On Potentially Unwanted

I have been busy the past few months because of these PUAs (Potentially Unwanted Apps). Honestly, I consider myself lucky because yours truly is an old-school AV veteran who survived the good ol’ spyware wars (circa 2003), so connecting the dots for this technical challenge will be a considerably easier task.

As I have not posted anything on this blog for the last 9 months, I want to post my personal insights on this PUA issue. I am not sure where to start, so maybe I will post some basic Q&A on PUAs and do a series of blog posts, just like what I did with vulnerability assessment.

Here we go:

What are PUAs?

Potentially unwanted applications (PUAs), classified as grayware, are applications installed on a mobile device or a computer that may pose a high risk or have an untoward impact on user security and/or privacy. They may also consume computing resources. A PUA may be unwanted by the user even if it is installed with the user’s consent. More often than not, PUAs do not explicitly and completely state their functions and purpose. The impact the application causes may be inadvertent or simply part of its design. PUAs are created by legitimate or illegitimate software publishers.

What are the common PUA behaviors?

Here are some notable PUA behaviors:

  • Bundling – There are applications that, when installed on a device or a computer, install other applications (bundled software) that users may not want. The primary application that installs the additional applications often tricks users during the installation process with options that allow the installation of the bundled software. Applications like these may also come bundled with other grayware.
  • Advertising – displays excessive advertisements, causing interruption or annoyance to users.
  • Information collection – applications that collect information without the user’s consent.

PUAs can be complex and may contain other unwanted behavior such as:

  • Exaggerated or bogus notifications
  • Lack of control for users
  • Run unwanted processes or applications that consume computing resources
  • Provide an unconventional way of uninstalling the application

Source: Trend Micro PUA Security Definition Page

Some questions that I plan to give more insights on in the succeeding posts:

  • Is PUA equal to Malware?
  • Is PUA an endpoint problem?
  • What changed from the threat landscape of 2003 vs today?

On Vulnerability Scanning – Part 2

Thus do many calculations lead to victory, and few calculations to defeat: how much more no calculation at all! It is by attention to this point that I can foresee who is likely to win or lose.
Sun Tzu, Art of War

This is the second part of my vulnerability scanning post.

A friend of mine asked me if I could give my advice about vulnerability scanning. He is enrolled in an infosec class in one of the universities here. He said this vulnerability scanning is an educational project for them.

Here are his questions:

  • Is it legal to perform a vulnerability scan from an external source?
  • Do I have any recommendation on how they should do the vulnerability scanning?
  • What are the standard parameters/elements of vulnerability scanning that they should use in this vulnerability assessment exercise?
  • Their group agreed to do scanning on “Company X”. Again, any advice on possible legal and other complications?
  • Is security company “Company Y” providing a secure online vulnerability assessment tool?

In the first part of the post, I focused on the planning, high-level objectives and scoping of the project. This post discusses the feedback on the other items.

Is it legal to perform a vulnerability scan from an external source?

Most of the vulnerability scan and assessment tools that I know of have legal implications. The legal complexity mainly depends on which country or jurisdiction “Company X” operates in. At the very least, the students should know the applicable laws in their respective countries. At the end of the day, it will be the lawyer and/or legal expert who can say whether it is legal or not, so I may not be the best candidate to answer this question.

Do I have any recommendation on how they should do the vulnerability scanning?

For the vulnerability scans I directly participated in, the usual setup was that the entity being scanned and assessed provided consent and the scans were made inside their network. So the key concepts here are consent and internal scanning. The targets of my scans were within a defined network, and the vulnerabilities being searched for were clearly identified. The purpose of our vulnerability scan exercise was to notify the IT admins and let them address the “vulnerable” machines and mitigate the risk of malware infection.

Their initial scope points to doing website scanning on “Company X”, which is operating in “Country W” territory. They will do white hat work (most probably a website vulnerability scan), but the boundary between white hat (and grey hat) and black hat may not be clear. So, for our example’s sake, I reminded them that they should know the law of Country W; for example, if it were the Philippines, maybe they should review the Cybercrime Prevention Act of 2012 (RA 10175) and the Electronic Commerce Act (RA 8792). Overall, this can be a very tricky situation, especially if they will not engage Company X and do proper disclosure.

On motives, I told him to answer a simple question:

What will be the difference between the scanning they will do and what malicious groups (e.g. hackers) do?

If they cannot differentiate theirs from the bad actors on the net, then they may be inviting trouble.

Scrutinizing their initial plan, I found an interesting point: “Company X” operating in “Country W” is not entirely true. “Company X” is part of “Country W” government branch offices. So we have testers who are “Country W” citizens, operating in “Country W” territory, doing vulnerability testing against “Company X”, which is part of the “Country Y” government. To summarize: the original plan is inviting bigger trouble.

So I suggested that they do internal testing with Company X, get Company X’s consent, and at least do responsible disclosure of the vulnerability if they find something. More on responsible disclosure can be read here.

Is security company “Company Y” providing a secure online vulnerability assessment tool?
I haven’t tried “Company Y”, but I know they are an indirect competitor to my current company, so I might not be the unbiased feedback giver. I saw “Company Y” folks at the RSA conference, and they seem cool and tech savvy. At RSAC, we always say, “we (RD guys) are all friends here when we are at RSA, as it is the marketing dudes on the booths who are the ones battling out the marketing mumbo jumbo,” and “we are all part of a bigger ecosystem”, but in reality, there is really “coopetition”. Coopetition is a portmanteau of cooperation and competition.

I suggested to them that they register at the “Company Y” website, read the EULA/Disclaimer of their Free Online VA tool and assess the capability of “Company Y” tools. Just take note that in infosec nothing is really “free”.

On Vulnerability Scanning

“The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand”
Sun Tzu, Art of War

A friend of mine asked me if I could give my advice about vulnerability scanning. He is enrolled in an information security class in one of the universities here in Manila. He said that vulnerability scanning is some sort of educational project for them. The questions and the topic provided a good opportunity for me given that:

  • I like to help my friend (he is a trusted contact)
  • This is an interesting security topic (for your geeky Product Manager)
  • My ideas here might be useful to other people (for your friendly blogger Product Manager)

So I decided to anonymize the details of our Q&A session and post the sanitized feedback here on my InfoSec blog. Remember: all your infosec post are belong to us.

Here are his questions:

  • Is it legal to perform a vulnerability scan from an external source?
  • Do I have any recommendation on how they should do the vulnerability scanning?
  • What are the standard parameters/elements of vulnerability scanning that they should use in this vulnerability assessment exercise?
  • Their group agreed to do scanning on “Company X”. Again, any advice on possible legal and other complications?
  • Is security company “Company Y” providing a secure online vulnerability assessment tool?

First, I shared my standard disclosure: where I work, my designation, and my areas of expertise (Malware, Tech Product Management and related domains). Next is the disclaimer: any information/insights I share should be considered personal opinions. I also joked that I should not, in any way, be held legally liable for my opinions and insights 🙂 . Seriously, setting this disclosure and disclaimer should, in my opinion, be a best practice for infosec folks when sharing these types of information outside of our official work functions (maybe this one is a good idea for a future post).

My feedback:
I told him that I prefer to skip the first 2 questions (the legal and how-to/technical aspects of Vulnerability Scanning (VS)). My suggestion to their group is to take some steps back, focus on the overall picture of the task and do overall planning of the “vulnerability scanning” project. Planning is the key!!!

Hackathon101 <Image Credits: Willow Brugh/ Wikimedia Commons>

I then explored their project by probing with more questions. Like:

  • What do they (students) like to achieve?
  • What is the goal of this academic exercise?
  • What do they plan to do with the results?
  • Do they plan to make the results public?

Vulnerability scanning is a big topic. Planning and scoping it down will help them on this academic exercise on infosec. I also pointed out that they should put safety boundaries at the start to avoid potential technical and legal problems along the way.

To get the things started, I gave them some examples:

  • Do they plan to do port scanning?
  • How about website vulnerability scans?
  • Does web application vulnerability scanning sound cool to them?
  • Maybe check Company X’s (Product ABC) vulnerability?

Examples like the ones above, along with the high-level objectives and scope of the project, will help them shape the project and are critical to its success.

Wow, the post is more than 500 words already 🙂 I plan to do this topic in 2 parts and post the 2nd part soon.

I hope you find the insights on Vulnerability Scanning helpful.

Until next blog post…

On Infosec and Tech

“It is a fool who repeats the same actions expecting a different outcome”
Grom Hellscream, Lord of the Clans

No, this will not be another blog reboot or blog revival attempt. We all know what happened in 2012 and 2013 🙂 and, as the mighty Grom Hellscream of the Warcraft lore once advised (see reference above), I want to do something different this year and hopefully it will have a different outcome. So what I plan to do this 2014 (and onwards) is to put all my InfoSec and Tech posts here at AVSecurityProductManager.com.


<Image Credits: Stofstik/Doge Meme Creator (Android app)>

Most of those InfoSec and tech posts will revolve around the usual topics: malware, security, spam, and related insights, so the blog is still headed in a good direction. Ideally there should be some mash-up with product management and maybe some project management from time to time. And if there will be some mix and mash with other topics of interest (like games, mobile, social media), that will be like hitting the jackpot :)) .

But I will be more realistic this time and try to populate this website first and observe if I can reach my 1 post per month target for this blog and see where this will lead us.

Wish me luck with this new endeavor!

Repost: RSA Conference 2014: The Way Forward

A repost of my previous article on RSA Conference 2014 for the Security Intelligence Blog.

RSA Conference 2014: The Way Forward

by Menard Osena (Senior Product Manager)

I attended the RSA 2014 Conference in San Francisco, which was held about two weeks ago. This year the conference offered new insights into today’s threat landscape, which will help us all plan for and protect users in 2014 and beyond.

Largest Security Conference of 2014

The attendance numbers for RSA are always impressive: this year had more than 25,000 attendees, 400+ sponsors and exhibitors, with more than 550 speakers. Such was the number of vendors that two large Exposition Halls – one each in the Moscone Center’s North and South buildings – were used for vendor exhibits. The various sessions – including most of the technical track talks I attended – were in the Moscone West hall.

Earlier my colleague JM Hipolito shared her own thoughts about RSA; here is what I found most interesting there.

Opening Keynote: Finding a Path Forward in an Increasingly Conflicted Digital World

The Executive Chairman of RSA, Art Coviello, delivered the opening keynote. He gave his first public comment on the RSA and NSA controversy, as well as the need to separate the NSA’s offensive and defensive functions. But what I will remember most from his keynote is his call to governments and the security industry as a whole to adopt four guiding principles to help maintain a safer Internet for everyone:

  1. Renounce the use of cyberweapons, and the use of the Internet for waging war
  2. Cooperate internationally, in the investigation, apprehension and prosecution of cyber criminals
  3. Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected
  4. Respect and ensure the privacy of all individuals

He also reiterated the need for the security industry and governments to work hand in hand to create a safer digital world that will benefit this and the generations to come.

All of the guiding principles are equally important, but I would like to highlight the first and second ones as being the most important.

The topic of cyberwar and cyberweapons is very sensitive, but I found the correlation between cyberweaponry and nuclear weapons compelling. I totally agree with Coviello’s statement that “we must have the same abhorrence to cyberwar as we do nuclear and chemical war.”

As for cooperation in prosecuting cybercrime, this is a topic where Trend Micro’s positions are well-known. We’ve frequently spoken about the need for researchers and law enforcement agencies to work together to prosecute the actual “threat actors”, as we believe that this is the most effective way to catch cybercriminals.

These partnerships allow researchers and police to combine their strengths and ensure that
Our efforts have netted effective results, most recently being the arrest of the creator of SpyEye.

Bitcoin Is Here: How to Become a Successful Bitcoin Thief

Uri Rivner of Biocatch and Etay Maor of Trusteer co-presented the one technical session at RSA dedicated to Bitcoins. They discussed the basics of cryptocurrency and how one can use it. They also discussed the usual use cases of Bitcoin: from creating a wallet and having your very own address, to filling the wallet with Bitcoins using an online Bitcoin exchange.

The highlight of the session for me was a live demonstration of a hack using a SpyEye variant. In the demo, they performed a man-in-the-browser (MiTB) attack and stole the user’s Bitcoin from his wallet.

They also discussed the top cybercriminal activities that Bitcoin has been tied to. These include phishing attempts to steal Bitcoin-related website credentials, deploying RATs (Remote Access Trojans) to have direct access to desktop wallets, up to using botnets to mine Bitcoins (even though this is no longer particularly attractive).

They also explained why cybercriminals are interested in cryptocurrencies like Bitcoin. Because the cybercriminals believe that cryptocurrencies offer anonymity, they think that these will help in laundering money made from illegal activities. In addition, advanced services available in the cybercrime underground (like Bitcoin fogging services) may enable threat actors to further increase their anonymity tenfold.

In summary, the presenters said that Bitcoin is a new exciting frontier and encouraged everyone in the room to try and delve into it so that they understand its potential. They warned about the increasing phishing and malware attacks related to cryptocurrencies. They also pointed out that online Bitcoin exchanges and online wallets are low hanging fruit that may be a big opportunity for the cybercriminals. (The troubles of many online exchanges recently, including erstwhile leader Mt. Gox, have only reinforced this last point.)

The talk mirrored many of the points we have discussed. In December, we had discussed the possibility of Bitcoin’s then-record prices causing thefts of Bitcoin wallets. We had also earlier discussed how users can help secure their cryptocurrency. Overall, we share their sentiments: Bitcoin is the object of much potential, but is the subject of multiple threats as well.

Original article: RSA Conference 2014: The Way Forward first posted at Trend Micro Security Intelligence Blog.

I will try to post my personal insights on the four guiding principles and the bitcoin and other cryptocurrency issues here at AVSecurityProductManager.com soon…

Pinterest Email Spam

I got this interesting email spam last week…

Subject: Your password on Pinterest Successfully changed!


Image 1. Suspect email sample

I feel something is fishy (and phishy too) with the suspect email above. I don’t use this email address for social media accounts (Facebook, Twitter, Google+, LinkedIn or Pinterest), so it is very unlikely for a Pinterest notification to be sent to this mailbox. I also find it weird that I need to click something to receive the password. I may be used to the normal website reset password mechanism (change password on the fly), so this suspect email really intrigued me. My AV and InfoSec training kicked in and I did some basic cyber-sleuthing 🙂

True enough, hovering over the Receive Password button, as well as checking all the links inside the suspect email, I verified that all links DO NOT go to the official Pinterest website but to another unrelated domain instead. The URLs/links are also strange and very long (they contain all-caps hexadecimal strings).


Image 2. Screen capture showing more details of suspect email (showing URL/link, link sanitized)
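As an added example that is not part of the original post, the script below automates the hover-and-check described above: it extracts every link from a constructed copy of the suspect email, compares each link’s host with the domain a genuine Pinterest notification would use, and flags long all-caps hexadecimal tokens in the URL. The sample email body, the example.net/example.org links and the legitimate-domain list are assumptions constructed for this example.

```python
"""Link triage for a suspected brand-impersonation email.

Added example (not from the original post). The email body, the link URLs
and the example.net/example.org domains are constructed sample data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains we would accept for a genuine Pinterest notification.
# Assumption for this example; a real deployment keeps such a list per brand.
LEGIT_DOMAINS = {"pinterest.com"}

# Run of 16+ uppercase hex characters: opaque redirect/tracking tokens.
HEX_TOKEN = re.compile(r"[0-9A-F]{16,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Return the last two labels of the URL host (e.g. 'pinterest.com')."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage_links(html_body, legit_domains=LEGIT_DOMAINS):
    """One finding per link: its host, whether the host belongs to the claimed
    brand, and whether the URL carries a long uppercase-hex token."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = registrable_host(href)
        findings.append({
            "text": text,
            "href": href,
            "host": host,
            "brand_match": host in legit_domains,
            "hex_token": bool(HEX_TOKEN.search(href)),
        })
    return findings


def is_suspicious(findings):
    """Suspicious if any link leaves the brand's domains or looks like an
    opaque hex-tokenised redirect; a clean notification has neither."""
    return any((not f["brand_match"]) or f["hex_token"] for f in findings)


# Constructed sample modelled on the email described in the post.
SAMPLE_EMAIL = """
<html><body>
<p>Your password on Pinterest Successfully changed!</p>
<p><a href="http://mail.example.net/A9F3C2D18B7E4F6A0C3D5E7F9B1A2C4D/go">Receive Password</a></p>
<p><a href="http://example.org/unsubscribe?u=9F1E">Unsubscribe</a>
   | <a href="https://www.pinterest.com/">Pinterest</a></p>
</body></html>
"""

if __name__ == "__main__":
    results = triage_links(SAMPLE_EMAIL)
    for f in results:
        flag = "OK " if f["brand_match"] and not f["hex_token"] else "BAD"
        print(f"{flag} {f['text']!r:20} -> {f['host']} hex_token={f['hex_token']}")
    print("verdict:", "suspicious" if is_suspicious(results) else "clean")
```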

Some InfoSec and product management insights: email spam is very much alive today. It has evolved a lot, from the traditional good old pharmacy and replica item offers to more sophisticated kinds of attack. I am not sure if this one was a normal “low-hanging fruit” type of phishing or a more elaborately laid spear-phishing trap, but I think (and hope) it was neither.

Good Practices Affirmation:

  1. Segregate email addresses and usage. It is _NOT_ advisable to mix email addresses/mailboxes for work and for social media accounts. I am a full-time InfoSec dude/Product Manager, but that does not prohibit me from being active in social media. It’s good that I made it a habit to have another mailbox for my social media related accounts and keep it separate from my work related mailbox.
  2. Investigate before you click! Do not trust, always verify!!! Maybe it’s basic internet safety training, or call it paranoia, but I really check most (if not all) of the links/URLs I receive from untrusted sources before I click them. Sometimes I use URL-expanding applications (e.g. LongURL) to get more details on shortened links. WhoisSiteSafety and other related websites (e.g. WoT) are great tools to help individuals if they want to check the suspected links and websites further.

Fast forward to July 3 2013…

A colleague posted a blog entry on the TrendLabs Security Intelligence Blog. And so this Pinterest spam was indeed related to the Blackhole Exploit Kit (Kridex, Blacole, Cridex).

Darn!!! This email might not be “the usual” spear-phishing after all (and I might really be a target). APT? APT!

Your Security Product Manager is really paranoid 🙂

Until next blog post…

Customer Visit Report Template

I mentioned in my previous post that one of the most enjoyable activities of Product Managers is doing customer visits. I have created a short Customer Visit Report Template that I use when presenting the visit to my colleagues and to the management team. It may be useful for other product managers, so I’m sharing it here at AVSecurityProductManager.com.

Customer Visit Report Template

  • Customer Company Name
  • Customer Visit Participants
  • Date and Place of Customer Visit
  • Customer Background/Profile/Situation
  • Main Report (Customer challenges and other customer visit details)
  • Extra Q&A
  • Customer Visit Insights
  • Action items


Customer Company Name

To start the Customer Visit Report document, you need to state the name of the company that you have visited and add a one- or two-liner describing the customer’s nature of business, their industry and other interesting info about the customer. Your Sales Team or Support Team will be a good information source. In the event that Sales or Support folks are not available, the internet will be a good resource too. I learned this via my infosec and social media exposure: “Google/Bing/Search the internet”. Use the company name as search keywords and look for the “about the company” section. Focus on the department or group that you will be visiting (this should be part of every customer visit prep work that PMs should do beforehand) to know more detailed info about the customer.


Customer Visit Participants
Who are the people you have visited or met? Which group are they from?
You should list down the people you have visited and met (and their designation in the company). If other people from your company joined you in the customer visit, it will be helpful to list them here too. It is customary to exchange business cards at the start (or end) of the customer meeting, and this will be a good source of info to recall the names of the customers you have interacted with.


Date and Place of Customer Visit
Was the customer visit done at the customer’s own site? Or was this part of a customer event that your company arranged? Or maybe it was done via a meet-up as part of an industry conference (maybe like the RSA Conference)? It may be a minor detail, but it will be helpful in the long run. Should you run into an email from the customer in the future, you can just look at the first page of your customer visit report and say, “Hey, I visited you guys on this date…”. Make a good impression!


Customer Background/Profile/Situation
In this section, you should share the purpose of the customer visit. Are you here to support your sales guy in closing the deal? Are you putting out fires? Are you here to calm an irate customer? Or is this a confidence visit with a key customer?
Share the background situation (again PMs should know this before the actual customer visit). If you have a product portfolio (like the company I’m working with now) list which products the customers are using, what version of the products, how many seats, other pertinent business details. During the visit, do some competitive intel gathering too (e.g. what competitor products are they using, what versions, are they satisfied, can we complement these solutions? or maybe displace them).


Main Report (Customer challenges and other customer visit details)
This will be the most detailed part of the customer visit report. You can connect the details of the customer background/profile and describe how the customer visit went through. You can put the customer challenges (if they have any) and other detailed customer discussions in this part.
This part can be very free-flow, free-format, as each customer visit may have unique scenarios and details. This main part will help you provide details of the customer problem and/or solutions back to your team.

Extra Q&A Tips
This part is my personal touch to the main report. I usually ask a template question (described in this post), especially during my first visit to the customer. I usually ask about the good and the bad about my company or my product.

For the good stuff I usually ask, “What do they (customers) like best about our company or our products?”. With this question you can discover many revealing answers. And if you are lucky enough, you can validate your company’s or group’s core competence and strategies directly with the customer. Ask the customer to elaborate more to understand your products better.

For the improvement part (the negative ones), you should not ask it as bluntly as “what’s bad with our company or product” (you may be attracting negative energies if you do it this way). Be gentle and do it politely. Call it euphemism, but I usually ask, “What do they (customers) think will make our company or our product better?”. It is good to know what else you can improve directly from the customers (and not from other intermediate channels within the company). Hopefully with this question you can also extract interesting answers from the customer that you can bring back to your team back home. Just be careful, as this part of the Q&A may turn into a ranting or whining session by the customer. If you are not confident about asking about this “improvement”, skip it and focus on the positive feedback from the customer.


Customer Visit Insights
From the details you gathered above, create some insights about the customer visit. You can share what you learned about the customer, your product and how they interact, etc. You can validate the ideas, projects, strategies and concepts that you have in mind based on the feedback from the customer as well as the visit itself. This customer visit insights part should help you as PM, as well as the management team, in your respective activities.


Action items
Lastly, list down the action items. Does the customer need something (documents/tools/whitepapers) that you mentioned in the visit but have not delivered to them yet? Do you have to follow up on some items or requests made by the customer?
Put action item owners and target dates so that you can properly track them.

I hope you find this Customer Visit Report Template helpful.

I will try my best to come up with other helpful things about customer visits in the near future.

Repost: RSA Conference 2013: On Security Awareness, Hacking Back and Going Offensive Legally

A re-post from my recent trip to SF for #RSAC 2013:

RSA Conference 2013: On Security Awareness, Hacking Back and Going Offensive Legally
by Menard Osena (Solutions Product Manager)

Two weeks ago, I attended the RSA 2013 Conference in San Francisco and was impressed by the number of participating security vendors. The addition of the Human Element and Breaking Research in the technical track sessions also provided a refreshing stroke to this year’s presentations.

Below are some of my experiences and insights on some noteworthy discussions involving security awareness, hacking back, and going offensive legally.

The 7 Highly Effective Habits of a Security Awareness Program

Samantha Manke and Ira Winkler of Secure Mentem discussed their views on the difference between security training and security awareness. They highlighted the importance of a security culture in companies in enabling employees to apply best computing practices on a daily basis, resulting in long-term security awareness within the organization.

They presented the results of their recent study conducted among Fortune 500 companies in the Health, Manufacturing, Food, Financial and Retail sectors. This study focused on the security awareness campaigns that companies implemented and how effective these were. They came up with key findings that led them to create their 7 Highly Effective Habits of a Security Awareness Program, which are:

  1. Create a Strong Foundation
  2. (Have) Organizational Buy-in
  3. (Encourage) Participative Learning
  4. (Have) More Creative Endeavors
  5. Gather Metrics
  6. Partner with Key Departments
  7. Be the Department of HOW

My key takeaway for this session is of course the last part. We, the information security professionals, should be the “Department of HOW” and not the “Department of NO”. We must focus on how to allow users to do what they want safely, not simply saying no to our own customers and further locking down systems.

While I understand the need to establish dos and don’ts in company security policies, we should raise the bar and let security be a key part of solving business challenges, not an obstacle to it.

On Hacking Back and Going Offensive Legally

During the conference, I attended several sessions discussing intriguing concepts like hacking back and going offensive legally. One of the sessions was Highway to the Danger Zone…Going Offensive…Legally, presented by George Kurtz and Steven Chabinsky of CrowdStrike. The discussion focused on the idea of active defense as a form of offense against targeted attacks affecting companies. They clearly differentiated this concept from hacktivism and online vigilantism. However, Steven Chabinsky, being a lawyer, also expounded on its complexities, like the differences in laws and legislation in different countries, making the concept difficult to define at the moment.

Another session that covered very similar ground was Is it Whack to Hack Back a Persistent Attack? Trend Micro’s Dave Asprey moderated this session. He was joined by Davi Ottenheimer of EMC Corporation, David Willson of Titan Info Security Group and again George Kurtz from CrowdStrike. The panelists discussed the active defense/hacking back phenomenon and its legal, ethical and business liabilities and complexities when practiced over the Internet.


My personal key takeaway from these sessions is that the active defense concept entails risks and complications that may spur more problems instead of solving the situation. Instead, organizations, in particular security administrators, should have the correct mindset when it comes to targeted attacks and deploy inside-out protection.

For now, I would stick with law enforcement agency and private sector partnerships as the best (and safest) path to combat targeted attacks, exemplified by the Rove Digital takedown last year.

Original article: RSA Conference 2013: On Security Awareness, Hacking Back and Going Offensive Legally first posted at Trendlabs Security Intelligence Blog

I will share more insights (mostly from infosec and product management perspective) about Security Awareness, Going Offensive Legally and other technical sessions here at AVSecurityProductManager soon.

I am also thinking about posting some wonky PM topics (booth babes, circus tricks, nearly clueless marketing folks) too so watch out for it 🙂

Blog Reboot for 2013

The Version Two Dot Oh attempt for last year was a flop!

So let me do a reboot for 2013, remove the 2.0 reference and just write something here. Yup, this blog will still be related to product management. I plan to populate this blog with my PM ideas and insights and set limitations (on content/topic/etc) later.

For starters, I did a repost of my previous blog post for the Malware Blog, and I will do another one soon to discuss the idea and reason behind that blog post, and let us see where this post will lead us next 🙂

Wish me and AV Security Product Manager blog luck and success for 2013!!!

Happy New Year 2013!!!

Repost: How Big will the Android Malware Threat Be in 2012?

To celebrate the 1-year anniversary of my post on the Malware Blog, I am reposting this article here at AVSecurityProductManager.com:

How Big will the Android Malware Threat Be in 2012?
by Menard Osena (Solutions Product Manager)

In August 2011, we released our Snapshot of Android Threats, which stated that there was a significant increase in the number of Trojanized Android apps and actual malware targeting the Android platform.

In our 12 Security Predictions For 2012, we mentioned that smartphone and tablet platforms, especially Android, will suffer from more cybercriminal attacks.

In our continuous monitoring of this threat, we soon noticed that the problem was growing at an alarming rate. From a mere handful of malicious apps at the start of the year, it skyrocketed to more than a thousand malicious Android apps by the middle of December 2011. The average month-on-month growth rate for the second half of 2011 was more than 60%.

If this growth rate is sustained this year, then 2012 will definitely be an “exciting” year for Android. Why is this so? If current trends hold, we may see more than 120,000 malicious Android apps by December.


There are several factors that are causing this explosive growth:

  • The increasing popularity of Android, as highlighted both by the number of total downloaded apps (more than 10 billion via the official Android Market) and the number of users and activations, as stated by Gartner and Google Senior Vice President of Mobile Andy Rubin.
  • The openness of the Android app distribution model. Unlike other mobile OSes, users are free to install applications without passing through any filtering process. This lowers the barriers to installing malicious apps considerably.
  • The cybercriminal mindset: Bad guys attack where the money is.

2011 already saw a wide variety of threats emerge for Android, as we discussed in our year in review. Android malware is definitely here to stay for 2012.

Original Post: TrendLabs Security Intelligence Blog: How Big will the Android Malware Threat Be in 2012?

Image Credit: blog.trendmicro.com

Additional personal insights to follow here at AVSecurityProductManager.com