Android has been around for a few years now and yet the topic of security continues to be the source of some argument. On the one hand you have the argument that Android is not susceptible to virus threats and, provided you are careful about what you download, there is no real need for antivirus software. On the other, you have reports and statistics claiming that malware is frighteningly common and any Android device without protection is sure to get infected. So where does the truth lie? We’ve asked experts from three prominent companies in mobile security — AV-Test, Avast, and Lookout — to help us figure out just how much danger we’re in.

Antivirus is just part of the package

We already took a look at the top security apps on the Android platform and found that they tend to offer a lot more than just antivirus protection. In our security app roundup, we referred to a report by independent security experts, AV-Test, which compared the detection rates of the top Android antivirus apps. AV-Test CEO, Andreas Marx, said that antivirus is important, but a well-rounded security app is better.

“Antivirus is usually only one component of the offered Android protection packages,” said Marx. “So a stand-alone AV is not yet required at all times, but it is a good-to-have feature as part of a bigger package. Such packages often include easy-to-use backup features for user’s data, remote wipe in case the phone gets lost, etc.”

We also spoke to Jan Gahura, Director of Non-Windows products at Avast, who suggested that the real benefit of avast! Mobile Security goes beyond the antivirus features. When asked about the biggest risk to Android users and the main incentive to download avast! Mobile Security, he concurred that viruses aren’t the biggest risk.

“I’d say that the biggest risk is that someone will get access to your device (either you lose your device or it’s stolen),” said Gahura. “That’s why we have focused on the best anti-theft solution currently available on the market. To have a smartphone in your pocket without a remote wipe possibility is a dangerous thing. It’s even more dangerous than losing keys to your house. Of course someone can steal your private data using a fraudulent application, but that’s certainly the harder way. With avast! Mobile Security, you are shielded from both threats.”

Malware, fact or fiction?

So what about malware? Should we be worried? The key thing to remember about malware on Android is that you have to actually install it. Malware writers will use increasingly clever techniques to try and trick you into doing just that.

“If you only install software from trustworthy market places (like Google Play) and do not use your smartphone very often for web surfing or e-mailing, the OS is still pretty safe,” said Andreas Marx, AV-Test. “The majority of problems arise from the installation of ‘cracked’ applications from 3rd party market places which are often bundled with malicious software.”

As malware writers try to earn money for their bad deeds, they continually look for new ways to get their malicious software installed on your devices. The best recommendation is still to think twice before installing untrusted software or clicking on strange-looking links.

“The Google Play store is a relatively open environment,” said Jan Gahura, Avast. “Even after Google introduced its Bouncer (an automatic analysis tool to approve each application which is submitted to the Google Play Store) malicious applications still exist. Here at Avast we know how hard it is to develop such a tool and how easy it is to fool it from a bad guy’s perspective.”

That point of view is echoed by Derek Halliday, Senior Product Manager at Lookout, who had some lengthy remarks on mobile security. In his eyes, Android users are far from safe.

“No OS is completely safe, and protection is a requirement across mobile platforms. No matter where you find a critical mass of people, there will always be some bad guys looking for ways to exploit them. Android has exploded in popularity, attracting a lot of consumers in the last few years, so it’s only natural that it’s targeted.”

“It’s not actually a case of Android being particularly vulnerable – Google has taken some great steps toward protecting people and screens all apps entering Google Play – but the basic programming language is Java, and that’s what makes Android more of a target for the creators of malware. No special hardware is required – code can be written on a standard PC – so unlike iOS which requires a Mac, Android code writing is readily accessible to a lot of people across the world. This lower barrier to development attracts more bad guys.”

“In the last 12 months, there has been an increase in for-profit malware across all OSs. We’ve seen increasingly sophisticated threats emerging – for the first time ever, we witnessed malware writers targeting the mobile Web via compromised or infected websites with the NotCompatible threat.”

Is Google Play a hot bed of malware?

The idea that malware-infected apps are proliferating in Google Play is popular and there is some statistical evidence to back it. At the recent NetEvents Americas, a BT (British Telecom) security expert, Jill Knesek, suggested that up to a third of Android applications carried some form of malware (based on a test of 1,000 apps) and that most devices are compromised. It was widely reported, but not true. ZDNet questioned BT on the subject and it backpedaled, saying that it no longer wishes to talk about the subject. The claims have yet to be supported by any released report.

So is all this talk really just scaremongering designed to panic you into installing antivirus software? Chris DiBona, Open Source Programs Manager at Google, certainly thought so when he released an update tackling the topic on his Google+ account back in November, 2011. In it, he argued that: “Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and iOS. They are charlatans and scammers. IF you work for a company selling virus protection for Android, RIM or iOS, you should be ashamed of yourself.”

He was talking about traditional virus problems of the kind you might see on Windows or Mac computers. Mobile platforms are not at risk in the same way because of the way they were designed. He makes a distinction between ‘viruses’ which spread themselves and bad apps containing malware, which you have to choose to install.

So what is Android malware?

The vast majority of malware on Android is focused on stealing your information, which is obviously a major concern. Perhaps the worst case scenario at the moment is malware that sends SMS messages to premium rate numbers. There’s no denying that it is dangerous but it’s also like a vampire – in that you have to invite it into your home, or onto your phone. It is not spreading by itself and, if you are sensible, you can avoid it without needing antivirus software.

Unfortunately, as we mentioned before, malware writers are employing ever more sophisticated techniques to fool you. There are apps that clone legitimate apps to trick you into downloading them, and apps that are malware-free when you first install them but download malware through the update system.

“Currently, Premium SMS scams are the biggest threat to smartphone users, regardless of OS,” explained Derek Halliday, Lookout. “They’re relatively simple to set up, and have the potential to pay off big. But there are constantly new threats evolving, ranging from aggressive ad networks, through to Trojans and new forms of malware. Mobile phones have become our wallet, contact list, communications, and more. You wouldn’t leave your bank account open to everyone, so why take the same chances with your phone when it contains so much information? But at the same time, you shouldn’t be scared of using all the features on your device – Lookout gives people the freedom to enjoy their smartphone to the full.”

Pros and cons of security apps

Since many Android security apps combine anti-theft features with backup and antivirus, it won’t hurt to install them, but a pure antivirus solution might not be so worthwhile. In the future, antivirus on Android may move from a ‘good to have’ feature to a ‘must have’ component. It doesn’t sound like we’re at that point yet. Right now, it depends more on how careful you are.

If you’re wondering about the disadvantage of installing antivirus then it really boils down to three things –

  • cost (which you can avoid with a free option)
  • footprint (it will eat some processing power)
  • false positives (it will occasionally identify legitimate apps as malware)

Tomorrow, we’ll take a look at how to stay safe on Android without security apps. These are simple tips for people keen to avoid malware and not so keen on running antivirus software.