The ultimate Android malware guide: What it does, where it came from, and how to protect your phone or tablet

android virus

Although it hasn’t made a huge dent in the tablet market yet — or perhaps we should call it the iPad market — Google’s Android operating system has been the top-selling smartphone platform for a while. That also means it’s a top target for scammers and malware developers eager to steal data and money from unsuspecting Android users. Last year brought some dire statistics, with security firms like McAfee and Lookout claiming sharp rises in Android malware, and even that three in ten Android devices will run into malware. Juniper Network famously reported a 472 percent increase in Android malware between July and November 2011, and Google has been pulling malicious apps from the Android Market (now Google Play) and just rolled out Bouncer, a new tool that attempts to automatically screen out bad apps before they hit the market. Still, new threats seem to arrive regularly, whether they’re malicious apps that record phone calls or pose as banking apps to grab credentials and potentially instal more software.

What sorts of potential threats do Android users face, and is paranoia really necessary? Ultimately, how can Android users protect themselves — and all the data that flows through their devices?

Why does Android have malware?

The simplest reason Android has more malware than competing mobile platforms is that it’s the bigger target. The vast majority of malware targeting traditional computers aims at Windows because, historically, Windows has had the largest marketshare. Although Android has only become the leading smartphone platform comparatively recently, that emergence coincided neatly with massive consumer interest in smartphones. Thus, Android is the biggest target. However, there are also aspects of the Android ecosystem that may make it — and Android users — more vulnerable.

Is open source a problem? — Android has been criticized in some circles as an inherently insecure platform because significant portions are built on open-source technologies like Linux and WebKit. Some critics would argue that because Google offers the full Android source code to anyone who wants to look through it and pick out flaws, the platform is inherently less secure than platforms (like BlackBerry, Windows Phone, and Apple’s iOS) that hold their source code (or significant portions of it) as a closely guarded secret.

Although there’s little denying Android has seen more of a malware issue than competing mobile platforms — Apple iOS and RIM’s BlackBerry have been relatively unscathed, and it may still be too early to say for Windows Phone 7 — the presence of malware for Android seems to have a great deal more to do with the Android ecosystem than the technologies on which it’s been built. If one wants to attack Android’s security because it uses open-source technology, one also has to make the same attack against Linux (which has never had a significant malware problem) and iOS (which is based on BSD Unix and uses the same WebKit browsing technology). And the technology has taken a few hits in recent months. OpenSSL is widely deployed on almost every platform on the planet — and it’s open source. The same applies to a wide number of utilities and libraries used on most (if not all) mobile platforms. No software is perfect, but open-source efforts with sufficient developer interest have consistently proven they can sustain high quality levels over the long term.

Or maybe the open market? — Rather than deriving from the provenance of its code, Android’s malware situation seems to derive from Google’s app ecosystem. Where Apple, RIM and Microsoft have offered curated app market experiences, Google Play has been almost a free-for-all: essentially anyone can contribute an application and have it distributed on a market that’s available to the vast majority of Android devices. And Google Play isn’t even the sole source to get apps. Google essentially lets anyone set up their own markets for Android apps: Amazon’s App Store is probably the best-known, but there are a myriad of other app stores out there. International markets are especially hot for non-Google app stores, where being able to offer an Android app store in a local language — perhaps with apps specific to a particular country or region — can be an appealing proposition. Some of these alternative markets are run by mobile operators; others are less clear.

droiddream android malwareWhat about device makers and carriers? — If a security issue turns up in Android, Google is responsible for developing and releasing a fix. However, at that point it is up to device makers and carriers to get the update out to their customers. In many cases, carriers have been notoriously slow to get Android updates to their customers. Case in point: the DroidDream malware that assaulted the Android Market about a year ago. Google discovered the vulnerability that led to DroidDream all the way back in August 2010, and developed a patch for it very quickly. However, more than half a year later, most Android handsets still didn’t have the patch, and DroidDream was able to continue exploiting a known flaw. As many as 250,000 Android users may have been impacted. Contrast this situation with a deployment model like Apple’s, where the company can push updates to device owners without having to involve carriers.

