is technically classified.

Android allows some apps to run with ROOT permission, and only if the device is configured to do that (locked devices can't run apps that require root rights). However, applications are not self/auto rooted, the system asks you if you want to run the application with root permission or not.

http://cdn-static.cnet.co.uk/i...ogle-nexus-7/n7root10-b.png

Brony said,

Android allows some apps to run with ROOT permission, and only if the device is configured to do that (locked devices can't run apps that require root rights). However, applications are not self/auto rooted, the system asks you if you want to run the application with root permission or not.

http://cdn-static.cnet.co.uk/i...ogle-nexus-7/n7root10-b.png

Yes I knew this, why are you responding to my post about the definition of malware and malicious software? Malicious software is malicious software. PERIOD.

There are too many ways to get malware on Android you can malware and the fact that the vast majority of Android phones are using an earlier version of Android than the latest release does not help.

Hello,

That sounds a little high, but about where it might be. I tried to estimate malware in the Google app store last year based on app removals, and it came in at about 9%. Of course, my figures didn't count apps that were not removed, so that may account for the variance.

Regards,

Aryeh Goretsky

Yikes! 12.3% is quite a lot considering the amount of apps. I use a Galaxy Note 3, but I also appreciate Apple's closed fortress when it comes to their apps, keeping my iPhone 5s safe.

Edit: Anyone know where we could find a list of these apps? I'm guessing they are just apps that no one has any business installing in the first place.

JHBrown said,
Yikes! 12.3% is quite a lot considering the amount of apps. I use a Galaxy Note 3, but I also appreciate Apple's closed fortress when it comes to their apps, keeping my iPhone 5s safe.

Edit: Anyone know where we could find a list of these apps? I'm guessing they are just apps that no one has any business installing in the first place.

Even better than Apple's 'closed fortress' is the Windows Store. Microsoft has more advanced automated testing.

The iPhone has also had malware from Apple store Apps. 150,000 Apps, and easy side loading, yet WP8 has had Zero malware due to the platform's isolation model.

Mobius Enigma said,

...WP8 has had Zero malware due to the platform's isolation model.

Nothing to do fact fact not many apps yet!

Time will tell.

stevember said,

Nothing to do fact fact not many apps yet!

Time will tell.

Seriously, are you going to say 150,000 is a small sample size of Apps?

Ok then...

I'm a MS fan, very anti Apple. Think W8 has a lot of problems but use it anyway.

But the store is still very infant, so time will tell. I do hope you're right though.

It is Windows, if what a lot of people on the internet always scream are true (Windows being the most insecure OS in human history). Then WP8 and Windows RT should already have fallen victim to malware and the like.
But it hasn't. As far as I'm aware even today the only way to bypass Windows Store for apps on Windows RT(jailbreak it) was with a Microsoft issued debugging tool.
There's plenty of users already and seeing that WP8 shares the same kernel, IE and more with Windows 8 (and even more features will be shared among W8.1 and WP8.1)...

It's quite safe to say that currently Windows is the safest of them all. I've waited a year after owning my 920 before doing my banking on the phone to see IF anyone could break WP8's security (SMS text TAN codes reading etc, which is possible on Android for example). And so far, nothing. Zero... nada!
And the last malwares I got on my computer is either through downloading torrents or Chrome/Firefox. Haven't gotten malware from using 1st party Microsoft products in ages. I even have Java and Flash activated in IE11 (Java on a per-site basis though) and nothing has gotten through that either. (I do use EMET and run IE11 in 64bit mode)

Mobius Enigma said,

Even better than Apple's 'closed fortress' is the Windows Store. Microsoft has more advanced automated testing.
150,000 Apps, and easy side loading, yet WP8 has had Zero malware due to the platform's isolation model.

Security in obscurity. Malware writers target the popular platforms, which means Android and iOS. And I don't think any store can claim zero malware because no system is perfect, and that leads to a false sense of security where there isn't any.

From my personal experience, most of the malware I've heard of exists in the wallpaper downloads. Per app permissions would negate the effects of malware, but unfortunately Google's removed that functionality.

Shadowzz said,
It is Windows, if what a lot of people on the internet always scream are true (Windows being the most insecure OS in human history). Then WP8 and Windows RT should already have fallen victim to malware and the like.

