Posts Tagged ‘ComScore’

Looking Inside a Year of Android Malware

August 14, 2011

As you probably know, my Birthday post for Android Malware earned a mention from Engadget and Wired. Predictably (though not for me), the Engadget link was flooded with comments posted by Android supporters and adversaries, with possible troll infiltration, to the point that the editorial staff decided to disable comments on the article. The effect was so surprising that someone even insinuated, among other things, that I had been paid to talk s**t about Android.

Now let me get some rest from this August Italian Sun and let me try to explain why I decided to celebrate this strange malware birthday for the Android.

First of all I want to make one thing clear: I currently own an Android device, and I have convinced, where possible, all my relatives and friends to jump on the Android. Moreover, I consider the Google platform an inseparable companion for my professional and personal life.

So what’s wrong? If you scroll the malware list you may easily notice that the malware always requires explicit consent from the user, so at first glance the real risk is the extreme trust that users put in their mobile devices, which are not considered “simple” phones (even if smart), but real extensions of their personal and professional life.

You might say that this also happens with traditional devices (such as laptops), but in the case of mobile devices there is a huge social and cultural difference: users are not aware that they carry dual-core (very soon quad-core) mini-PCs in their pockets, and are not used to applying the same attention they give to their old-world traditional devices. Their small display size also makes these devices particularly vulnerable to phishing (consider for instance the malware Android.GGTracker).

If we focus on technology instead of culture (not limiting the landscape to mobile), it is easy to verify that developing malware (which nowadays is essentially a cybercrime activity) is a trade-off between different factors affecting the potential target, which include at least its level of diffusion and its value for the attacker (in a mobile scenario the value corresponds to the value of the information stored on the device). The intrinsic security model of the target is, at least in my opinion, a secondary factor, since the effort to overcome it is simply commensurate with the value of the potential plunder.

What does this mean in simple words? It means that Android devices are growing exponentially in terms of market share and are increasingly being used for business as well. As a consequence there is a greater audience for the attackers and a greater value for the information stored (belonging to the owner’s personal and professional sphere), and the sum of these factors is inevitably attracting cybercrooks towards this platform.

Have a look at the chart plotting Google OS market share in the U.S. (ComScore data) against the number of malware samples over this last year (market share data for June and July are currently not available):

So far the impact of the threats is low, but what makes the Google platform so prone to malware? Certainly not vulnerabilities: everything with a line of code is vulnerable and, at least for the moment, a recent study from Symantec has found only 18 vulnerabilities for Google OS against 300 found for iOS (please do not quibble over the different ages of the two OSes; I only want to show that vulnerabilities are common and that in this context Android is comparable with its main competitor).

Going back to the initial question there are at least three factors which make Android different:

  1. The application permission model relies too heavily on the user,
  2. The security policy for the market has proven to be weak,
  3. The platform makes it too easy to install applications from untrusted sources with the sideloading feature.

As far as the first point is concerned: some commenters correctly noticed that apps do not install themselves on their own, but need, at least for the first installation, explicit user consent. Well, I wonder: how many “casual users”, in your opinion, regularly check permissions during application installation? And, even worse, as far as business users are concerned (the likely targets of cybercrime, who consider the device a mere work tool): do you really think that business users check app permissions during installation? Of course a serious organization should avoid the associated risks with a firm device management policy before considering a wide deployment of such devices, most of all among CxOs; but unfortunately we live in an imperfect world, and too often fashion and trends are faster (and stronger) than security policies and also lead the device to be used principally for things other than its primary business role, hugely increasing risks.

This point is a serious security concern; as a matter of fact, many security vendors (in my opinion the security industry is lagging in this context) offer device management solutions aimed at complementing the native application access control model. Besides, it is not a coincidence that some rumors claim that Google is going to modify (enhance) the app permission security process.

As far as the second point is concerned (Android Market security policy), after the DroidDream affair (and the fake security update that followed), it is clear that the Android Market publishing (and security) model needs to be modified, making it more similar to the App Store. There are several proposals in this context; of course it is not my intention to debate them here, but only to stress that the issue is real.

Last but not least, sideloading is something that makes Android very different from other platforms (read Apple): Apple devices do not allow untrusted apps to be installed unless you jailbreak the device. Android simply needs the user to flag an option (by the way, many vendors are opening their Android devices to root or alternate ROMs: consider for instance LG, which in Italy does not invalidate the warranty for rooted devices, or HTC, which on May 27 stated that it would no longer lock the bootloaders on its devices).

