Android has been around for several years now and yet the topic of security continues to be the source of some argument. On the one hand you have the idea that Android is not susceptible to virus threats and, provided you are careful about what you download, there is no real need for antivirus software. On the other, you have reports and statistics claiming that malware is frighteningly common and any Android device without protection is sure to get infected. So where does the truth lie? We’ve asked experts from three prominent companies in mobile security — AV-Test, Avast, and Lookout — to help us figure out just how much danger we’re in.
Updated on 2-12-2015 by Simon Hill: Edited and updated text, added comments from Filip Chytrý at Avast, Adrian Ludwig at Google, Andreas Marx at AV-Test, and some new links and references.
Antivirus is just part of the package
We already took a look at the top security apps on the Android platform and found that they tend to offer a lot more than just antivirus protection. In our security app roundup, we referred to a report by independent security experts, AV-Test, which compared the detection rates of the top Android antivirus apps. AV-Test CEO, Andreas Marx, said that antivirus is important, but a well-rounded security app is better.
To have a smartphone in your pocket without a remote wipe possibility is a dangerous thing.
“Antivirus is usually only one component of the offered Android protection packages,” said Marx. “So a stand-alone AV is not yet required at all times, but it is a good-to-have feature as part of a bigger package. Such packages often include easy-to-use backup features for user’s data, remote wipe in case the phone gets lost, etc.”
We also spoke to Jan Gahura, Director of Non-Windows products at Avast and he suggested that the real benefit of Avast! Mobile Security goes beyond the antivirus features. When asked about the biggest risk to Android users, and the main incentive to download a security app, he also concurred that viruses aren’t the greatest threat.
“I’d say that the biggest risk is that someone will get access to your device (either you lose your device or it’s stolen),” said Gahura. “That’s why we have focused on the best anti-theft solution currently available on the market. To have a smartphone in your pocket without a remote wipe possibility is a dangerous thing. It’s even more dangerous than losing keys to your house. Of course someone can steal your private data using a fraudulent application, but that’s certainly the harder way. With avast! Mobile Security, you are shielded from both threats.”
Malware, fact or fiction?
So what about malware? Should we be worried? The key thing to remember about malware on Android is that you have to actually install it. Malware writers will use increasingly clever techniques to try and trick you into doing just that.
“If you only install software from trustworthy market places (like Google Play) and do not use your smartphone very often for web surfing or e-mailing, the OS is still pretty safe,” said Andreas Marx, AV-Test. “The majority of problems arise from the installation of ‘cracked’ applications from 3rd party market places which are often bundled with malicious software.”
As malware writers try to earn money for their bad deeds, they continually look for new ways to get their malicious software installed on your devices. The best recommendation is still to think twice before installing untrusted software or clicking on strange-looking links.
“The Google Play store is a relatively open environment,” said Jan Gahura, Avast. “Even after Google introduced its Bouncer (an automatic analysis tool to approve each application which is submitted to the Google Play Store) malicious applications still exist. Here at Avast we know how hard is to develop such a tool and how easy is to fool it from a bad guy’s perspective.”
That point of view is echoed by Derek Halliday, Senior Product Manager at Lookout, who had some lengthy remarks on mobile security. In his eyes, Android users are far from safe.
“No OS is completely safe, and protection is a requirement across mobile platforms. No matter where you find a critical mass of people, there will always be some bad guys looking for ways to exploit them. Android has exploded in popularity, attracting a lot of consumers in the last few years, so it’s only natural that it’s targeted.”
“It’s not actually a case of Android being particularly vulnerable – Google has taken some great steps toward protecting people and screens all apps entering Google Play – but the basic programming language is Java, and that’s what makes Android more of a target for the creators of malware. No special hardware is required – code can be written on a standard PC – so unlike iOS which requires a Mac, Android code writing is readily accessible to a lot of people across the world. This lower barrier to development attracts more bad guys.”
“In the last 12 months, there has been an increase in for-profit malware across all OSs. We’ve seen increasingly sophisticated threats emerging – for the first time ever, we witnessed malware writers targeting the mobile Web via compromised or infected websites with the NotCompatible threat.”
Is Google Play a hot bed of malware?
The idea that malware-infected apps are proliferating in Google Play is popular, but is there any statistical evidence to back it? At NetEvents Americas back in 2012 a BT (British Telecom), security expert Jill Knesek suggested that up to a third of Android applications carried some form of malware (based on a test of 1,000 apps) and that most devices are compromised. It was widely reported, but not true. ZDNet questioned BT on the subject and it backpedaled, saying that it no longer wishes to talk about the subject. The claims have yet to be supported by any released report.
So is all this talk really just scaremongering designed to panic you into installing antivirus software? Chris DiBona, Open Source Programs Manager at Google, certainly thought so when he released an update tackling the topic on his Google+ account back in November, 2011. In it, he argued that: “Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and iOS. They are charlatans and scammers. IF you work for a company selling virus protection for Android, RIM or iOS, you should be ashamed of yourself.”
