Last month Google published its third annual security report on Android’s security protections, aiming to send a clear message to the world about mobile malware (or Potentially Harmful Applications (PHAs), as they like to call them): devices, apps, and Android users are safer than ever. And the entire Android ecosystem is now more secure.
Sending positive messages is ok, but is good to be realistic as well. That is what makes us all improve. We have squeezed some numbers and facts included on the report, to finally determine that it's hard to believe that actually the Android ecosystem is as secure as Google claimed, as the used terminology is not clear and some showed numbers are not aligned.
It is all about “malware” definitions
According to the report, PHA are “applications that could put users, user data, or devices at risk”. This include among many others trojans, spyware, or phishing apps. That is ok, but, as Google recognized, “we are also less strict in our definition of certain PHAs than some users expect. A classic example is advertising spam, which we define as an app that pushes advertising to the user in an unexpected way, such as on the device home screen or lock screen”. This means Google does not count aggressive adware as PHA, which is the most common problem for Google Play users. There is no evidence of aggressive adware definition included in The Google Android Security Team’s Classifications for Potentially Harmful Applications. How this “advertising spam” or aggressive adware may it be? We do not know. Some “so called” advertising campaigns ended up rooting the device. This definitely makes the numbers go down and it is maybe one of the gaps antivirus companies and Google play with.