1. Native code ≠ Sandboxed VM code.
2. Windows store is curated.

Sandboxed code is very limited in what it can do. That's not to say it can't act like malware though.

To be fair, it's the openness (in terms of installing / running software) of the Windows desktop which has permitted the tens of millions of malware to exist on it. The Windows store is a move in the right direction to help curb that.

Shadowzz said,

It's quite safe to say that currently Windows is the safest of them all.

Not Windows, but Windows Phone 8 / RT perhaps. Partly because of the effect of security in obscurity, and partly because of the two points above.

As much as I prefer open systems, I'm willing to admit that maybe Google should take a more active role in curating the Play Store. For the sake of quality, and for preventing malware from entering.

In addition, Google should build per app permission customisation into Android. It's essential to be able to allow and disallow what functions an app should have access for. That could also be a part of the curation process. Only allow apps in that request permissions for functionality related to their purpose, instead of having wallpaper apps that request to access contacts list, internet, phone etc.

Shadowzz said,

And the last malwares I got on my computer is either through downloading torrents or Chrome/Firefox.

Any Windows app you download could potentially be a rootkit, malware, virus, trojan, keylogger etc. Only an open source peer reviewed repository is the safest. Even popular curated stores like Apple's aren't immune to attacks.

IE is probably the most common vector for malware from my experiences. Installing Firefox + ABP + NOScript helps a lot, but the only way to be truly safe is to put GNU/Linux on the machine, and only use the peer reviewed open source repositories. You would never catch me doing my banking on a Windows machine.

Shadowzz said,

haven't gotten malware from using 1st party Microsoft products in ages. I even have Java and Flash activated in IE11 (Java on a per-site basis though) and nothing has gotten through that either. (I do use EMET and run IE11 in 64bit mode)

I see malware acquired via IE all the time. Even on Microsoft's latest OS's. The ecosystem for malware is too great to just disappear overnight. The only way Microsoft can get rid of malware on Windows is to make installing / running programs outside of the curated Windows store impossible. Unfortunately, that's not going to happen in the near future.

simplezz said,
IE is probably the most common vector for malware from my experiences. Installing Firefox + ABP + NOScript helps a lot, but the only way to be truly safe is to put GNU/Linux on the machine, and only use the peer reviewed open source repositories. You would never catch me doing my banking on a Windows machine.

There's a good rebuttal to the "many eyeballs" theory at http://blogs.msdn.com/b/shawnh...-development-lifecycle.aspx. The comments section is well worth reading too in its entirety.

There just aren't enough competent eyeballs actually on the job.

Mobius Enigma said,
Even better than Apple's 'closed fortress' is the Windows Store. Microsoft has more advanced automated testing.

The iPhone has also had malware from Apple store Apps. 150,000 Apps, and easy side loading, yet WP8 has had Zero malware due to the platform's isolation model.


You're trying too hard to make them look bad bud. The number of incidents, two of which were from research firms, is still extremely low compared to the amount of apps and length of time they've been up and running. No sense in trying to create some sort of fear with that.

I'm not exactly sure why we're having to make this out to be a "tool" measuring contest anyway.

simplezz said,

1. Native code ≠ Sandboxed VM code.
2. Windows store is curated.

Sandboxed code is very limited in what it can do. That's not to say it can't act like malware though.

It is very limited but it's expanding. Win32 is just too open to be fully secure. But RT and WP8 show Windows can be very secure. Even including the Win32 API it can still be if you set it up right.

To be fair, it's the openness (in terms of installing / running software) of the Windows desktop which has permitted the tens of millions of malware to exist on it. The Windows store is a move in the right direction to help curb that.


Not Windows, but Windows Phone 8 / RT perhaps. Partly because of the effect of security in obscurity, and partly because of the two points above.

No, having users in control over the OS paved the way for malware on Windows (or any OS for that matter).

Any Windows app you download could potentially be a rootkit, malware, virus, trojan, keylogger etc. Only an open source peer reviewed repository is the safest. Even popular curated stores like Apple's aren't immune to attacks.

IE is probably the most common vector for malware from my experiences. Installing Firefox + ABP + NOScript helps a lot, but the only way to be truly safe is to put GNU/Linux on the machine, and only use the peer reviewed open source repositories. You would never catch me doing my banking on a Windows machine.


