Android is a hot bed for malicious malware. This malware is so dangerous that it can destroy your phone, and even your life if you’re not careful. The worst part is it’s already happening to you right now! There is no place to hide! It’s everywhere! At least that’s what some people want you to believe. Android malware has been a hot topic for several years.
With just a quick search for “malware” on this site you can find many stories about this topic. There are reports from security companies about Android malware being on the rise, infographics for fighting malware, reports of Google patching holes, and much more. It’s time to set things straight once and for all. This is the truth about Android malware.
1. It exists
If you are using something that has access to the internet you are susceptible to malware. Windows, Mac, iPhone, and even Blackberry devices are susceptible to malware. Being able to access the internet makes any device a target for malware. Android is no exception. In the past few years there have been cases where Android devices were infected by malware. The most public cases were from Microsoft’s #DroidRage campaign. They held a device giveaway for anyone that was infected with Android malware.
Still, those are extreme (and maybe fake) cases. Despite what you may have heard Android is actually one of the less susceptible platforms out there. It is estimated that less than 0.001% of app installations are able to evade Google’s security measures. Even though the malware exists it’s not a serious concern for most Android users.
2. Google has security
There are some people who think Android is like the Wild West. They think the sheriff, Google, is out-of-town and everyone is free to do as they please. This is obviously not true. Google has advanced security tools with many layers of protection. The 0.001% of apps that do make it pass Google’s security have to make it through all the levels in the chart below.
That’s 7 layers of security. If the user doesn’t have unknown sources enabled, like most average users don’t, the app won’t even make it past the second level. Android is not the wild west, but it’s not Apple’s walled garden either. Google will let anyone upload an app to the Play Store, but that doesn’t mean they will let it infect your device. They have your back.
3. The iPhone isn’t immune
There’s a very misinformed notion that somehow the iPhone is somehow immune from all of this. Despite owning the biggest piece of smartphone market share, it’s true, the iPhone may not be as big of a target as Android devices. This is largely in part due to iOS not giving users the ability to download/install apps from outside sources like on Android, but security flaws within the OS are exposed frequently.
In fact, security firm Symantec published a report last year in which they discovered 387 security holes in iOS. Android? Only 13. More recently, it was discovered that the default Mail app used in most recent versions of iOS wasn’t encrypting email attachments properly, leaving them wide open to attackers looking for sensitive data.
With the process of “jailbreaking” an iPhone or iPad being a practically 1-click affair, there’s also a growing number of iOS users turning to jailbreaks in order to have access to 3rd party market places like the Cydia app store, free from Apple’s iron fist. A year ago, Evasi0n — a popular iOS jailbreak method — logged 7 million downloads of their free software the week after it went live to the public. That’s a lot of users.
Of course, jailbreaking opens up iOS devices to many of the same non-sanctioned, possibly malicious applications as Android. In fact, it was earlier this year, a proof of concept malware was created that showed how would-be hackers could record every screen press and interaction a user had on their jailbroken iOS devices. Not a huge issue for the vast majority of iPhone/iPad users who stick with the stock firmware and App Store for all their application needs, but then again, the same could be said for Android users.
4. Some security apps are a scam
All of this fear mongering around Android malware has created opportunities to make some easy money. A lot of people are more than willing to shell out a few bucks if they think it will protect them. There are some really nice security apps available, but most of the ones that cost money aren’t worth it.
- Norton & McAfee: These companies have built a good reputation on PCs, but their mobile apps are unnecessary. They both throw a ton of separate apps out there for many different things like dialer protection and cloud security. You don’t need any of these apps.
- NQ Mobile: This app has lead a controversial life. The company is on the New York Stock Exchange, but many people of accused them of being a fraud. The app has good reviews in the Play Store, but be wary of the accusations.
- Paid Apps: Android is very secure on its own. Paying for a security app is a waste of money. Plain and simple. If you do really, really want an extra layer of security we have a few suggestions below.
5. Some security apps actually work
While some companies are trying make easy money, others are trying to actually help. There are a few apps that you can use to give yourself some peace of mind.
- 360 Mobile Security: The app with the highest detection rate is 360 Mobile Security, coming in at 99.9%. This app is lightweight, fast, and well designed. Above all that is the functionality. It can do standard scans, but also fix system vulnerabilities, and help your phone run more efficiently.
- Avast!: The popular free desktop anti-virus program also has an excellent Android app. Avast scans your apps to provide details on what they are doing, scans URLs for malware, and even has some anti-theft tools. The best part about Avast! is it’s completely free.
