What is worse on Android? Malware or PUAs?

Filed Under: Android, Featured, Malware, Mobile, SophosLabs

The number of newly discovered malicious applications for Android is growing at a rapid pace. Just by looking at the number of unique samples seen by SophosLabs this year, we see a 41x increase over the entire 2011. And we are only in September.

Android malware discovered yearly

Interestingly, the Andr/Boxer family accounts for almost half of the newly discovered samples. Boxer is a SMS toll fraud malware, specifically targeting Eastern European markets so it does not pose a huge threat to the users in the rest of the world.

Android malware families

By contrast, actual detection reports sent to SophosLabs by the users of Sophos Mobile Security paint a different picture. The impact of Boxer family is much lower than the number of samples we discovered.

The top two reported detections are for potentially unwanted applications (PUAs). The most reported one, PJApps, is a detection for applications cracked and served through an alternative market app called "Black market". The Black Market application was, for a long time, hosted on Google Play before it was removed, indicating that the Google Play vetting policy could be improved.

Black Market Application

The second most reported detection, NewYearL, is for applications that bundle an aggressive advertising framework Airpush. Together, these two PUAs account for almost half of all of the detection reports.

Top Android detections

When users ask us about the sources of malicious apps, considering the exponential growth of Android malware discovered, we usually say that most of the malicious apps are hosted on non-reputable sharing sites and alternative markets. So, you are likely to agree that the safest source of apps is the central Android market - Google Play. With a caveat: make sure that apps you intend to install are installed by many users and that their reputation is good.

Of course, occasionally there has been, and will continue to be, be malicious applications which will be able to circumvent the Google vetting process and Google Bouncer. As malicious apps become more complex, we will inevitably see more complex malware which will be able to hide its malicious functionality for a longer time period, allowing it to infect a larger number of devices.

Unfortunately, among 600,000 or so apps hosted on Google play, there is a large number of applications created by keen developers who've made a decision that the best way to make money is by bundling many advertising frameworks with their apps. Some of the advertising frameworks play nicely, others are quite aggressive. They place links for the sponsored apps to the launcher area, display adverts even if the app is not running and even send potentially identifiable information back to the advertising server.

Although behavior like that cannot really be classified as malicious, for a long time users have felt that Google's action is required to improve the control over advertising frameworks bundled with applications. And indeed Google has recently taken steps towards strengthening the Android developer's policy concerning the ads in apps.

In an email to all registered developers Google specifically mentions changes to the ads policy:

Additionally, we are adding a new section that addresses ad behavior in apps. First, we make it clear that ads in your app must follow the same rules as the app itself. Also, it is important to us that ads don’t negatively affect the experience by deceiving consumers or using disruptive behavior such as obstructing access to apps and interfering with other ads.

The policy change is certainly welcome and reflects our opinion that aggressive advertising degrades the user experience of the platform. Unfortunately, policies also have to be enforced and it will be interesting to follow how will this change actually reflect to the apps in Google Play.

I'd also be keen to see your votes in the following poll, and do leave a comment below if you have thoughts you would like to share.


, , , ,

You might like

11 Responses to What is worse on Android? Malware or PUAs?

  1. Abigail · 1115 days ago

    Personally it's none of the above. My primary consideration is do I consider the permissions required by the app appropriate. For example, Facebook's application wants access to the phone state, identity and contact data. Contact data I can understand as it populates the pictures of contacts from it's own sources but I'm not happy with them trying to scoop my IMEI number. Their access rights prior to my check today were worse when they also required full read and write access to the messaging system. Angry Bird's is another example of an application that has permissions beyond the remit of itself. Even your own application Sophos Mobile Security I feel steps out of the bounds requiring by default access to SMS. Again whilst I understand the need for such access I feel that the requiring feature should be an add-on and not a prerequisite.

    • Kevin Breen · 1115 days ago

      As i understand it the Sophos Application requires SMS access for the Remote Lock, Wipe Locate Feature.

  2. MahHead · 1115 days ago

    I find it curious that at current results, download location outscores cost of app. This is probably a result of people voting how they wish they behaved vs truly behave. In a world where apps are pirated absurd rates on the android platform. Getting an app for free wins every time.

    • Machin Shin · 1115 days ago

      You really have a poor view of people to think everyone just steals instead of buying. I for one know that I can get apps for free and choose to buy them. I think that will be true of a lot of people here.

      Why would I pay for something when I can get it free? Simple, there are more cost then just the up front price. I also take into account things like, how much effort is involved in getting the app and what are the risks involved with getting it each place.

      Paying for the app cost a lot less than dealing with my phone getting screwed up by some pirated version. Most apps cost $1. It is well worth a dollar to save me the time involved in pirating it and the risk involved as well.

  3. danny6114 · 1115 days ago

    I've recently become infested with ads that appear as soon as I unlock my screen and can find no way to ascertain which app is causing this. I would be eternally grateful for any suggestions on how to alleviate this torment. I'm not a long time user of smart phones so simplicity would be necessary. Thank you.

    • Cathy Mullican · 1110 days ago

      I suggest installing something like Avast or Sophos Mobile Security. Should find and clean up the problem.

  4. elrond · 1115 days ago

    In answer to your poll, "What is THE most important consideration when you install an app on your Android device?" the most appropriate response for me would be security permissions.

    • Eva Rose · 1112 days ago

      I totally agree with the security and permissions. If an app does give an option to users to manually select which permissions are granted, then it's a winning strategy. After all, users own their device and have all the rights to know what's being read and written onto it.

  5. Jack · 1115 days ago

    Maybe it's because none of the above is an appropriate answer as the first respondent stated. Mine may even be different. Just have an 'other' with an entry and add up the first groups that are the same for inclusion into your output. Maybe you would be surprised. As for the apps, I use an iPhone, as I had an Android and trashed it because most applications crashed very quickly with no notice of what happened or why. I had an app (iPhone) that wanted access to Facebook for inclusion, after I said no, it stated that I had to log into Facebook to deny access to the app before I could continue. I don't even use Facebook and I didn't give it any indication that I wanted it to have access. I've found that most apps seem to ask too much and don't make it a full day without making it to the trash can. And what about us that don't have SMS working? Does that make your app not work? Do you say that on your installation page? I don't know haven't even tried to use your app! I don't text and to pay 10 bucks for the 3 or 4 times a month I use it must make that data rate outrageous! It's so cheap to them it should be free! I asked my carrier if I'm charged for someone texting me, they said they don't charge for them texting me so I had to say what if someone else texts me? They said it cost me 10 cents each and 50 cents if the send me a photo! What a rip off!! They give little to no information as to the requirements of an app. They also should state how much memory it uses for the app itself, I've thrown them out for that also...

  6. @richardhack · 1115 days ago

    Wow... I looked at the title and thought: "PUA? Pick Up Artists are a problem on Android?"

    Never mind...

  7. Cathy Mullican · 1110 days ago

    RIght now, "how much internal storage will it use?" is a big factor. Permissions matter, but I find many users leaving reviews don't seem to have researched what they mean, so the their objections seem paranoid to me.

    I get a lot of apps from the Amazon app store, mostly their free app of the day; if I"m just searching for something, I usually start with the Play store.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.