Nokia says third-party Android app stores need to raise their game to improve overall Android security.
Android’s flexibility makes it the top target for cybercriminals. Image: Nokia Technologies
Nokia’s 2017 Threat Intelligence Report offers a reminder why it’s a good idea to limit app installs to the Google Play Store, even if it’s not perfect.
Nokia found that 68 percent of all devices that were infected in the past year were running Android, followed by 28 percent running Windows, and around three percent running iOS.
The figures are based on data collected from Nokia’s NetGuard, a security product deployed at mobile network operators and used to monitor network traffic from over 100 million devices across North America, Europe, the Middle East, and Asia Pacific, but not India and China.
Nokia also found the proportion of Android devices that were infected per month was on average 0.94 percent this year.
That’s slightly higher than Google’s estimate in its 2016 Android security review that 0.71 percent of Android devices had “potentially harmfully applications” installed in Q4 2016. Infections fell to 0.05 percent on devices that only install apps from Google Play
Nokia says the overall mobile device infection rate was 0.68 percent, while the figure was around 0.2 percent for Windows devices connected to mobile networks, either via a dongle or tethered to a phone.
“The Android platform is the mostly highly targeted by cybercriminals,” Kevin McNamee, director of Nokia’s Alcatel-Lucent Kindsight Security Labs told ZDNet.
Despite regular reports of trojanized apps slipping past Play Store security checks, McNamee says Google is in fact doing a far better job of keeping it clean than two years ago and now offers better malware protection with Google Play Protect.
“Google has done an excellent job with Google Play Protect and they’re really securing the app infrastructure for the Android devices. The main threat vector for Android phones is trojanized apps. In the Android space Google has tried to address this by doing a good job securing Google Play,” the Nokia exec said.
“The unfortunate thing is that third-party app stores are so common in the Android space that nearly all third-party app stores need to bring security up to Google’s level to improve overall Android security.”
Nokia estimates the number of Android malware samples has grown by 53 percent over the past year though to July 2017. It now has a collection of 16 million samples.
The most prevalent smartphone malware detected in networks that Nokia monitors all targeted Android. The top was Android adware called Uapush, followed by the Jisut Android lockscreen ransomware that Eset researchers found targeting Chinese users.
The Marcher Android banking Trojan was the third most commonly seen malware, which is usually hidden in fake versions of popular apps, such as Netflix, that are distributed on non-Google app stores.
As Nokia highlights in the report, Google Play only represents four percent of installs in China where the app market is dominated by local players like Tencent, Qihoo 360, Baidu and Xiaomi.
End-user devices aren’t always the victims and can also become attackers. Nokia’s report notes the massive WireX Android DDoS bot discovered this year that harnessed 150,000 devices to attack content delivery networks. Google, Akamai and security researchers worked together to take the botnet down and remove 300 apps from Google Play.
Nokia’s Threat Intelligence Lab also recently investigated an “accidental DDoS” in which a single phone caused problems at an unnamed device manufacturer after suddenly sending 50,000 52-byte TCP packets per second.
Over a one-minute period the phone had sent two million packets to the manufacturer’s web server. The disruption suggested the manufacturer was under a DDoS attack, but Nokia discovered the flood of traffic was due to a flaw in a software update.
“It is significant that a software flaw could cause a single smartphone to generate so much traffic,” Nokia notes.