Every quarter Kaspersky releases an IT Threat Evolution report which looks at the state of the digital world in terms of security threats. As part of this report, Kaspersky has a section devoted to mobile threats. In its 2012 Q2 IT Threat Evolution report, Kaspersky reported that from April to June it found 14,923 new malware targeting Google’s mobile operating system, Android. Almost 15,000 new malware in three months is a “threefold” increase from the previous quarter, according to Kaspersky.
Of these 14,923 new malware, 49% are “multi-functional Trojans that steal data from telephones” and are “capable of downloading additional modules from servers run by malicious users”; 24% are SMS-trojans that steal money by sending texts to premium numbers; 18% are “backdoor” malware that allow scumbags to take control of infected Androids; and the remaining 9% consist of adware, spy-trojans, downloader-trojans, “monitors”, and “risktools”.
Kaspersky even included handy charts to help drive the point home:
Scary, right? You should run and purchase Kaspersky Mobile Security for Android before it is too late, right? Whoaaaaaa, hold your horses cowboy. Before you send cash Kaspersky’s way, let’s take a look at what F-Secure has to say about Android.
In its 2012 Q2 Mobile Threat Report, F-Secure, which is digital security vendor similar to Kaspersky, also found new Android malware between April and June. However, F-Secure found 40 new malware (81% trojans, 10.4% “monitoring tools”, 5.2% apps, 1.7% riskware, and 1.7% adware) as opposed to Kaspersky’s 14,923. Now I don’t care how you slice the cheese — there is a huge difference between these two numbers. Why? I can understand a difference of maybe a few hundred or even a few thousand, depending on the total size. But a difference of over 14,000? Something must be up.
According to online security-focused publication The H Security, something indeed is up. What is up is the difference between the methodologies that Kaspersky and F-Secure use.
Kaspersky uses something called “unique sample” technique. Every time Kaspersky finds malware, it hashes that malware and stores that hash in its database as a way to identify the malware the next time it appears. If a malware is found to have the same hash as a hash that already exists in the database, it isn’t new malware; if it doesn’t have a matching hash, it is new. The problem with this methodology is it results in a new hash for malware if anything is changed in the malware, regardless of if the malware is indeed new or not. For example, a lowercase letter in the malware’s code could be changed to uppercase and that would result in a new hash. The malware itself is unchanged but Kaspersky marks it as new because it generated a new hash.
F-Secure, on the other hand, uses a more sophisticated method of tracking malware. F-Secure does not count malware based on hashes but rather looks are malware families and variants. For F-Secure, a malware is not new simply because the case of some coding was modified; F-Secure counts malware as new if it indeed is new (i.e. from a new family or is a variant).
The difference between how Kaspersky and F-Secure track malware is the prime reason why their counts are so drastically different. In Kaspersky’s defense, it isn’t the only company to track malware using the hash method. Indeed many other security vendors do the same and, while I can’t pull specifics off the top of my head, I’ve read reports similar to Kaspersky’s claiming thousands of new malware have hit Android. Still, though — really, Kaspersky? Do you want us to buy your products that badly or is this just poor research methods on your part?
No one is disagreeing that Android is the favorite for mobile malware developers and malware targetting Android is on the rise. The point of contention is just how many new malware is hitting Android and how quickly the threat is rising. I don’t know about you but I personally find F-Secure’s results to more reassuring than Kaspersky’s. It isn’t necessarily that F-Secure found less new malware than Kaspersky. Rather, F-Secure’s methodology, at least on the forefront, makes more sense than Kaspersky’s and is less scareware-like. In my opinion, of course.
Now, if you are worried about getting your Android device infected, you shouldn’t be. First of all, there are plenty of free security apps you can download to protect yourself. Secondly, even Kasperksy admits “the main channels of distribution are unofficial online app stores and affiliate programs”, meaning the malware Kaspersky detected are mostly not from Play Store or other trusted app stores like Amazon App Store. Thirdly, if you follow dotTech’s tips on how to protect your privacy on Android, you are likely to never download malware or an infected app regardless of if it threatens your privacy or your wallet. Feel free to share your thoughts on this topic in the comments below.