What about ad networks? — The anything-goes nature of the Android Market coupled with Google’s insistence that purchases go through Google Checkout has created a situation where a a large number of Android applications generate their revenue solely through ads, rather than by being purchased directly by users. Building free, ad-supported apps lets developers sidestep the headaches of Google Checkout (which isn’t available in many markets, and has complicated tax implications — unlike Apple, Google doesn’t handle any of that for developers). Building ad networks into mobile apps is so regular in the Android ecosystem that many apps even support multiple ad networks. And, of course, these advertising providers want to know everything about Android users: email address, contact information, unique identifiers, and sometimes even location.

Even if an Android developer has good intentions, it may not have the time or capability to vet ad networks — particularly if there’s a language barrier involved. Remember, lots of ambitious app developers are just one or two people with an idea and some time on their hands. They may just drop in support for whatever ad network promises them the highest return, without much regard for the safety of their users’ data, what those networks do with those data — or, potentially, the security of the ad network’s software. If a major security flaw turns up in a library supplied by an advertising network, hundreds or thousands of apps could suddenly be vulnerable to exploit. And let’s not forget the the idea that scammers might set up their own ad networks and build the back doors themselves.

Types of threats

It’s important to note that the Android platform doesn’t have traditional viruses — malicious programs that spread between devices. An Android virus isn’t impossible, but it’s certainly not likely. Instead, malware creators have focused on other types of exploits, most of which involve tricking Android users into doing something they shouldn’t.

android-malware

Malware apps — The most common Android malware is an app that claims to do one thing but does another — often behind a user’s back or without their knowledge. These are often classic Trojan horses: Many take the form of knockoff or free versions of paid games; others play on hot products or entertainment trends. The idea is to lure users into downloading a free or heavily discounted game, get them to launch it, and clandestinely install malware behind their back. That malware might try to grab passwords and keystrokes; it might forward email, messages, and address books on to cybercriminals, it might be used to take over a Google accounts. Anything’s possible — but the makers have to fool people into downloading and running the app. That’s often easier if there’s a language barrier involved.

Drive-by exploits — Drive-by-downloads are a bit nastier. The idea is to lure Android users to visit a website containing code that exploits a known weakness in a browser. Once users visit the site, the malware gets installed. Depending on the exact mechanism, the malware may deliberately crash the device in order to get users to restart it — executing a nasty payload. Drive-by techniques aren’t exclusive to Android — iOS jailbreaks have famously used drive-by techniques — but they’re becoming more common in the Android world.

Drive-by exploits often use social engineering or phishing techniques to usher users toward infected sites. For instance, you might get an SMS message that looks like it’s from a carrier or service provider, urging you to download an urgent update.

The bottom line is that any time you install an app or visit a website, there is a chance not all is as it appears to be.

How to stay safe

Yes, Android’s malware situation is complicated — and it’s not going to be getting simpler any time soon. Nonetheless, there are some simple things you can do that greatly reduce the chances you’ll have any problems.

Only use trusted app stores — First and foremost: Don’t just download any app from any source you happen to encounter. Go to your Android device’s Applications Settings menu and disable the “unknown sources” option for installing apps. This will prevent your device from installing apps via email, the Web, or any source besides Google Play. Unfortunately, it also disables potentially legitimate sources like the Amazon App Store, and carrier-specific stores. If this matters to you, enable “unknown sources” only when specifically shopping at those trusted markets.

google-play-store

Check out the app and the publisher — Before downloading a new app, check out the reputation of both the app and the publisher. This means looking further than reviews posted in whatever marketplace you’re using — unscrupulous publishers are notorious for writing their own five-star reviews. Look for reviews from independent sources.

Don’t install APKs — Do not install APKs (Android application package files) directly, say from an SD card or a USB device. Unless you’re a skilled Android developer (with tools), there’s almost no way to determine what an APK will do until you’ve already run it — at which point, there’s usually no going back. There’s some misperception that since all Android APKs have to be digitally signed by their developers, they’re safe. That’s misleading: While all APKs must be signed, it’s just to verify the files haven’t been damaged or corrupted since the developer built them. A signature in no way confirms an app is not malicious, and there’s no requirement signatures be verified by a third party. In fact, it’s pretty much standard practice for developers to self-sign their own applications.

