What is worse on Android? Malware or PUAs?


The number of newly discovered malicious applications for Android is growing at a rapid pace. Just by looking at the number of unique samples seen by SophosLabs this year, we see a 41x increase over the entire 2011. And we are only in September.

Android malware discovered yearly

Interestingly, the Andr/Boxer family accounts for almost half of the newly discovered samples. Boxer is a SMS toll fraud malware, specifically targeting Eastern European markets so it does not pose a huge threat to the users in the rest of the world.

Android malware families

By contrast, actual detection reports sent to SophosLabs by the users of Sophos Mobile Security paint a different picture. The impact of Boxer family is much lower than the number of samples we discovered.

The top two reported detections are for potentially unwanted applications (PUAs). The most reported one, PJApps, is a detection for applications cracked and served through an alternative market app called “Black market”. The Black Market application was, for a long time, hosted on Google Play before it was removed, indicating that the Google Play vetting policy could be improved.

Black Market Application

The second most reported detection, NewYearL, is for applications that bundle an aggressive advertising framework Airpush. Together, these two PUAs account for almost half of all of the detection reports.

Top Android detections

When users ask us about the sources of malicious apps, considering the exponential growth of Android malware discovered, we usually say that most of the malicious apps are hosted on non-reputable sharing sites and alternative markets. So, you are likely to agree that the safest source of apps is the central Android market – Google Play. With a caveat: make sure that apps you intend to install are installed by many users and that their reputation is good.

Of course, occasionally there has been, and will continue to be, be malicious applications which will be able to circumvent the Google vetting process and Google Bouncer. As malicious apps become more complex, we will inevitably see more complex malware which will be able to hide its malicious functionality for a longer time period, allowing it to infect a larger number of devices.

Unfortunately, among 600,000 or so apps hosted on Google play, there is a large number of applications created by keen developers who’ve made a decision that the best way to make money is by bundling many advertising frameworks with their apps. Some of the advertising frameworks play nicely, others are quite aggressive. They place links for the sponsored apps to the launcher area, display adverts even if the app is not running and even send potentially identifiable information back to the advertising server.

Although behavior like that cannot really be classified as malicious, for a long time users have felt that Google’s action is required to improve the control over advertising frameworks bundled with applications. And indeed Google has recently taken steps towards strengthening the Android developer’s policy concerning the ads in apps.

In an email to all registered developers Google specifically mentions changes to the ads policy:

Additionally, we are adding a new section that addresses ad behavior in apps. First, we make it clear that ads in your app must follow the same rules as the app itself. Also, it is important to us that ads don’t negatively affect the experience by deceiving consumers or using disruptive behavior such as obstructing access to apps and interfering with other ads.

The policy change is certainly welcome and reflects our opinion that aggressive advertising degrades the user experience of the platform. Unfortunately, policies also have to be enforced and it will be interesting to follow how will this change actually reflect to the apps in Google Play.

I'd also be keen to see your votes in the following poll, and do leave a comment below if you have thoughts you would like to share.