So, ultimately, the three factors above (together with the growing market share) make Android more appealing for malware developers, and this is due not to an intrinsic weakness of the platform but rather to a security model which is mainly driven by the user and not locked down by the manufacturer, as happens in the case of Cupertino.

What if Android Reassembles The Puzzle?

ComScore has just published its press release on the February 2011 U.S. Mobile Subscriber Market Share. 69.5 million people in the U.S. owned smartphones during the three months ending in February 2011, up 13% from the preceding period. As we have become accustomed to over the past few months, the Android is still on top, gaining 7 percentage points since November 2010 and achieving a 33% market share. RIM ranked second with 28.9 percent market share, followed by Apple with 25.2 percent. Microsoft (7.7%) and Palm (2.8%) rounded out the top five.

Top Smartphone Platforms: 3 Month Avg. Ending Feb. 2011 vs. 3 Month Avg. Ending Nov. 2010
Total U.S. Smartphone Subscribers Ages 13+
Source: comScore MobiLens

| Share (%) of Smartphone Subscribers | Nov-10 | Feb-11 | Point Change |
|---|---|---|---|
| Total Smartphone Subscribers | 100.0% | 100.0% | N/A |
| Google | 26.0% | 33.0% | 7.0 |
| RIM | 33.5% | 28.9% | -4.6 |
| Apple | 25.0% | 25.2% | 0.2 |
| Microsoft | 9.0% | 7.7% | -1.3 |
| Palm | 3.9% | 2.8% | -1.1 |

Considering the market share on a per-vendor basis provides a different interpretation, and explains some strategic mobile choices of the Mountain View giant. Among the OEMs, Samsung ranked #1 with 24.8% of U.S. mobile subscribers, up 0.3 percentage points from the previous three-month period. LG ranked #2 with 20.9 percent share, followed by Motorola (16.1%) and RIM (8.6 percent). Apple saw the strongest gain, up 0.9 percentage points to account for 7.5 percent of subscribers.

Top Mobile OEMs: 3 Month Avg. Ending Feb. 2011 vs. 3 Month Avg. Ending Nov. 2010
Total U.S. Mobile Subscribers Ages 13+
Source: comScore MobiLens

| Share (%) of Mobile Subscribers | Nov-10 | Feb-11 | Point Change |
|---|---|---|---|
| Total Mobile Subscribers | 100.0% | 100.0% | N/A |
| Samsung | 24.5% | 24.8% | 0.3 |
| LG | 20.9% | 20.9% | 0.0 |
| Motorola | 17.0% | 16.1% | -0.9 |
| RIM | 8.8% | 8.6% | -0.2 |
| Apple | 6.6% | 7.5% | 0.9 |

I am not new to this kind of consideration (already addressed in a previous post in Italian), but it is clear that the Android landscape is becoming a little too fragmented, and this risks becoming a serious issue for the Android, both in terms of consumer perception and in terms of security. As far as consumer perception is concerned: many vendors are pushing more and more customizations, not only in their own Android ROMs but even in the services provided to the consumer (read vendor-dedicated markets and services). This is confusing for consumers, who will inevitably ask why, inside the same platform, they should consider different parameters of choice external to the mere features of the devices (and how they map to the consumer’s needs). Not to mention the tragedy of software updates: a new major release of the Android may take as long as one year to be ported to some devices, because of the extensive customizations made by the manufacturers on their smartphones.

As far as security considerations are concerned, customization affects platform (in)stability and, inevitably, security, given that the same code must be adapted to run on different architectures, and security bugs are always just around the corner.

These factors are probably behind the rumors claiming that Google has been demanding that Android licensees abide by “non-fragmentation clauses” that give Google the final say on how they can tweak the Android code to make new interfaces and add services, and also behind the (unconfirmed) rumors of standardizing the ARM chip for Android 3.0. If we add to these rumors the fact that Mountain View will not (at least initially) release the Honeycomb source code, it looks clear that Google is running for cover in order to stem the excessive number of fragments into which OEM vendors are breaking its precious Android.

The Android is winning the market share battle against Apple and RIM, and forecasts for the next years show a bright future for the Android, destined to achieve nearly half of the market in 2015. So far the Mountain View strategy has proven to be a winning one, but the only obstacle in this triumphant ride could be represented by fragmentation, which might drive consumers to the monolithic models of Cupertino and Waterloo.

