The ultimate Android malware guide: What it does, where it came from, and how to protect your phone or tablet

Although it hasn’t made a huge dent in the tablet market yet — or perhaps we should call it the iPad market — Google’s Android operating system has been the top-selling smartphone platform for a while. That also means it’s a top target for scammers and malware developers eager to steal data and money from unsuspecting Android users. Last year brought some dire statistics, with security firms like McAfee and Lookout claiming sharp rises in Android malware, and even claiming that three in ten Android devices will run into malware. Juniper Networks famously reported a 472 percent increase in Android malware between July and November 2011, and Google has been pulling malicious apps from the Android Market (now Google Play) and just rolled out Bouncer, a new tool that attempts to automatically screen out bad apps before they hit the market. Still, new threats seem to arrive regularly, whether they’re malicious apps that record phone calls or pose as banking apps to grab credentials and potentially install more software.

What sorts of potential threats do Android users face, and is paranoia really necessary? Ultimately, how can Android users protect themselves — and all the data that flows through their devices?

Why does Android have malware?

The simplest reason Android has more malware than competing mobile platforms is that it’s the bigger target. The vast majority of malware targeting traditional computers aims at Windows because, historically, Windows has had the largest marketshare. Although Android has only become the leading smartphone platform comparatively recently, that emergence coincided neatly with massive consumer interest in smartphones. Thus, Android is the biggest target. However, there are also aspects of the Android ecosystem that may make it — and Android users — more vulnerable.

Is open source a problem? — Android has been criticized in some circles as an inherently insecure platform because significant portions are built on open-source technologies like Linux and WebKit. Some critics would argue that because Google offers the full Android source code to anyone who wants to look through it and pick out flaws, the platform is inherently less secure than platforms (like BlackBerry, Windows Phone, and Apple’s iOS) that hold their source code (or significant portions of it) as a closely guarded secret.

Although there’s little denying Android has seen more of a malware issue than competing mobile platforms — Apple iOS and RIM’s BlackBerry have been relatively unscathed, and it may still be too early to say for Windows Phone 7 — the presence of malware for Android seems to have a great deal more to do with the Android ecosystem than the technologies on which it’s been built. If one wants to attack Android’s security because it uses open-source technology, one also has to make the same attack against Linux (which has never had a significant malware problem) and iOS (which is based on BSD Unix and uses the same WebKit browsing technology). And the technology has taken a few hits in recent months. OpenSSL is widely deployed on almost every platform on the planet — and it’s open source. The same applies to a wide number of utilities and libraries used on most (if not all) mobile platforms. No software is perfect, but open-source efforts with sufficient developer interest have consistently proven they can sustain high quality levels over the long term.

Or maybe the open market? — Rather than deriving from the provenance of its code, Android’s malware situation seems to derive from Google’s app ecosystem. Where Apple, RIM and Microsoft have offered curated app market experiences, Google Play has been almost a free-for-all: essentially anyone can contribute an application and have it distributed on a market that’s available to the vast majority of Android devices. And Google Play isn’t even the sole source to get apps. Google essentially lets anyone set up their own markets for Android apps: Amazon’s App Store is probably the best-known, but there are a myriad of other app stores out there. International markets are especially hot for non-Google app stores, where being able to offer an Android app store in a local language — perhaps with apps specific to a particular country or region — can be an appealing proposition. Some of these alternative markets are run by mobile operators; others are less clear.

What about device makers and carriers? — If a security issue turns up in Android, Google is responsible for developing and releasing a fix. However, at that point it is up to device makers and carriers to get the update out to their customers. In many cases, carriers have been notoriously slow to get Android updates to their customers. Case in point: the DroidDream malware that assaulted the Android Market about a year ago. Google discovered the vulnerability that led to DroidDream all the way back in August 2010, and developed a patch for it very quickly. However, more than half a year later, most Android handsets still didn’t have the patch, and DroidDream was able to continue exploiting a known flaw. As many as 250,000 Android users may have been impacted. Contrast this situation with a deployment model like Apple’s, where the company can push updates to device owners without having to involve carriers.

What about ad networks? — The anything-goes nature of the Android Market coupled with Google’s insistence that purchases go through Google Checkout has created a situation where a large number of Android applications generate their revenue solely through ads, rather than by being purchased directly by users. Building free, ad-supported apps lets developers sidestep the headaches of Google Checkout (which isn’t available in many markets, and has complicated tax implications — unlike Apple, Google doesn’t handle any of that for developers). Building ad networks into mobile apps is so common in the Android ecosystem that many apps even support multiple ad networks. And, of course, these advertising providers want to know everything about Android users: email address, contact information, unique identifiers, and sometimes even location.

Even if an Android developer has good intentions, it may not have the time or capability to vet ad networks — particularly if there’s a language barrier involved. Remember, lots of ambitious app developers are just one or two people with an idea and some time on their hands. They may just drop in support for whatever ad network promises them the highest return, without much regard for the safety of their users’ data, what those networks do with those data — or, potentially, the security of the ad network’s software. If a major security flaw turns up in a library supplied by an advertising network, hundreds or thousands of apps could suddenly be vulnerable to exploit. And let’s not forget the idea that scammers might set up their own ad networks and build the back doors themselves.

Types of threats

It’s important to note that the Android platform doesn’t have traditional viruses — malicious programs that spread between devices. An Android virus isn’t impossible, but it’s certainly not likely. Instead, malware creators have focused on other types of exploits, most of which involve tricking Android users into doing something they shouldn’t.


Malware apps — The most common Android malware is an app that claims to do one thing but does another — often behind a user’s back or without their knowledge. These are often classic Trojan horses: Many take the form of knockoff or free versions of paid games; others play on hot products or entertainment trends. The idea is to lure users into downloading a free or heavily discounted game, get them to launch it, and clandestinely install malware behind their back. That malware might try to grab passwords and keystrokes; it might forward email, messages, and address books on to cybercriminals; it might be used to take over a Google account. Anything’s possible — but the makers have to fool people into downloading and running the app. That’s often easier if there’s a language barrier involved.

Drive-by exploits — Drive-by-downloads are a bit nastier. The idea is to lure Android users to visit a website containing code that exploits a known weakness in a browser. Once users visit the site, the malware gets installed. Depending on the exact mechanism, the malware may deliberately crash the device in order to get users to restart it — executing a nasty payload. Drive-by techniques aren’t exclusive to Android — iOS jailbreaks have famously used drive-by techniques — but they’re becoming more common in the Android world.

Drive-by exploits often use social engineering or phishing techniques to usher users toward infected sites. For instance, you might get an SMS message that looks like it’s from a carrier or service provider, urging you to download an urgent update.

The bottom line is that any time you install an app or visit a website, there is a chance not all is as it appears to be.

How to stay safe

Yes, Android’s malware situation is complicated — and it’s not going to be getting simpler any time soon. Nonetheless, there are some simple things you can do that greatly reduce the chances you’ll have any problems.

Only use trusted app stores — First and foremost: Don’t just download any app from any source you happen to encounter. Go to your Android device’s Applications Settings menu and disable the “unknown sources” option for installing apps. This will prevent your device from installing apps via email, the Web, or any source besides Google Play. Unfortunately, it also disables potentially legitimate sources like the Amazon App Store, and carrier-specific stores. If this matters to you, enable “unknown sources” only when specifically shopping at those trusted markets.


Check out the app and the publisher — Before downloading a new app, check out the reputation of both the app and the publisher. This means looking further than reviews posted in whatever marketplace you’re using — unscrupulous publishers are notorious for writing their own five-star reviews. Look for reviews from independent sources.

Don’t install APKs — Do not install APKs (Android application package files) directly, say from an SD card or a USB device. Unless you’re a skilled Android developer (with tools), there’s almost no way to determine what an APK will do until you’ve already run it — at which point, there’s usually no going back. There’s some misperception that since all Android APKs have to be digitally signed by their developers, they’re safe. That’s misleading: While all APKs must be signed, it’s just to verify the files haven’t been damaged or corrupted since the developer built them. A signature in no way confirms an app is not malicious, and there’s no requirement signatures be verified by a third party. In fact, it’s pretty much standard practice for developers to self-sign their own applications.

Always check permissions — Whenever you download or update an app, Android will present a list of permissions it requires to run. Don’t just power your way through the list in your rush to the app: See if it makes sense. Does a wallpaper app really need to know your location? Does an app that lets you keep track of baseball player stats really need access to your address book? Probably not. If apps ask for inappropriate things, they may be up to no good — or be supported by an advertising network that wants to know everything about you.
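The permission check described above can be scripted for anyone reviewing an app before install. This is an added example, not code from the original article: it parses text in the style of `aapt dump permissions` output and flags sensitive permissions that fall outside what the app's category plausibly needs. The sample dump, the package name, and the per-category baselines in `EXPECTED` are constructed assumptions.

```python
import re

# Real Android permission names that expose personal data or can cost money.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "text messages",
    "android.permission.SEND_SMS": "sending SMS (can incur charges)",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_PHONE_STATE": "device identifiers",
}

# Assumed baselines (illustrative): what each kind of app plausibly needs.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER",
                  "android.permission.INTERNET"},
    "navigation": {"android.permission.INTERNET",
                   "android.permission.ACCESS_FINE_LOCATION"},
}

# Accepts both aapt styles: name='a.b.C' and the older bare a.b.C form.
_PERM = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)", re.M)

def parse_permissions(dump):
    """Return the set of permission names requested in an aapt-style dump."""
    return set(_PERM.findall(dump))

def audit(dump, category):
    """Split out-of-baseline permissions into (sensitive, other) sorted lists."""
    if category not in EXPECTED:
        raise ValueError(f"no baseline for category {category!r}")
    extra = parse_permissions(dump) - EXPECTED[category]
    sensitive = sorted((p, SENSITIVE[p]) for p in extra if p in SENSITIVE)
    other = sorted(p for p in extra if p not in SENSITIVE)
    return sensitive, other

# Constructed sample: a wallpaper app asking for location and contacts.
SAMPLE_DUMP = """\
package: com.example.wallpapers
uses-permission: name='android.permission.SET_WALLPAPER'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: android.permission.READ_CONTACTS
uses-permission: name='android.permission.VIBRATE'
"""

if __name__ == "__main__":
    sensitive, other = audit(SAMPLE_DUMP, "wallpaper")
    for perm, what in sensitive:
        print(f"QUESTION  {perm}  ({what})")
    print("other unexpected:", other)
```

A flagged permission is a prompt to ask why the app wants it, not proof of malice; an ad library bundled with the app can account for it.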

And, above all, don’t panic. Malware isn’t a tremendous issue for Android yet, but the edges of the ecosystem are starting to get pretty sketchy. Well-informed users who understand how the Android world works should be in little danger, but the less you understand the technology and the ecosystem, the more likely you are to inadvertently get into trouble.

