Thanks to Rowland Yu of SophosLabs for providing the research for this article.
A recent SophosLabs statistical analysis comparing the ratio of malware to potentially unwanted applications (PUA) across Windows, Mac and Android illustrates a trend we’ve been seeing for some time: attackers are heavily focused on Android devices.
The analysis also shows the bad guys using PUAs to slip past security sensors and penetrate Android and Mac devices.
When we pull back the lens on the bigger picture, Windows continues to be the most-targeted of all operating systems, SophosLabs researcher Rowland Yu said. But the ferocity against Android is clear.
Follow the money
In an email exchange, Yu reiterated a point we’ve made in the past: the more open the system, the more susceptible it is to malware:
On the other hand, if the system has its own app store such as Mac and Android – or undergoes a system or human review – then malware writers will use PUA instead of malware.
Malware writers see PUA as a way to more easily bypass security systems and achieve the same end goal they have with other malware – making money, Yu said.
By the numbers
A look at the raw volume of samples analyzed by SophosLabs in 2016 painted the following picture:
- Of everything targeting Windows, 6% were PUAs while 95% was straight-up malware.
- Of everything targeting Android, 75% is pure malware and 25% were PUAs.
- Of everything targeting Macs, 6% was pure malware and 94% were PUAs.
While malware is designed to do harm, PUAs fall more into the nuisance category: annoying apps that run ads and pop-ups until you finally uninstall them.
Android malware examined
In the SophosLabs 2017 malware forecast released in February, the researchers explored the specific malware designed for Android devices.
SophosLabs analysis systems processed more than 8.5m suspicious Android applications in 2016. More than half of them were either malware or potentially unwanted applications (PUA), including poorly behaved adware.
When the lab reviewed the top 10 malware families targeting Android, Andr/PornClk is the biggest, accounting for more than 20% of the cases reviewed in 2016. Andr/CNSMS, an SMS sender with Chinese origins, was the second largest (13% of cases), followed by Andr/ DroidRT, an Android rootkit (10%), and Andr/SmsSend (8%). The top 10 are broken down in this pie chart:
Defensive measures
Though Android security risks remain pervasive, there’s plenty users can do to minimize their exposure, especially when it comes to the apps they choose.
- Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
- Consider using an Android anti-virus. By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.
- Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
- Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “cooler camera” and “funkier screen”?
If you use a Mac, our recommendations typically include using a real-time anti-virus, even (or perhaps especially) if you have managed unharmed for years without one, and promptly downloading security updates as Apple releases them.
Similar advice applies to malware and PUAs targeting Windows. Apply patches immediately and be careful of attachments and links delivered via Outlook.
Wilbur
I used to use the Sophos’ free stand-alone anti-virus on my Mac but apparently you have changed it to a cloud-based service rather than a program running on my computer. How does this work without sending all my data off to the cloud to be analyzed? For those of us with slow DSL connections (1.5 Mbps tops in my case with no other options ) any additional network traffic is not a Good Thing.
Or am I misunderstanding the way the new Sophos Home works? Can it be run as a stand-alone application on my Mac?
Bill Brenner
Stand by, Wilbur. I’m consulting with our Sophos Home team to get you a more detailed answer. Thanks!
Paul Ducklin
The “cloud” part is mainly to provide you with a web-based management console (you can now manage up to 10 computers via one Sophos Home account) so that you don’t need to run a server of your own to keep track of the options you have set on each computer.
The actual core of the Sophos Home for Mac product *still gets downloaded, installed locallyand regularly updated on your Mac*, just like now. In other words, if you have 1GB of local files that you want to scan, they’re all scanned locally, just like before – we don’t upload 1GB’s worth of data into the cloud to scan it remotely. (That would be a privacy problem as well as a bandwidth problem – for us as well as for you :-)
There *are* some parts of the product (such as Live Protection) that do real-time lookups in the cloud, and therefore generate network traffic, but they don’t upload entire files…in fact, those features are already in the product you are using now.
In short, the cloud part mainly relates to the GUI, which now runs in your web browser.
As far as virus scanning and real-time protection goes, Sophos Home is still a program running on your computer, and you should find the network load of the new-style Sophos Home to be pretty much identical to what you are seeing now. (That was my experience, anyway – in terms of network traffic it was six of one, half-a-dozen of the other.)
Wilbur
Thank you, your explanation helps a lot.
Anonymous
I had been an Android user until I switch to iOS last year. The fact that installing antivirus on your mobile device really bugs me. Although I use Sophos AV on my Mac.
Usul
“[…] the more open the system, the more susceptible it is to malware […]”.
Further down you write that Windows was targeted by 95% pure malware, which is contrary to the statement above. I’m not saying it’s wrong but I think your attempt of presenting a simple and understandable statement failed. It is not that simple and there are further attributes to be taken into account.
You mention that the numbers (btw – 95% Malware, 6% PUA = 101%; mistake or overlap?) are taken from a 2016 analysis. Are you able to share the analysis with your readers?
Many thanks, Usul
Bill Brenner
Hi, Usul.
Regarding the “95% Malware, 6% PUA = 101%” part, there is some overlap. Regarding the question of the full 2016 analysis, that is something I’m working to make available. To your point about me contradicting myself, I think you’re right and that what I should have said was “the more open the ecosystem.”