Always check permissions — Whenever you download or update an app, Android will present a list of permissions it requires to run. Don’t just power your way through the list in your rush to the app: See if it makes sense. Does a wallpaper app really need to know your location? Does an app that lets you keep track of baseball player stats really need access to your address book? Probably not. If apps ask for inappropriate things, they may be up to no good — or be supported by an advertising network that wants to know everything about you.

And, above all, don’t panic. Malware isn’t a tremendous issue for Android yet, but the edges of the ecosystem are starting to get pretty sketchy. Well-informed users who understand how the Android world works should be in little danger, but the less you understand the technology and the ecosystem, the more likely they are to inadvertently get into trouble.

Mobile

Bloatware could be putting millions of Android devices at risk

A study has revealed that changes to Android's firmware and added bloatware from carriers could be making millions of Android smartphones vulnerable to massive hacks and potential data theft.
Mobile

Samsung Gear owners may want to wait before upgrading to Android 9.0 Pie

Those who own a Samsung Gear and also looking to update their device to Android 9.0 Pie, Google's latest operating system, may want to wait. Users are running into an issue when pairing a Gear device to an Android smartphone.
Mobile

The 100 best Android apps turn your phone into a jack-of-all-trades

Choosing which apps to download is tricky, especially given how enormous and cluttered the Google Play Store has become. We rounded up 100 of the best Android apps and divided them neatly, each suited for a different occasion.
Mobile

Grab your fork and dig in: Android 9.0 Pie is now being served

It's time to dig in, as the new version of Android is here: Android 9.0 Pie. Is it worth getting excited about? You bet! Here are all the new features you'll want to try out in Android 9.0 Pie.
Mobile

Samsung Galaxy Note 9 vs. BlackBerry Key2: Productivity powerhouse punch-out

If you're after a top-notch business companion and productivity is paramount, then Samsung's Galaxy Note 9 and BlackBerry's Key2 are devices you're going to want to take a closer look at. We put them head to head to see which is best.
Mobile

MetroPCS Alcatel 7 boasts a dual-sensor camera and FHD+ screen for $180

Alcatel has taken the wraps off of the new Alcatel 7, a phone that's uniquely available from MetroPCS. The new device boasts a full HD display with a dual-sensor camera and a relatively nice design, and it comes in at only $180.
Product Review

Someday it will do 5G, but the Moto Z3 is already a great phone

Motorola’s flagship smartphone of 2018 looks exactly like its mid-range smartphone of 2018, but powered by a processor from 2017. It’s still a great-performing phone for $480, and it will be the first upgradable 5G smartphone next year.
Mobile

Marco? Polo! Let's explore the app known as the 'video walkie-talkie'

Marco Polo has been dubbed the "video walkie-talkie," but how does the video messaging app stack up against competitors like Snapchat and Instagram? From unique filters to personalized video messages, we explore the Marco Polo app.
Mobile

Samsung confirms the Galaxy S10 won't be the first 5G phone

It may be no more than a sparkle in Samsung's eye, but the Samsung Galaxy S10 is definitely coming. Here's everything we know about what's sure to be Samsung's most amazing creation so far.
Mobile

Samsung confirms the debut of its foldable smartphone isn't far away

Samsung has been showcasing bendable display tech for a few years now and a folding smartphone might finally become a reality. The Galaxy X, or perhaps the Galaxy F, may be the company's first example. Here's everything we know about it.
Mobile

Samsung Galaxy Note 9 vs. Apple iPhone X: Battle of the ultra-premium smartphones

The new Samsung Galaxy Note 9 is the company's latest ultra-premium smartphone. The device boasts top-tier specs, an excellent design, and more. But can it take out the Apple iPhone X, Apple's own ultra-premium device?
Mobile

Google tracks your location — even when you deny it permission

Google is tracking your location -- even when you tell it not to. According to an investigation by the Associated Press, Google services on both Android and iPhones store location data, regardless of whether privacy settings claim…
Mobile

How to transfer your contacts between iPhone and Android devices

There's nothing worse than getting a new phone and realizing you don't have any of your old contacts listed. Luckily, it's an easy problem to solve. Here's how to transfer your contact list to your new device.
Mobile

Motorola’s P30 looks like every other iPhone X-clone we don’t want

Motorola may be planning to launch a new series of smartphones called the P30, P30 Note, and P30 Play. Leaked photos show the P30 has a similar design to the iPhone X, complete with a screen notch.