Security researchers from McAfee say that malware targeting mobile devices is on the rise this year. Actually, it's just malware targeting Google's insecure Android OS that's on the rise. Both iOS/iPhone and Windows Phone remain completely unaffected by this trend and were, in fact, the targets of no malware attacks at all in the most recent quarter.
"We observed the continued emphasis on mobile malware, specifically targeting the Android operating system," McAfee's Threat Report for Third Quarter 2011 reads. "In fact, this quarter Android was the sole target of mobile malware writers. A true portent indeed!"
In the second quarter of 2011, Android was by far the most frequently exploited mobile OS. But in the third quarter, it hit a new milestone by becoming the only exploited mobile OS. (The older Symbian OS, from Nokia, still has more overall malware attacks, but "Android is clearly today's target," the McAfee report notes.)
And malware isn't just exclusive to Android; it's on the rise. McAfee says that Android malware rose 37 percent quarter over quarter and that Android's success with consumers has made it a convenient target for hackers. And in some ways, mobile malware is even scarier than PC-based malware, because users tend to store much personal information on these insecure, easy-to-lose devices. And because of the wide range of communications capabilities on mobile devices, and the interconnectivity with personal information sharing and social networks, there are even more avenues of attack.
The popularity of Android is leading to another curious change in that overall malware attacks—including those on PCs—are now on the rise again. That makes sense when you consider that there are far more mobile phones and devices in the world than PCs, and that in 2011, smartphone sales will surpass those of PCs for the first time. As a result, McAfee has had to revise its 2011 malware attack estimates upward.
So, does the McAfee report or other studies suggest that the iPhone or Windows Phone is somehow more secure than Android? I do happen to believe that, actually. But Google isn't accepting this premise without a fight. It says that the companies reporting all this activity are, of course, trying to sell you anti-malware solutions that you might not even need. "Virus companies are playing on your fears to try to sell you [fake] protection software for Android, RIM and iOS," Google's Chris DiBona wrote in a Google+ posting. "They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM or iOS, you should be ashamed of yourself."
Though DiBona does make some good points—each of the major smartphone platforms, including iOS, Android, and Windows Phone, utilizes sandboxing techniques, for example—it's also fair to say that Android is by far the most laissez-faire of the three when it comes to security. It allows users to bypass a secure, curated online store and install apps from any source. And many apps come with data-sharing exclusions that users simply OK without considering or understanding the privacy or security ramifications. And Android's very nature as an open-source project actually makes it more open to attack rather than less, since anyone can modify the system.
The problem for Android is that it's more forgiving of users' inability to do the right thing from a security standpoint. And in an age when social engineering is perhaps the most common form of attack, it is this very innocence—combined with Android's tractability and popularity—that makes users even more open to attack than users of other platforms. That is, Android's greatest strength is also its biggest weakness.