- Lookout Security & Antivirus: A great app that has been around forever is Lookout. Like Avast!, this app combines software and physical security. It will scan apps and give you reports, but also allow you to track your phone if it’s stolen. The detection rate for malicious apps is 99.4% accurate.
Other security apps to consider
Of course, the security apps listed above aren’t the only apps of their kind in the Google Play Store. With so many options to choose from, here are a few others we found that, according to their reviews, seem to be well-received by their users. While we haven’t tested these apps ourselves, we’ll ask you guys if you’ve had any experience/success with any of the below listed apps. Any others you’d recommend?
6. You are the best weapon
The best way to avoid malware, and this goes for any platform, is to be smart. If you are installing cracked APKs from random websites you are obviously more at risk. But, if you follow these simple guidelines and you and all your Android devices will be safe.
- Read reviews before downloading an app in Google Play.
- Download APKs from trusted or official sources.
- Read the permissions required by the app.
- Ask about it on AndroidForums.
If you do these things, and use a little common sense, your Android device will always be malware-free. If anyone that you know is afraid of getting a virus on their Android device share this article with them. Together we can end the terrible myths about Android security.
Great for the average users for the tech heads though its like psh Malware? Blah!
Malware exists on all popular platforms, however the amount of malware that has infected is slim to none percentage wise or the ways of attaining malware is tough on both iOs and android. One person would have to be trying very hard to stumble upon malware
It’s true. Whenever someone asks me about installing an “anti-virus” app on their Android the first thing I ask them is, “Do you only use the Google Play Store to install apps?” 99.9% of the time the answer is yes, in which case I tell them they don’t need it.
It would be really great if this article had some kind of factual backing. I don’t disagree that Norton and McAfee’s apps are unnecessary, but why is that? Why should I believe that 360 Mobile and Lookout Security are >99% accurate, other than that you say so? Where are the accuracy ratings for Norton and McAfee? Your claims are not “truths about malware” until you make them so.
It explained why they were unnecessary. May want to reread that again.
Be happy that you are so easily convinced, I guess.
I also don’t disagree, but that just my opinion. There may be factual backing for this, but I’m not aware of it, and it certainly wasn’t presented here. Maybe a better title would be “6 things I can say about malware that will ring true with most people likely to be reading this”?
I would answer this by saying “who cares what the accuracy of Norton and Symantec is, you have to buy it, when there are free alternatives out there that catch 99%+” Just my opinion.
would be nice if all hte apple fanboys/girls who use the reason of “oh, android gets viruses. My iphone is immune and this is why i wont ever buy an Android.”
Would be nice they… what? Please complete your thought.
Let them. People who jailbreak their iPhones are even more susceptible to viruses than a rooted Android phones.
Rooted Android still has Google security. Apple don’t want to help a jailbroken iPhone.
I use Avast because I can use the same account from my pc version.
I don’t use Avast on the PC any more because I spent a day fixing a relative’s PC when it failed to detect a pretty old and well-established piece of malware then wouldn’t allow me to update IntelliJ IDEA on my own machine because of a false positive that still wasn’t fixed a month after I reported it. It used to have some of the best detection rates but now it’s pretty poor.
That’s too bad for you mate. Works fine here.
“Despite owning the biggest piece of smartphone market share”.
The iPhone doesn’t have the biggest smartphone market share…
Like 12% now and falling.
Samsung has the largest overall share, but on an individual phone basis, the iPhone does.
Same thing I thought when I read that sentence. Jason Crumbley here seemed to miss the point. The article talks about vulnerability between OS’s, the author is using iOS and iPhone interchangeably. When he stated “Despite owning the biggest piece of smartphone market share, it’s true, the iPhone may not be as big of a target as Android” he is comparing iOS to Android and the statement is wrong. Android has the largest worldwide market share by a wide margin which makes it a big target, just like Windows in the PC market.
What about AVG?
AVG is a virus pretending to be an antivirus. But really, it misses so many viruses it’s not worth thinking of yourself as protected when you use AVG.
Yeah, it’s unfortunate AVG for Android is so bad (all it really catches are test viruses), because they’re Windows AV software is really good.
No, the windows AV that AVG puts out is way worse. For every 1 virus AVG finds, it also finds like 15 false positives. And misses about 5 real viruses. DO NOT use AVG.
Go buy a real antivirus like ESET or Kaspersky; or at least use Avast! if you don’t like spending the money.
