Courtesy of Goolge

Until now, Google hasn’t talked about malware on Android because it did not have the data or analytic platform to back its security claims. But that changed dramatically today when Google’s Android Security chief Adrian Ludwig reported data showing that less than an estimated 0.001% of app installations on Android are able to evade the system’s multi-layered defenses and cause harm to users. Android, built on an open innovation model, has quietly resisted the locked down, total control model spawned by decades of Windows malware. Ludwig spoke today at the Virus Bulletin conference in Berlin because he has the data to dispute the claims of pervasive Android malware threats.

Ludwig sees security in biological terms:

“A walled garden systems approach blocking predators and disease breaks down when rapid growth and evolution creates too much complexity. Android’s innovation from inside and outside Google are continuous, making it impossible to create such a walled garden by locking down Android at the device level.”

He stated Google’s mission in defending against malware in terms more closely akin to the Center for Disease Control (CDC) than the PC security industry.

“The CDC knows that it’s not realistic to try to eradicate all disease. Rather, it monitors disease with scientific rigor, providing preventative guidance and effective responses to harmful outbreaks.”

The problem Google wants to solve is that most independent security researchers don’t have access to a platform such as Google’s to measure how many times a malware app has been installed. They are analogous to human disease researchers without a CDC to measure the size of a disease outbreak and coordinate a response. Security researchers are very good at finding and fixing malware, but in the absence of reliable data that indicate how frequently a malware app has been installed, the threat level can become exaggerated. Reports that reach publication are often extremely exaggerated. To emphasize this point, Ludwig revealed in his analysis that some of the most publicized recent malware discoveries are installed in less than one per million installations.

A recent leaked report (pdf) from the Department of Homeland Security (DHS) found that most Android malware was installed via text message. We’ve asked DHS to confirm its findings but have gotten no response at this time. This is what Ludwig had to say:

“An application that a user installs from a link within a text message would be included in these statistics [reported today in Berlin]. Some of the short one to two day increases in ratio of installs per million apps can be attributed to text messaging or email spam campaigns.”

Contradicting these anecdotal reports, Ludwig’s analysis indicates that Android malware is not as significant a threat as has often been reported. Ludwig suggests that combining Google’s data driven approach with the research efforts of the industry will improve Android’s malware defenses going forward.

Google’s security mechanisms have improved Android’s malware defenses and provided Ludwig a platform for collecting and analyzing data from over 1.5 billion app installs. Google publicized its malware research results and explained its malware defense framework to invite industry review and broader participation.

The new security mechanisms appeared about a year ago when new versions of Android started shipping with Verify Apps. Verify Apps intervenes when an app is downloaded, compares it to a large database of malware information curated by Google and warns the user if the app is potentially harmful. Verify Apps is also distributed to older Android versions by including it in updates to the Google Play app that is used to download apps from Google’s app store. Checking and blocking apps is enabled by default requiring a user to choose to disable it in order to circumvent its protection.

Courtesy of Google

Using Verify Apps, Google collected this data outside of the protected perimeter of the Google Play app store from installations “in the wild” where the incidence of malware is higher. Based on the data from tracking over one and a half billion app installs Google obtained convincing evidence that the rate of “potentially harmful apps” installed is stable at about 1,200 per million app installs, or about 0.12%. The classification “potentially harmful apps” include both malware and false positive detections of malware. Often benign software apps have behaviors or characteristics resembling malware.

Courtesy of Google

Verify Apps tracks each incident when a potentially hazardous app is flagged, when the user is warned, and when the user chooses to ignore the warning and installs the app. Warnings are an effective deterrent to malware. Only 0.12% of users chose to ignore the warnings and install potentially hazardous apps.

The research presented by Ludwig includes the classification of the types of threats that are represented in a sample of the 1,200 potentially harmful apps installed per million.

Almost 40% are “fraudware” apps that drain the users smartphone account by making premium telephone calls or sending premium SMS messages.

Another 40% classified as “rooting” apps are labeled as potentially harmful applications by Verify Apps, but they are not considered malicious. Smartphone hobbyists and developers frequently root their devices for many benign reasons such as installing custom Android versions like CyanogenMod or to remove carrier installed apps.

About 15% of the apps flagged by Verify Apps are commercial spyware, a diverse set of monitoring apps that range from tracking internet behavior to improve advertising to the very malicious keyloggers that collect personal information entered by the user and report it to the malware creator. The 6% balance is a diverse set of mainly malicious apps.

Courtesy of Google

This framework for improving Android’s malware defenses is an extension of the open innovation model that made Android successful. Publishing Android source code for public review has improved Android beyond even Google’s resource limits by subjecting it to the review of independent software developers. An example of this is the National Security Agency’s (NSA) research project to enhance Android security named SE-Android (pdf), which has contributed research and software that was merged into recent releases of Android. It’s an insightful example of the power of open innovation because much of the security technology came from another open source innovation project to enhance the security of Linux. Despite public suspicion about NSA surveillance, SE Android is not a surveillance risk because like Android it is completely open to public review.

A locked down approach has worked for Apple in protecting iOS from malware because it controls both hardware and software towards the goal of maximizing its profits. In contrast Google has used an open model to maximize Android market share in which it licenses Android for free and controls neither the hardware or software ultimately sold to the end customer. This model has allowed for rapid innovation that resulted in a large market share but has created the need for the open malware defense framework that Ludwig presented.

Ludwig invited the industry to “raise the bar” from here using more and better data to analyze the threat to the user and respond with more effective measures. Coming from Google, this should be no surprise given its obsession with big data and analytics. Open innovation and open source has helped Android achieve market dominance. According to IDC, Android won 79% of the smartphone market share in the second quarter of 2013. Ludwig makes a convincing data driven case that Android is secure—now we’ll see whether Google can make similar gains in Android security that it has made in market share.

Update: We’ve included comment on the DHS malware report as well as clarified language on “rooting” apps.