The ultimate Android malware guide: What it does, where it came from, and how to protect your phone or tablet

Although it hasn’t made a huge dent in the tablet market yet — or perhaps we should call it the iPad market — Google’s Android operating system has been the top-selling smartphone platform for a while. That also means it’s a top target for scammers and malware developers eager to steal data and money from unsuspecting Android users. Last year brought some dire statistics, with security firms like McAfee and Lookout claiming sharp rises in Android malware, and even that three in ten Android devices will run into malware. Juniper Networks famously reported a 472 percent increase in Android malware between July and November 2011, and Google has been pulling malicious apps from the Android Market (now Google Play) and just rolled out Bouncer, a new tool that attempts to automatically screen out bad apps before they hit the market. Still, new threats seem to arrive regularly, whether they’re malicious apps that record phone calls or pose as banking apps to grab credentials and potentially install more software.

What sorts of potential threats do Android users face, and is paranoia really necessary? Ultimately, how can Android users protect themselves — and all the data that flows through their devices?

Why does Android have malware?

The simplest reason Android has more malware than competing mobile platforms is that it’s the bigger target. The vast majority of malware targeting traditional computers aims at Windows because, historically, Windows has had the largest marketshare. Although Android has only become the leading smartphone platform comparatively recently, that emergence coincided neatly with massive consumer interest in smartphones. Thus, Android is the biggest target. However, there are also aspects of the Android ecosystem that may make it — and Android users — more vulnerable.

Is open source a problem? — Android has been criticized in some circles as an inherently insecure platform because significant portions are built on open-source technologies like Linux and WebKit. Some critics would argue that because Google offers the full Android source code to anyone who wants to look through it and pick out flaws, the platform is inherently less secure than platforms (like BlackBerry, Windows Phone, and Apple’s iOS) that hold their source code (or significant portions of it) as a closely guarded secret.

Although there’s little denying Android has seen more of a malware issue than competing mobile platforms — Apple iOS and RIM’s BlackBerry have been relatively unscathed, and it may still be too early to say for Windows Phone 7 — the presence of malware for Android seems to have a great deal more to do with the Android ecosystem than the technologies on which it’s been built. If one wants to attack Android’s security because it uses open-source technology, one also has to make the same attack against Linux (which has never had a significant malware problem) and iOS (which is based on BSD Unix and uses the same WebKit browsing technology). And the technology has taken a few hits in recent months. OpenSSL is widely deployed on almost every platform on the planet — and it’s open source. The same applies to a wide number of utilities and libraries used on most (if not all) mobile platforms. No software is perfect, but open-source efforts with sufficient developer interest have consistently proven they can sustain high quality levels over the long term.

Or maybe the open market? — Rather than deriving from the provenance of its code, Android’s malware situation seems to derive from Google’s app ecosystem. Where Apple, RIM and Microsoft have offered curated app market experiences, Google Play has been almost a free-for-all: essentially anyone can contribute an application and have it distributed on a market that’s available to the vast majority of Android devices. And Google Play isn’t even the sole source to get apps. Google essentially lets anyone set up their own markets for Android apps: Amazon’s App Store is probably the best-known, but there are a myriad of other app stores out there. International markets are especially hot for non-Google app stores, where being able to offer an Android app store in a local language — perhaps with apps specific to a particular country or region — can be an appealing proposition. Some of these alternative markets are run by mobile operators; others are less clear.

What about device makers and carriers? — If a security issue turns up in Android, Google is responsible for developing and releasing a fix. However, at that point it is up to device makers and carriers to get the update out to their customers. In many cases, carriers have been notoriously slow to get Android updates to their customers. Case in point: the DroidDream malware that assaulted the Android Market about a year ago. Google discovered the vulnerability that led to DroidDream all the way back in August 2010, and developed a patch for it very quickly. However, more than half a year later, most Android handsets still didn’t have the patch, and DroidDream was able to continue exploiting a known flaw. As many as 250,000 Android users may have been impacted. Contrast this situation with a deployment model like Apple’s, where the company can push updates to device owners without having to involve carriers.

What about ad networks? — The anything-goes nature of the Android Market coupled with Google’s insistence that purchases go through Google Checkout has created a situation where a large number of Android applications generate their revenue solely through ads, rather than by being purchased directly by users. Building free, ad-supported apps lets developers sidestep the headaches of Google Checkout (which isn’t available in many markets, and has complicated tax implications — unlike Apple, Google doesn’t handle any of that for developers). Building ad networks into mobile apps is so regular in the Android ecosystem that many apps even support multiple ad networks. And, of course, these advertising providers want to know everything about Android users: email address, contact information, unique identifiers, and sometimes even location.

Even if an Android developer has good intentions, they may not have the time or capability to vet ad networks — particularly if there’s a language barrier involved. Remember, lots of ambitious app developers are just one or two people with an idea and some time on their hands. They may just drop in support for whatever ad network promises them the highest return, without much regard for the safety of their users’ data, what those networks do with those data — or, potentially, the security of the ad network’s software. If a major security flaw turns up in a library supplied by an advertising network, hundreds or thousands of apps could suddenly be vulnerable to exploit. And let’s not forget the idea that scammers might set up their own ad networks and build the back doors themselves.

Types of threats

It’s important to note that the Android platform doesn’t have traditional viruses — malicious programs that spread between devices. An Android virus isn’t impossible, but it’s certainly not likely. Instead, malware creators have focused on other types of exploits, most of which involve tricking Android users into doing something they shouldn’t.

Malware apps — The most common Android malware is an app that claims to do one thing but does another — often behind a user’s back or without their knowledge. These are often classic Trojan horses: Many take the form of knockoff or free versions of paid games; others play on hot products or entertainment trends. The idea is to lure users into downloading a free or heavily discounted game, get them to launch it, and clandestinely install malware behind their back. That malware might try to grab passwords and keystrokes; it might forward email, messages, and address books on to cybercriminals; it might be used to take over a Google account. Anything’s possible — but the makers have to fool people into downloading and running the app. That’s often easier if there’s a language barrier involved.

Drive-by exploits — Drive-by downloads are a bit nastier. The idea is to lure Android users to visit a website containing code that exploits a known weakness in a browser. Once users visit the site, the malware gets installed. Depending on the exact mechanism, the malware may deliberately crash the device in order to get users to restart it — executing a nasty payload. Drive-by techniques aren’t exclusive to Android — iOS jailbreaks have famously used drive-by techniques — but they’re becoming more common in the Android world.

Drive-by exploits often use social engineering or phishing techniques to usher users toward infected sites. For instance, you might get an SMS message that looks like it’s from a carrier or service provider, urging you to download an urgent update.

The bottom line is that any time you install an app or visit a website, there is a chance not all is as it appears to be.

How to stay safe

Yes, Android’s malware situation is complicated — and it’s not going to be getting simpler any time soon. Nonetheless, there are some simple things you can do that greatly reduce the chances you’ll have any problems.

Only use trusted app stores — First and foremost: Don’t just download any app from any source you happen to encounter. Go to your Android device’s Applications Settings menu and disable the “unknown sources” option for installing apps. This will prevent your device from installing apps via email, the Web, or any source besides Google Play. Unfortunately, it also disables potentially legitimate sources like the Amazon App Store, and carrier-specific stores. If this matters to you, enable “unknown sources” only when specifically shopping at those trusted markets.

Check out the app and the publisher — Before downloading a new app, check out the reputation of both the app and the publisher. This means looking further than reviews posted in whatever marketplace you’re using — unscrupulous publishers are notorious for writing their own five-star reviews. Look for reviews from independent sources.

Don’t install APKs — Do not install APKs (Android application package files) directly, say from an SD card or a USB device. Unless you’re a skilled Android developer (with tools), there’s almost no way to determine what an APK will do until you’ve already run it — at which point, there’s usually no going back. There’s some misperception that since all Android APKs have to be digitally signed by their developers, they’re safe. That’s misleading: While all APKs must be signed, it’s just to verify the files haven’t been damaged or corrupted since the developer built them. A signature in no way confirms an app is not malicious, and there’s no requirement signatures be verified by a third party. In fact, it’s pretty much standard practice for developers to self-sign their own applications.

Always check permissions — Whenever you download or update an app, Android will present a list of permissions it requires to run. Don’t just power your way through the list in your rush to the app: See if it makes sense. Does a wallpaper app really need to know your location? Does an app that lets you keep track of baseball player stats really need access to your address book? Probably not. If apps ask for inappropriate things, they may be up to no good — or be supported by an advertising network that wants to know everything about you.
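
The permission check described above can also be done on an APK file before it ever reaches a device. The following is an added example, not part of the original article: it parses the text output of `aapt dump permissions` and flags sensitive permissions that do not fit the app's category. The category baseline, the function names and the sample dump are assumptions made for illustration.

```python
import re

# Real Android permission names guarding the data the article mentions.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_SMS": "text messages",
    "android.permission.SEND_SMS": "sending text messages",
}

# Assumed baseline (illustrative, not an Android rule): sensitive
# permissions that make sense for each app category.
EXPECTED = {
    "wallpaper": set(),
    "sports-stats": set(),
    "navigation": {"android.permission.ACCESS_FINE_LOCATION"},
    "messaging": {"android.permission.READ_CONTACTS",
                  "android.permission.READ_SMS",
                  "android.permission.SEND_SMS"},
}

# Accepts "uses-permission: NAME" and "uses-permission: name='NAME'".
PERM_RE = re.compile(r"^\s*uses-permission:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump_text):
    """Return the set of permissions requested in an aapt permissions dump."""
    matches = (PERM_RE.match(line) for line in dump_text.splitlines())
    return {m.group(1) for m in matches if m}

def unexpected_permissions(dump_text, category):
    """Return (permission, data exposed) pairs that do not fit the category."""
    allowed = EXPECTED.get(category, set())  # unknown category: allow nothing
    return sorted((p, SENSITIVE[p]) for p in parse_permissions(dump_text)
                  if p in SENSITIVE and p not in allowed)

# Constructed sample dump, not taken from a real app.
SAMPLE_DUMP = """package: com.example.wallpapers
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SET_WALLPAPER'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: android.permission.READ_CONTACTS
"""

if __name__ == "__main__":
    for perm, exposes in unexpected_permissions(SAMPLE_DUMP, "wallpaper"):
        print(f"review before installing: {perm} ({exposes})")
```

A flagged permission is a prompt to look closer, not proof of malice: as the article notes, it may come from a bundled advertising library.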

And, above all, don’t panic. Malware isn’t a tremendous issue for Android yet, but the edges of the ecosystem are starting to get pretty sketchy. Well-informed users who understand how the Android world works should be in little danger, but the less you understand the technology and the ecosystem, the more likely you are to inadvertently get into trouble.
