
Android Malware: Why Aren’t We Doing Something About It?

It seems only a couple of years ago that we were talking about breaking the 1,000 mark in malicious Android apps, and now we are moving closer to the million mark, according to these DEF CON researchers. The question is at what point this sparks concern for the 900 million activations of Android devices. AVTest recently did a test of 30 anti-virus products and found that very few people run any third-party controls to keep their devices, let alone the stored information or transactions, safe. Is it that the numbers still aren’t big enough for people to care? A lack of security awareness is a likely factor if you consider that 17 percent of users still don’t have any security on their PC when they browse the Web. So why are we so slow to step up to security on Android?

There is a simple reason: as smart as phones are, most people still see them as just that, a phone, not a micro-computer. There are practical implications too: although they are micro-computers, some anti-virus solutions can still slow the device down, and updates need bandwidth.

Is there a different approach? The answer is yes: there are a number of ways.

Tools such as app wrapping allow businesses to apply localized security controls to each app, defining how it interacts with the underlying operating system and other apps. Some security suppliers are offering up their own marketplaces to test and then wrap and sign apps for general public consumption. All of this, however, doesn’t really answer the core problem for users: what is each app doing in the background that users don’t know about?

The recent Appthority App reputation report highlighted that 83 percent of the most popular apps are associated with security risks and privacy issues. While some apps may be malicious, others may not be, yet still put users at risk. For example, from our testing at FireEye, we have found that while installing an app, the user is informed by the app of the resources it will use. However, apps can often use more than they disclose.

Consequently, a new mobile security approach is evolving: taking the virtual execution environment concept to mobile, seeing exactly what each app really does when running, and then scoring it based on the risks that it would create for a typical user. The difference here? Validation prior to install.

Will this replace anti-virus on the device? Doubtful. Long term, each method has its own benefit. However, is this an easier, more practical first step to allow users to safely test and use apps without having to monitor all processes, potentially impact performance, and require frequent updates? Definitely.


About Greg Day

As VP & CTO, Greg Day is responsible for FireEye’s technology strategy and security thought leadership across EMEA. With over twenty years’ experience in the security industry, Day is acknowledged as a thought leader and experienced practitioner in the security industry. As a senior consultant he works closely with CISOs and other senior executives in government organisations and global enterprises to develop and share security best practice, contribute to policy development and audit cyber strategies where security is mission critical. In addition to his role with FireEye, Day is a member of a number of industry security groups, including vice chair of Intellect’s cyber security group, for which he was selected by fellow security professionals, and the steering committee for CISP
