By 
A common and over-used criticism of Android is malware. People love to point to malware as a reason why Android is unsecure and shouldn’t be used. Of course, the malware problem that people love to talk about is not much of a problem at all. Google made that clear with their latest Android Security State of the Union address.
Google published a very lengthy 44-page report that you can read right here, but there are a few bullet points of importance.
- Over 1 billion devices are protected with Google Play which conducts 200 million security scans of devices per day.
- Fewer than 1% of Android devices had a Potentially Harmful App (PHA) installed in 2014. Fewer than 0.15% of devices that only install from Google Play had a PHA installed.
- The overall worldwide rate of Potentially Harmful Application (PHA) installs decreased by nearly 50% between Q1 and Q4 2014.
- SafetyNet checks over 400 million connections per day for potential SSL issues.
- Android and Android partners responded to 79 externally reported security issues, and over 25,000 applications in Google Play were updated following security notifications from Google Play.
As you can see, Android malware is an exaggerated issue. Fewer than 1% of a billion devices had potentially harmful apps installed. In devices that only install apps from the Play Store than number drops to 0.15%. The moral of the story is the same that has been said for years, and it can be said for users on any platform: if you install trusted apps from trusted sources you will have no issues. It’s only when you start downloading from sketchy places that you will run into problems.
[via Google]
1 percent of a billion is 10 million devices…. thats quite a big number…don’t you think?
I was going to comment the same thing. 1% of a billion, in terms of numbers, is actually a lot.
To put it another way, if you and 99 other people won a competition with a prize of a billion dollars, meaning you got 1% of it, I don’t think the first thing on your mind (or the last thing) would be, ‘wow this 10 million dollars isn’t very much.’
Exactly! There is actually an interesting TED Talk about a similar topic, if you’re interested.
https://youtu.be/mAvSoNUgMno
“The strangeness of scale at Twitter:
When hundreds of thousands of tweets are fired every second, a one-in-a-million chance — including unlikely-sounding scenarios that could harm users — happens about 500 times a day.”
Interesting video, thanks!
I’ll be devil’s advocate even though I agree that it’s overblown, can’t ignore math.
.15% from those 1 billion is 1.5 million. Let’s say half those people (being generous as mainly techies or idiots allow 3rd party installing) exclusively use Play Store, that’s still nearly a million devices. THAT’S A LOT.
And for 1% being affected overall, that’s 10 million devices with PHA.
That’s MILLIONS still.
You can’t ignore math, but the story the math tells can certainly be misleading without knowing a lot of context. In the end, the thing most users want to know is, “will I be a victim?” Looking at the numbers alone, it looks like the roll of a 100-sided dice, and that anyone could end up being a victim 1 out of 100 times — and that simply is not the case. Many of the known cases of bad apps are targeted, such as an infected version of a Chinese-language app that is overwhelmingly installed in China. Many of the other known cases are “free” knock-offs of popular non-free apps. The Play Store was never meant to be idiot-proof, and some discretion from the users has been, is now, and will continue to be required.
Also relevant to the math is that the ‘P’ in “PHA” is for “potential.” One million devices have apps that have some potential for being bad. I’d rather play the skeptic and argue that 100% of apps have the potential of being bad, and a select few have actually been proven to be bad. There is almost a guarantee that there are apps (both in the Play store and in Apple’s app store) that are bad, but have not yet been identified as being bad. No amount of care taken by app store admins will reduce the potential of bad apps to zero, because they are always working with incomplete knowledge. We learn new things about app security all of the time, and some of the people that learn the new things will take advantage of that knowledge before the rest of the world has a chance to discover it.
I’m actually impressed that we may have the rate of infected devices down to 1%, given the fast-moving and incredibly diverse set of Android users. Having followed the information security industry for years, “millions” is a relatively tiny number to make such a statement about.
Kudos to Google ..on other news windoze virus increases by 10 fold
The battle never ends.
Rather than numbers, look at cause and effect. The difference between 8.5 million and 1.5 million is installing from unknown sources.
If we’ve known anything about malware rates, we’ve known one thing for years – piracy is the number one malware infection vector in Android. And the numbers here suggest that that has not changed.
And it’s not about 1.5 million – it’s about 1. If you’re infected, 1 is the biggest number in the world.
Join our forums, learn more about the latest in malware and what you may consider to protect yourself. Or what to do if your browser has been hijacked – the newest craze we’ve been seeing and definitely on the rise, even for people who try really hard to do Android right.
Security is everyone’s business.
And of course there was pretty much no malware in the first place.