Mariposa Botnet Hits Android via HTC Magic and Vodafone…or Does It?
About two weeks ago, I was sitting in our new Threat Center and we were tinkering around with a website that is part of our tool set to identify indications of malware or infections affecting smartphones across the world. The website that we were looking at is called Twitterfall.com and it allows a user to perform keyword searches to match against tweets that are being published. It’s amazing how quickly information hits Twitter and even more amazing how quickly that information is re-tweeted, copied and pasted, and parroted as the truth.
Among others, one of the keywords I chose was “android malware”. I was immediately presented with dozens upon dozens of nearly identical tweets parroting the sentiment that Vodafone had sold a Panda Security employee at least one Android handset that was infected with malware. Obviously, this immediately sparked raging discussions in Android and Apple forums declaring Android a failed iPhone killer. iPhone fans were ready to begin singing “another one bites the dust” as they saw Android’s challenge being repelled.
But, what was lost in the immediate attempts to castigate Android as inherently insecure because of its open source philosophy, was the fact that the Android device in question was not infected with malware. What’s that you say? Not infected? That’s right…not infected. What actually happened was that a Panda Security employee received an HTC Magic device running the Android operating system, from the carrier Vodafone, that had three instances of malware pre-loaded onto the device’s SD card. The SD card is wholly separate from the Android operating system.
When the Panda employee connected the device to her PC via the USB cable, she was automatically alerted to the fact that the anti-virus software on her PC had detected an autorun.inf and an autorun.exe on the card, both of which were flagged as malicious. Further analysis indicated that the card carried the Mariposa botnet client, the Conficker worm and a password-stealing tool for the game Lineage. This is terrible news, right? Of course it is…for Vodafone and for HTC. But is it necessarily bad news for Android? Not really.
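The detection that saved the Panda employee hinged on the Windows autorun mechanism: a removable volume carrying an autorun.inf that points at an executable. As an added illustration (not code from the original post, Panda, HTC or Vodafone), the script below shows the check a defender can run over a mounted SD card: parse autorun.inf, list the programs it would launch, and confirm whether they are Windows PE files. The directory layout and file contents are constructed for the example.

```python
import configparser
import os
import tempfile

# [autorun] keys that make legacy Windows AutoPlay launch a program.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the program paths an autorun.inf would launch, deduplicated, in order."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":  # section name is case-insensitive on Windows
            continue
        for key, value in cp.items(section):
            # shell\<verb>\command=prog.exe is the other way to launch a program
            launches = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
            parts = (value or "").split()  # drop command-line arguments
            if launches and parts and parts[0] not in targets:
                targets.append(parts[0])
    return targets


def is_pe(path):
    """True if the file begins with the 'MZ' DOS header of a Windows executable."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def scan_volume(root):
    """Return (target, exists, is_pe) for every program autorun.inf on the volume would launch."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.exists(inf):
        return []
    with open(inf, "r", errors="replace") as f:
        targets = parse_autorun(f.read())
    return [(t, os.path.exists(p), is_pe(p))
            for t in targets for p in [os.path.join(root, t.replace("\\", os.sep))]]


def demo():
    """Build a constructed sample 'SD card' in a temp directory and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=autorun.exe\nicon=autorun.exe,0\n"
                "shell\\open\\command=autorun.exe\n")
    with open(os.path.join(root, "autorun.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)  # constructed stub: only the DOS header magic
    return scan_volume(root)


if __name__ == "__main__":
    for target, present, pe in demo():
        print(f"autorun.inf launches {target}: present={present} pe={pe}")
```

On a real card, point `scan_volume` at the mount point; a launch target that exists and is a PE file is exactly the combination the PC's anti-virus reacted to here.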
Let’s take a closer look at what actually happened. HTC manufactures the Magic device and chose Android to drive the proverbial bus. HTC likely purchases SD cards from some other manufacturer and may do some level of formatting or configuring of the SD card before or after it has been installed in the Magic device. HTC then ships the handsets, with a Vodafone-specific ROM installed on the device and the pre-installed SD card, to Vodafone. Vodafone then sells the device to a customer. As an interested observer, I don’t really see where Android plays any factor in this equation at all.
This is certainly not the first time we have seen malware being distributed directly from some vendor or retail center. Just to level the playing field, let’s focus on the case of iPods being distributed with a free SIWEOL.A worm that affected Windows PCs. Ok, that was a cheap shot. But the point is that we have seen plenty of cases that indicate that attackers are doing whatever they have to do in order to get their malware into your lives. We know that USB media drives come from retail stores with malware. Digital picture frames have been the attack vector, and McDonald’s in Japan had to recall 10,000 MP3 players back in 2006. There are still more examples of these types of successful attacks that I’ll continue to ignore.
With the exception of a very few security-centric blogs or analysis pieces that responsibly laid the blame for this incident on a faulty QA process between HTC and Vodafone, too many outlets were ready to call Android the problem. But, what was lost in the finger pointing was the fact that a proven defense-in-depth strategy is what identified the problem and protected this user (and many others) from becoming a victim of, and possibly propagating the effects of, the attack. It also didn’t hurt that the victim of the attack was a security-minded employee of a reputable PC security company. This particular user was employing best practices and relied upon an anti-virus solution to assist in identifying malicious content. Bravo!
The only part that Android could have played in this whole story would have been if Vodafone had bundled an anti-virus application with the device’s ROM that was configured to detect Windows-based malware that resided on the device’s SD card. At the point that this story broke, there would have been exactly zero smartphone AV applications in the world that were capable of detecting this threat. But, proven PC security mechanisms worked…as they should have.
What should be taken away from this whole debacle (since it wasn’t learned from the previous ones) is that when using technology, whether in combination or on its own, there are limitations to what can be done to protect yourself. As a user that may be interested in protecting your personal information or financial assets, it is increasingly important to properly leverage technology to provide coverage where it applies. In this scenario, the malware that existed did not affect the Android device, so there was no capability to detect it on the SD card. But, when it did become an issue and could affect the Windows system, there was a capability to detect and defend.
Some might expect an Android anti-virus application to be able to detect this type of malware if it resides on the device. This is where those limitations I spoke of come into question. At this point in the game, it’s simply not possible for a smartphone to effectively handle detection of every PC malware that we know about. There simply are not enough resources available on the device. But, the PC can handle it…and in this case, it did.