I see malware acquired via IE all the time. Even on Microsoft's latest OS's. The ecosystem for malware is too great to just disappear overnight. The only way Microsoft can get rid of malware on Windows is to make installing / running programs outside of the curated Windows store impossible. Unfortunately, that's not going to happen in the near future.


Put IE in 64bit mode with all its security enabled. And so far the 2 or 3 "exploits" used on IE10-11 only worked on 32bit. Run IE or Windows properly and avoiding getting malware is quite simple. I get it on my system sometimes but it's gone before it can even do anything.
And for average users, if you help them/set up their system or whatever. It is easy to make it secure enough for you to rarely help them ever again. Unlike previous Windows's, even Windows 8 can be secure.
Install the applications they require. Prevent them from installing others, keep UAC on, pull it up a bar even. IE in Enhanced Protected Mode. EMET in the background, let users only install through the store... And malware has a lot less chance of getting a foothold on their systems.
I've done this plenty myself and the support requirements in my surroundings have dropped.

Get everyone over to Linux and see what happens. Linux hasn't been through the constant shock and awe of malware and security issues Windows has, you want to press your luck on that if everyone would go Linux to "be safe". Your safety of Linux currently is in the hands of the minority.

Microsoft has conquered the vast majority of security issues years ago, the problem lies with the user mainly. They don't want to be pestered with popups (UAC for example, it's more than the popups). Or feel in any way limited. They accept downloads claiming it's an "improved HD movie flash player" and click "YES" or "IGNORE" when something bugs them, just to get it to go away.

I visit the most shammy websites through IE, I stopped using anything else if it's for banking or something I just don't trust. Throw open an InPrivate window (which removes any way of 3rd party tools to intervene) and off I go. I once thought I was safe with Chrome with it being a minority marketshare browser until they took a large chunk of it. Several infections further, except for one each of which Windows Defender noticed (2 times it couldn't do anything about it, but it noticed) and I regularly use 3rd party scanners for a checkup and it's all clean.

Mobius Enigma said,

Even better than Apple's 'closed fortress' is the Windows Store. Microsoft has more advanced automated testing.

The iPhone has also had malware from Apple store Apps. 150,000 Apps, and easy side loading, yet WP8 has had Zero malware due to the platform's isolation model.

Playing Devil's Advocate here... Does Windows Phone not have any (known) malware/virus/whatever for the same reason Linux and OS X had very little (basically zero that actually affected anyone in the real world) market share and so it is not financially viable for malware writers to target the platform yet?

I am sure it is also due to a very solid and secure framework as well but this is the reason the Windows guys put out for Linux/OS X having fewer malware than Windows a decade ago. Seems kind of fair to use the same measurement against Windows Phone.

ditoax said,

Playing Devil's Advocate here... Does Windows Phone not have any (known) malware/virus/whatever for the same reason Linux and OS X had very little (basically zero that actually affected anyone in the real world) market share and so it is not financially viable for malware writers to target the platform yet?

I am sure it is also due to a very solid and secure framework as well but this is the reason the Windows guys put out for Linux/OS X having fewer malware than Windows a decade ago. Seems kind of fair to use the same measurement against Windows Phone.


I'm sure that the smaller market share is the main reason for the lack of malware.

However I'd pay more attention to the lack of a jailbreak for Windows Phone for a measure of overall security of the system.

But to counter, Windows 8 sold 200 million. That's not big enough marketshare?
Windows 8 has been uncracked so far as well. Only through 3rd party applications. The IE exploits found so far did not work in Enhanced Protection Mode.
WP8 is reaching 10-20% in several countries. It's very popular everywhere but the United States, where for some reason people think it's most important to look...with a smaller market, less money to invest... EU is 450 million, India 1.something billion, China... But no, let's constantly focus on the United States of Murica.... That market is becoming more meaningless every year. EU already surpassed it on spending money for luxury products, and we have half a continent left to improve on their wealth.

Shadowzz said,
But to counter, Windows 8 sold 200 million. That's not big enough marketshare?
Windows 8 has been uncracked so far as well. Only through 3rd party applications. The IE exploits found so far did not work in Enhanced Protection Mode.

1. EPM isn't the default. IE users aren't known for computer literacy, hence why they use whatever the default is, which is IE on most OEM PCs.
2. IE is a first party app and its components are inextricable from the underlying OS, therefore an IE flaw or exploit is an OS one.