… or (free as “free beer” edition) Antivir ?
I’ve been using AVG for a several years now and can only remember getting a couple false positives in all that time.
I’m not surprised a competitor says it’s bad, an independent source would be far more meaningful.
Your pretending to know what your talking about.
A one month snapshot does not account for the entire history of a product. Collect the last 2 years of reports from av-comparatives and you’ll see its track record is awful by comparison to Kaspersky, ESET, even Norton 360. I will say this, though, at least it’s better than Trend Micro.
They have snapshots going back months, any particular month you want and reason why?
Of course not, your just being awkward.
I was using AVG (free) on windows laptops for 4 years, when one of the laptop got infected 2 years ago. Uninstalled it after having cleaning the laptop from malwares, and then installed Antivir… which detected the incriminated virus.
So yes: TigerC10 knows his subject
Detection rate for AVG is quite reasonable for free antivirus software.
But it sounds like it protected you for 4 years, no antivirus software detects 100% of infections, what you described could happen with any antivirus software.
I always scan with more than one antivirus program. They all have slightly different detection databases, and I often find a few stragglers on the 2nd or 3rd pass that way.
I’ve tried that many times over the years and on many systems and I have always had the worst viruses slip through AVG. I’ve had better luck with Avast but get annoyed by their nagging to purchase when I didn’t feel it was polished enough for me to spend money on. In the end I went back to paying for Norton Internet Security or using Microsoft Security Essentials. I back it up with a Malwarebytes scan if anything seems weird. Of course individual results may vary.
I like to use ESET Mobile Security on my Android – the reason is because I got a “family license” which allows me to install ESET on any 5 devices I want. Windows, Mac, Android, even Windows Mobile if I wanted to. Very nice when they all use the same license info.
and according to kc’s link it’s one of the best, offering a lot of extra features, a perfect score for detection of recent known malware, and no false positives so far.
I’m not using anything extra though.
I trust my own judgement and Google’s app verification.
I agree with you. I trusted ESET for years on my PC and ones that I looked after. I put it on my tablet because my kids get on it a lot and I’m never sure what they click.
But my two phones have nothing. Like thedicemaster here, I trust myself on those devices.
The latest results from AV-TEST: TrustGo and LookOut did well. They did not include 360 Mobile Security.
Can not say anything about CM Sercurity but I use another of their apps called Clean Master. I use it when I am running low on space. It lets me look to see what files are taking up the most space and can even remove old apks and the like from the device. So if CM Sercurity is anything like it its not a bad piece of software.
“If you are using something that has access to the internet you are susceptible to malware.”
My laptop running Linux is laughing smugly at you right now.
It doesn’t mean you aren’t susceptible. As of this moment, it just means Linux is not popular enough operating system to be even bothered by malware. Same thing happened to OSX.
So then why for years when Apache was the WebServer of choice was IIS the one facing so many exploits?
Popularity is not the only factor.
open source can also mean overlooked (heartbleed).
No one mentioned open source until you did.
If you want to look at overlooked though, that IE exploit was around for 11 years. That is a hell of a time to overlook it.
I think they can all be accused of missing threats for years. What surprised me is how things have changed on the MS side. The fact that they remained unhacked at Pwn2own for IE11 on Windows 8.1 w/EMET. Too bad the average person doesn’t know about it. http://nakedsecurity.sophos.com/2014/03/13/pwn2own-day-one-reader-ie-flash-and-firefox-felled-java-left-standing/
It takes years to earn back the trust of folks. For some people even more. Pwn2own means literally that, so the prizes are too small for the real bad folks to ever show off their tricks. Besides that MS has been very unfriendly to the security community in the past. I hope they continue to improve, but I have my doubts.
I would agree that MS was unfriendly in the past but that was around a decade ago. When they started getting trashed by threats on XP they started changing their tune. Some people definitely hold grudges for a long time.
I think you must have a different bar set for rewards. In the Pwn2own contest MS offered $150,000 to break the Windows 8.1, IE11, and EMET combo. That’s $50,000 more than any other prize. Most threats are found by a team of 1-2 people over usually a 6 month period. I think I could handle $75,000 for 6 months of work. :-)
Funny thing is I started feeling that way about Google about 3 years ago. When Gmail first came out I was excited about it and the same with Android. Now I only use them out of necessity as my job requires knowledge of them. Working with their team that handled Postini after the acquisition didn’t help. They took my money and then refused to help or fix anything.