“Smartphones are, however, becoming increasingly more interesting for cybercriminals.”
He was talking about traditional virus problems of the kind you might see on Windows or Mac computers. Mobile platforms are not at risk in the same way because of the way they were designed. He makes a distinction between ‘viruses’ which spread themselves and bad apps containing malware, which you have to choose to install.
Google’s official position hasn’t changed much in the intervening years, as reported by The Sydney Morning Herald:
“I don’t think 99 per cent plus users even get a benefit from [anti-virus],” claimed Adrian Ludwig, lead engineer for Android security, talking at Google I/O 2014, “There’s certainly no reason that they need to install something in addition to [the security we provide].”
“If I were to be in a line of work where I need that type of protection it would make sense for me to do that. [But] do I think the average user on Android needs to install [anti-virus]? Absolutely not.”
So what is Android malware?
The vast majority of malware on Android is focused on stealing your information, which is obviously a major concern. Perhaps the worst case scenario is malware that sends SMS messages to premium rate numbers. There’s no denying that it’s dangerous but it’s also like a vampire – in that you have to invite it into your home, or onto your phone. It is not spreading by itself and, if you are sensible, you can avoid it without needing antivirus software.
Unfortunately, as we mentioned before, malware writers are employing ever more sophisticated techniques to fool you. There are apps that clone legitimate apps to fool you into downloading them and apps that are malware free when you first install them, but download malware through the update system. Avast discovered three malware apps in Google Play just last week. The most widespread was a game called Durak which had been downloaded more than five million times according to Play Store stats.
Avast has detected over a million pieces of malware targetting mobile devices, according to Malware Analyst Filip Chytrý, but he admits that’s a relatively small threat when compared to the billion plus pieces of PC malware they’ve discovered.
“Smartphones are, however, becoming increasingly more interesting for cybercriminals,” Chytrý suggests, “…because users tend to store so much more of their personal data on them than on their PCs, such as photos, videos, SMS, emails, and banking/shopping apps.”
What are the threats?
“Premium SMS scams are the biggest threat to smartphone users, regardless of OS,” explained Derek Halliday, Lookout. “They’re relatively simple to set-up, and have the potential to pay-off big. But there are constantly new threats evolving, ranging from aggressive ad networks, through to Trojans and new forms of malware. Mobile phones have become our wallet, contact list, communications, and more. You wouldn’t leave your bank account open to everyone, so why take the same chances with your phone when it contains so much information? But at the same time, you shouldn’t be scared of using all the features on your device – Lookout gives people the freedom to enjoy their smartphone to the full. ”
We asked Chytrý of Avast whether there’s anything else we should be considering and he told us “One threat that many people seem to be ignoring completely is that of using open Wi-Fi networks without protection. In a survey, we found out that 76% of American smartphone and tablet users are at risk of privacy loss and identity theft via public Wi-Fi networks, as they prefer to join free, public Wi-Fi networks, many of which do not require registration or a password, to avoid data overages or simply for convenience’s sake. Only a mere six percent use a virtual private network (VPN) to protect their mobile devices. Therefore, hackers can easily access the data transferred via open Wi-Fi, including a user’s photos, videos, banking information, emails, chat messages and browsing history. People should take responsibility for their own privacy and start using a VPN solution when connecting to open Wi-Fi networks.”
Is the problem getting worse?
“At the time you first contacted me back in August 2012, we counted around 85,000 known malware samples for the Android platform. In total.” explained Andreas Marx of AV-Test, “As of today (2-14-2015), we’re receiving this amount of samples within just 2 weeks.”
He went on to explain that the vast majority of malicious apps are discovered in Asia, particularly China where there’s no Play Store, and in Russia. He stands by his original advice about avoiding 3rd party sites or alternative sources for your apps, because more than 99 percent of malicious apps were not distributed via Google Play.
More than 99 percent of malicious apps were not distributed via Google Play.
When we asked for recommendations Marx mentioned Bitdefender Clueful Privacy Advisor, a free app which provides detailed analysis of Android apps that you can check before you download. Handy, not just for identifying malware, but also for privacy concerns and intrusive advertising. Marx says it’s common for apps to be well-behaved for the first few days, delaying malicious actions to reduce the chance of you spotting the link.
He also mentioned the importance of keeping the Android platform and your apps up to date to get the latest security improvements.
Pros and cons of security apps
Since many Android security apps combine anti-theft features with backup and antivirus, it won’t hurt to install them, but a pure antivirus solution might not be so worthwhile. Your safety depends more on how careful you are about what you download and where from, what links you tap in emails and online, and the networks you connect to.
If you’re wondering about the disadvantage of installing antivirus then it really boils down to three things –
- cost (which you can avoid with a free option)
- footprint (it will eat some processing power)
- false positives (it will occasionally identify legitimate apps as malware)
If you’re not sold on the need for an antivirus app and you want more advice take a look at how to stay safe on Android without security apps. These are simple tips for people keen to avoid malware and not so keen on running antivirus software.