> The reason why most (consumer-facing at least) malware isn't targeting Linux is because its desktop market share is like 3%.
I don't eat that argument anymore. In the mobile space, Android (Linux) is the biggest player. It is even bigger than windows if both are considered among end-users[1] and I don't see as many people complaining about malware on Android as people complain about it on windows.
Of course, I don't think ms is incompetent with regards to windows security. But there are design decisions that make it historically problematic. The fact that win9x had zero process isolation (although with was possible since i386) and people expect program to continue working on winxp (NT kernel), the fact that centralized software distribution is a relatively novelty on windows (compared to apt which exists since 1998) and many other minor things, like extension hiding, make it an easier target than ChromeOS, iOS, Android, MacOS and GNU/Linux.
I remember people saying "when Linux become as popular as windows, you'll see it being target by malware devs". Well, consider smartvs, infotainment, servers, supercomputers, embedded systems, mobile (specially Android). Linux is bigger than windows for a long time. I don't think its lower desktop market share is the main reason for its lack of malware.
I don't think that's a fair comparison, because Android phones allow the user to download signed apps from a "curated" store by default (I'm using the term curated very loosely here, but Google does make efforts to remove malware from their store).
If, by default, users only downloaded software directly from the Microsoft store, would Windows achieve a similar level of security?
As for smart TVs, infotainment, servers, etc. they all share the commonality that the end user doesn't typically download untrusted software. And if they do, it's typically from a vendor's own store.
> I don't see as many people complaining about malware on Android as people complain about it on windows.
Can't believe I'm seeing such a statement on HN. Android phones are arguably worse on malware-related threat vectors, especially when most OEMs themselves package in the majority of malware on consumer phones to begin with. Even assuming less dumb users, at its best it is an unholy combination of adware mixed with spyware, ridiculous amounts of tracking in the name of "telemetry" and consumer-hostile design choices often literally designed to make the user choose the wrong option. Combine that with how ridiculously easy it is to get malware installed on Android (the most popular apps and games on the Play Store are all adware, installing compromised "modded" apks that "unlock premium features" is just one tap away) and you get a platform that would make any infosec manager cry. At least Windows PCs are controllable by the organization's administrator, how are you going to control people's phones unless you start issuing company phones as well?
What a ridiculous take to even imply that malware on Android is even comparable to the malware dumpster fire on Windows. There is more malware on Windows than there are apps. 99% of what is considered "malware" on Android is often aggressive adware that is benign. Remember when the security pundits were predicting that the Stagefright exploit would infect billions of Android phones? Stagefright didn't amount to anything.
>At least Windows PCs are controllable by the organization's administrator, how are you going to control people's phones unless you start issuing company phones as well?
You mean the same "controllable" Windows PC's that are responsible for nearly 100% of the ransomware, virus and malware infections in corporations? Right.
> As long as some platform is capable and powerful for many things, there will be malware.
Android != GNU/Linux. iOS != MacOS. GNU/Linux, Mac, Windows are far more capable and powerful that mobile platform and therefore far more susceptible to malware. Plenty of Linux-based servers are hacked every day, plenty of scanning bots are targeting Linux-based software vulnerabilities over the internet.
Snapdragon and A series SoCs equipped devices are more powerful than your average corporate PC. The issue with Windows is that it has numerous attack vectors and once you compromise one the others will likely be compromised as well. Additionally, not all Android phones are equal. This is one of the main reasons Stagefright was so ineffective. An OS built by Google is probably not going to be susceptible to an attack that works on a Samsung Android OS build and vice versa. This is further complicated by the fact that not all smartphones are running the same OS version. This explains why writing malware to attack all of Android is so futile. Your malware may work on a Samsung Galaxy S23 running Android 13, but will probably not work on the same phone running a different version of Android.
I don't eat that argument anymore. In the mobile space, Android (Linux) is the biggest player. It is even bigger than windows if both are considered among end-users[1] and I don't see as many people complaining about malware on Android as people complain about it on windows.
Of course, I don't think ms is incompetent with regards to windows security. But there are design decisions that make it historically problematic. The fact that win9x had zero process isolation (although with was possible since i386) and people expect program to continue working on winxp (NT kernel), the fact that centralized software distribution is a relatively novelty on windows (compared to apt which exists since 1998) and many other minor things, like extension hiding, make it an easier target than ChromeOS, iOS, Android, MacOS and GNU/Linux.
I remember people saying "when Linux become as popular as windows, you'll see it being target by malware devs". Well, consider smartvs, infotainment, servers, supercomputers, embedded systems, mobile (specially Android). Linux is bigger than windows for a long time. I don't think its lower desktop market share is the main reason for its lack of malware.
[1] https://gs.statcounter.com/os-market-share#monthly-202206-20...