Do Androids Dream Of Electric Sheep?

March 7, 2011

Unfortunately not. Right now it seems that the dreams of androids are troubled more by malware than by electric sheep. Of course the sharpest readers will already have guessed the thread linking the title of this post to a very famous science fiction film and to mobile security: in the same hours in which Google was pulling the applications infected by the DroidDream malware from its Market, Alcon Entertainment announced it was in talks to acquire the rights to Blade Runner in order to make a prequel. Fortunately we can rest easy, because they will not be used for a remake (or reboot, as the more fashionable now say), but for a prequel (and a sequel) along the lines of what Ridley Scott, the visionary director of the original film, is doing for Alien, another of his science fiction gems.

Why do I open the post with this title (which is the title of the original novel by Philip K. Dick, published in Italy as Il Cacciatore di Androidi, on which Blade Runner was based)? Because the amusing aspect of the DroidDream malware lies precisely in the fact that the malicious application is active from 11 pm to 8 am, exactly when the Android, presumably resting on the bedside table, should be sleeping and dreaming of electric sheep, and its user with it, who therefore does not notice the anomalous behaviour of the malware, whose echo has not yet faded, essentially for three reasons:

  • First, an issue that will be debated for a long time: the malware was distributed through the official market, and this has revived the never-dormant doubts about the policies Google adopts for admitting applications to the market. It is now clear that the model can be improved, and from many quarters there are loud calls for a new model that raises security and controls, perhaps making developers traceable through a combination of strong authentication (for example with certificates) and a higher economic entry threshold (currently $25);
  • Second, the danger of the malware lies not so much in its ability to send information to a remote command and control server (all in all, the quantity and quality of the information is rather modest) as in its ability to install malicious software at will on the infected device; and this function could certainly be used (monetized) by the author for far more serious purposes (with far more serious impact for the user);
  • Finally, the remote cleanup model adopted by Google has also raised some doubts (but I have already talked about this). I will only add, as someone said: imagine if Microsoft started uninstalling applications remotely in case of security problems…

In my opinion the most worrying aspect of the whole affair is that Androids are spreading heavily in the enterprise. If on the one hand the security events of the last two months are the consequence of this (if the level of the user rises, the value of the data and the chances of profiting from it indirectly rise too), on the other hand the model must be revised so that as little of the security as possible is delegated to the user: as long as the advice is not to root the device or not to install applications that do not come from the official market, that is one thing. But when users are asked to check everything, even when it comes from trusted sources, then the matter becomes really more delicate.

My sixth and a half sense tells me that we will hear more about security problems for the Android, even though so far the security slips do not seem to disturb in any way the dreams (this time of glory) of the Android, which is confirmed, according to the latest ComScore figures, as the king of the market across the ocean.

According to the latest figures, in fact, Google's mobile OS has ousted RIM from the throne of the most widespread operating system: out of 65.8 million U.S. smartphone users during the quarter from November 2010 to January 2011 (+8% compared with the previous quarter), the Android took 31.2% of the market, at the expense of RIM, which dropped to second place with 30.4% (down 5% compared with the previous quarter), and of Apple, substantially stable with 24.7%. Microsoft got a measly 8% (let's hope the billion bucks that, it is said, Microsoft paid to Nokia as part of the deal of the century were well spent). Closing the ranking of the magnificent 5 is Palm, now reduced to a flicker with a measly 3.2%, awaiting the fruits of HP's acquisition.

Top Mobile OEMs: 3 Month Avg. Ending Jan. 2011 vs. 3 Month Avg. Ending Oct. 2010
Total U.S. Mobile Subscribers Ages 13+
Source: comScore MobiLens

| Share (%) of Mobile Subscribers | Oct-10 | Jan-11 | Point Change |
|---|---|---|---|
| Total Mobile Subscribers | 100.0% | 100.0% | N/A |
| Samsung | 24.2% | 24.9% | 0.7 |
| LG | 21.0% | 20.8% | -0.2 |
| Motorola | 17.7% | 16.5% | -1.2 |
| RIM | 9.3% | 8.6% | -0.7 |
| Apple | 6.4% | 7.0% | 0.6 |

The Android does not stop, even though the weight of fragmentation among manufacturers (with the resulting need to guarantee compatibility and stability across a wide range of platforms) is starting to be felt (also in terms of security). Let's hope that, from this point of view, the Android is not infected by another fearsome virus: the Redmond syndrome.