Shadowzz said,

WP8 is reaching 10-20% in several countries. It's very popular everywhere but the United States

Which countries are at 20%?

Almost all of WP's marketshare is from the loss making 520 and other low end phones. There's no profit in the high/middle-end because there's no users who want WP's. Nokia's virtually giving the 520's away, so they're bound to get some takers who just want something cheap and don't care about the software.

Shadowzz said,

where for some reason people think it's most important to look...with a smaller market, less money to invest... EU is 450 million, India 1.something billion, China... But no, let's constantly focus on the United States of Murica.... That market is becoming more meaningless every year. EU already surpassed it on spending money for luxury products, and we have half a continent left to improve on their wealth.

The reason people focus on the US is because that's where most of the profits are made. Nokia could sell a billion 520's to India and still make a loss because they have to virtually give them away to get people to buy them.

simplezz said,

1. Native code ≠ Sandboxed VM code.
2. Windows store is curated.

Sandboxed code is very limited in what it can do. That's not to say it can't act like malware though.

To be fair, it's the openness (in terms of installing / running software) of the Windows desktop which has permitted the tens of millions of malware to exist on it. The Windows store is a move in the right direction to help curb that.


Not Windows, but Windows Phone 8 / RT perhaps. Partly because of the effect of security in obscurity, and partly because of the two points above.

As much as I prefer open systems, I'm willing to admit that maybe Google should take a more active role in curating the Play Store. For the sake of quality, and for preventing malware from entering.

In addition, Google should build per app permission customisation into Android. It's essential to be able to allow and disallow what functions an app should have access for. That could also be a part of the curation process. Only allow apps in that request permissions for functionality related to their purpose, instead of having wallpaper apps that request to access contacts list, internet, phone etc.


Any Windows app you download could potentially be a rootkit, malware, virus, trojan, keylogger etc. Only an open source peer reviewed repository is the safest. Even popular curated stores like Apple's aren't immune to attacks.

IE is probably the most common vector for malware from my experiences. Installing Firefox + ABP + NOScript helps a lot, but the only way to be truly safe is to put GNU/Linux on the machine, and only use the peer reviewed open source repositories. You would never catch me doing my banking on a Windows machine.


I see malware acquired via IE all the time. Even on Microsoft's latest OS's. The ecosystem for malware is too great to just disappear overnight. The only way Microsoft can get rid of malware on Windows is to make installing / running programs outside of the curated Windows store impossible. Unfortunately, that's not going to happen in the near future.

You are confusing App isolation with a traditional sandbox. A Sandbox runs in a shared area, App Isolation does not. Processes can touch Sandboxed Apps, Processes cannot touch Isolated Apps.

For example, iOS offers a modest level of Sandboxing; however, their recent keylogging exploit can see what is happening inside these 'sandboxed' Apps.

.....

"IE is probably the most common vector for malware from my experiences."

From your experiences... In reality, more malware infection happens via Chrome, Firefox, iTune/Safari, Flash, and Java. IE9/10/11 have 1 in 50 the infection rate of any of these other pieces of software. (These are real numbers, you can find online.)

The problem with Windows is people like you and other 'experts' install Chrome or Firefox for friends or at work, because you think it is more secure and you are wrong.
(Remember the obscurity arguments you can see above, Chrome is more popular than IE9/10/11 - and this is where Malware authors hit, as it is easier than hoping for a <=IE8 user or trying to find a flaw in >=IE9.)

If you want to tighten Windows Security 400%, simply uninstall Chrome


-----

You are confused about how Microsoft Store Apps work and how Microsoft's certification works. There are several levels of safeguards in how the code is analyzed by the servers that neither Google nor Apple does.

As for the brilliance of open source repositories is ignoring all the pollution that has occurred over the years.

DonC said,

I'm sure that the smaller market share is the main reason for the lack of malware.

However I'd pay more attention to the lack of a jailbreak for Windows Phone for a measure of overall security of the system.

Then you don't understand the security model of WP or how the framework works.

WP has been 'jailbroke', but it is irrelevant due to the security model and how the OS is organized.

Here is a crazy fact. There has been more malware on Android devices than Windows 7 and Windows 8 PCs combined. Microsoft's security model is not just obscurity.