This January, I won a long-standing bet with my colleague, Pete Silva, about the Android Armageddon. Every year since 2010, industry pundits have been predicting an apocalypse of Android malware that would wreak havoc on the Internet, with DDoS attack bots numbering in the tens of millions. With a billion Android devices now connected to the Internet, there is certainly potential for mischief on a massive scale. However, the predictions have perennially missed the mark.
2015 won’t be the year of the Android DDoS Armageddon, either.
The 2014 Android Security Year in Review report from Google trumpets that only a minuscule amount of malware has been found on Android devices, in spite of the fact that these devices aren’t patched nearly as often as Apple’s iOS devices. It states that “[d]uring October 2014, the lowest level of device hygiene was 99.5% and the highest level was 99.65%, so less than 0.5% of devices had a PHA [potentially harmful application] installed (excluding non-malicious Rooting apps).”
For those interested in mobile DDoS, the Google report includes just one tiny mention (in a graph on page 27), indicating that just 0.25% of the malware detected outside the Google Play store had DDoS abilities.
So, according to Google, mobile DDoS isn’t a thing. Of course, because Google owns Android, it is in their interest to present its security in the best possible light.
The most recent Verizon report validates Google’s claims even while damning it with faint praise. First, let it be clear that in spite of Google’s lofty claims in their 40+ page report, there is a ton of Android malware out there. With regard to malware, the 2015 Verizon Data Breach Investigation Report states, “Android wins so hard that most of the suspicious activity logged from iOS devices was just failed Android exploits.”
But, according to the report, the vast majority of that malware is adware. Once this “low-grade” category is removed, only 0.03% of mobile devices per week are getting infected with truly malicious software.
The infosec industry overall seems to have come to terms with mobile security. BYOD, MDM, and EMM were the hot topics in 2011, but they were nearly absent at RSA 2015. In a recent SecurityWeek piece, 2015 Security Predictions–Have They Held True So Far?, Adam Ely writes:
…if you’re paying more than $0 for your MDM, you’re paying too much. Instead, follow Gartner’s best of breed technology recommendations. More organizations are doubling-down on application-level security — adopting a data-centric approach, rather than a device-centric one — to achieve better insight, visibility and security of their data.
That’s not to say there is no security threat at all. We’ve seen genuinely malicious mobile malware (such as the bank-related Cridex malware), but those samples have been agents deployed to assist the real malware, such as a man-in-the-browser component, running on the user’s PC.
There just haven’t been any notable mobile DDoS attacks. And hey, that’s a good thing. The last thing latency-aware mobile users need is tons of malicious network traffic clogging the core service provider routers.
Getting back to my bet. After the rounds of predictions for 2014, I had bet my colleague that if no mobile DDoS appeared this year, we’d stop talking about it. And it looks like we can.