A McAfee [MFE] report released on Nov. 20 charts a steady increase in malware attacking Google’s [GOOG] Android operating system.

After an unusual spike in 2012, new Android malware is again on the rise. Between the second and third quarters of 2013, Android malware grew by one-third, bringing the company’s total number of known samples to 680,000. 

The findings come as federal agencies are increasingly moving toward mobile technology to cut IT costs. Android has become the favored operating system because its open-source code means that it is easier to manipulate and customize than its Apple [AAPL] iOS competitor. By the same token, Android’s flexibility makes it an appealing target for hackers. Nearly 80-90 percent of all mobile malware is aimed at Android, according to McAfee.

Android suffered a major vulnerability this year with the “Exploit/MasterKey.A” malware. This bug allowed hackers to circumvent the digital signatures for installed applications. Without a signature to verify an app’s authenticity, the fundamental way in which apps establish trust is gone, according to Ryan Brichant, McAfee’s Director of Strategic Technologies. 

Google released a patch for the MasterKey exploit after it was revealed at the Black Hat conference this past summer. The company said there are no apps in its official store that contain the malware, but users should be wary of third-party downloads.

Another Android vulnerability is cropping up in apps after they are downloaded. McAfee identified hackers’ growing preference for “two-part malware,” in which the app itself is benign but later asks the user to install an update containing a bug. For example, McAfee noted that one app entices users with an X-ray feature. A message later pops up telling the user to install an update so they can share the X-ray scanner with their friends. The update turns out to be malware.

Despite these vulnerabilities, the Department of Defense in May approved Android mobile phones for use. The information assurance branch of the National Security Agency (NSA) is working on a project called Security Enhancements for Android (“SE Android”) to identify security gaps inherent in Android. The project is experimenting with modifying the operating system down to the kernel to make it more secure for government use.

The push to Android will affect more than just civilians. The Defense Advanced Research Projects Agency (DARPA) has been experimenting with battlefield connectivity using Android-based technologies. DoD has previously expressed interest in providing tablets to all deployed soldiers. Even contractors and tech firms are looking to Android for their new wave of military-ready apps.

McAfee’s Brichant said DoD is aware of the problem and that there are solutions available. For the military in particular, he said the current approach is to limit the device’s functionality to only what it needs to do. The IT administrator can whitelist or blacklist apps, so that the device is “locked down like an ATM,” which can only perform its basic functions of depositing and withdrawing money.

“We’re definitely on the right track,” Brichant said, adding that McAfee is also “seeing a lot of three-letter agencies reaching out to us.”  

Charles Croom, Lockheed Martin’s [LMT] vice president for Cyber Security Solutions, was more skeptical of DoD’s chances for success with what the tech world calls “change control” of devices.

“They believe they can lock it down and protect it. That strategy has yet to be proven,” he said. 

Croom said Lockheed Martin, which is one of the government’s largest IT suppliers, does not use Android because it is open source and because it is not routinely patched.