F-Secure says Android malware is king, but are these reports just FUD? (updated)

Updated 1:16pm PT

Android and iOS may be battling for the smartphone market crown, but its Android that’s the undisputed king of malware.

So claims a new report from security software company F-Secure(PDF), which says Android was home to 79 percent of mobile malware in 2012. Compare that to iOS, which accounted for less than a percent of the pie, F-Secure says.

The situation sounds pretty dire for Android, and in some ways it is. Android is the biggest target since it has the most mobile marketshare, and third party marketplaces list malicious apps that could siphon off information or send premium SMS messages to steal your money. But the use of “malware” here might be overstated. F-Secure stretches the definition of “malware” to include things like Android test tools (which “may be misused for malicious intent by irresponsible parties”) and “potentially unwanted software,” which could inflate the numbers.

It’s worth noting that F-Secure makes its bread by selling software to help counter the sort of threats its reporting. Not everyone feels F-Secure’s analysis is indicative of Android’s overall safety.

For a one take on this sort of stuff, consider this 2011 Google+ post from Google engineering manager Chris DiBona (found via a comment in TechCrunch’s own story on F-Secure’s report):

Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM, or iOS, you should be ashamed of yourself.

If you read an analyst report about ‘viruses’ infecting iOS, Android, or RIM, you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence.

Being a Google engineering manager, however, DiBona is obviously biased as well.

The point is that there are clear issues with the F-Secure report and other reports like it. Without firm numbers, clear definitions, and specified threat sources, reports such as F-Secure’s could be considered FUD. But it’s important to note that there are real reports of Android malware, and we can’t outright dismiss them.

I’ve reached out to F-Secure for comment on the criticism, but a PR rep said that the company is “unavailable to respond at this time” due to it being nighttime in Finland, where the company is based. We expect to have more details on these unanswered questions soon.