I actually can talk directly to engineers at Microsoft and can actually get support for Office 365 for my clients unlike Google who just refers you to the internet for paid services. It’s weird for me to say Microsoft has been helpful but they actually have been the past few years.
I’m sure we all have our stories with some company but i was losing interest in MS until a cultural shift started happened, and I don’t mean Balmer.
No, they have ignored security issues for months and then tried to sue researchers who disclosed when nothing was done. This was in the last couple years. My grudge with MS is from before XP and after. Their current backing of patent trolls for example.
Support for office 365? These are the folks that ignored us during the outlook.com outage. You forget that already?
MS has a long road to hoe if they want to be seen as anything better.
I don’t mean this in a confrontational way but if you have some info on Microsoft suing someone for reporting a threat recently I would like to see it. I try to keep up as much as I can but I will admit I do miss some articles from time to time. I have seen Apple disable the account and freeze the apps of a developer who report a threat but haven’t heard of Microsoft as of late. To me personally, of the three I think Apple is the most hostile towards the security community. Microsoft sometimes seems to have an identity crisis sometimes but lately they “seem” to be finally coming together. Time will tell.
I don’t think anyone could argue with the fact that Google was at the forefront improving browser security though and they are the most consistent on at least that. If it wasn’t for Google, I think browser security would still be in the dark ages.
As for the outlook.com outage, they reported it on their website and gave status updates. I read about the last big Gmail outage from a tech blog first. From what I remember about outlook.com they even stated what mistakes they made. I had 3 times last year my Gmail stopped working on all devices and I received no emails on my paid Google Apps account and no explanation was given for nearly a full business day. I received no emails from clients via email, even gmail.com, and they thought I was ignoring them. My other staff had the same issue and to this day nothing has been said about it. That said, I’m referring to Office365 for business. When you subscribe they actually have a full portal of all problems and their status but I can also call an 800 number for questions or submit a trouble ticket and all I have used have been answered in a timely fashion. Of course, like I mentioned before I wouldn’t be surprised if others have had a different experience. Microsoft hasn’t exactly been golden for me personally but as of late they have been better than Google.
To tell you the truth though, neither Google or Microsoft has done anything that has made me absolutely want to quite using their services. Maybe curse for a little but then move on. :-) I have enjoyed my Google and Microsoft services and devices, most of the time.
If I can find an article newer than 2008 I will post it. I do know they still claim they won’t sue over “responsible disclosure”, but never commit to what that is. Personally they should have 3 months if the vulnerability is not being actively exploited, else it should be public in 24 hours. Once there are exploits in the wild users need to know they are at risk.
I agree they both have screwed up in the past and will likely do so again.
Great picture at the top of the article.
Heart bleed isn’t malware, its a security vulnerability in older versions of OpenSSL. Nothings bug proof.
It’s actually more about the community. Distros are mostly built with very secure repositories (google play for Linux) .. the big distros go over the source and compile the code themselves. Usually only closed source is included if its from a highly trusted company like say, nvidia. Then the smaller distros adopt their parent distros repos.
There was once a virus that slipped through (I believe debians repository) but it was fixed that day. When people leave their distros repos to get something, it’s mainly well known software. You don’t typically go off site for little tools and such because Linux distros typically have everything but games.
Then there’s sudo to break through.
There is malware for Linux but Linux is a tough ecosystem to crack.
I’d like to see an app that assesses other apps to determine if the permissions required are appropriate for that app. I don’t feel that enough attention is given to this. The article above makes the laughable statement about reading an app’s requested permissions. Oh yes! How is a person expected to make sense of that lot? Get real!
Ah!! I’ve stumbled across the article when I was reading an argument.
My problem with this article is the sheer irony of it. While attempting to convince me that most android security apps are useless and that we’re clueless about their true functionality, you go on to tout specific apps as being useful, or even worse, “99.9%” effective, while provide absolutely ZERO references to these claims. I just don’t see what value this has provided me.
Perhaps you would like a full refund?
Here you go, here’s NOTHING back. NOTHING.
Anything else free that you want to complain about, go right ahead, I’ll be happy to refund you for that too. :)
What are you … fourteen? If you have no intelligent content to add to the DISQUSion (get the correlation?) then please keep your childish nonsense to yourself.
Some people just simply won’t believe that they don’t need anti-virus. That’s why we tried to point out some of the better security apps. If someone is going to use something we want it to be a good one.
How is bitdefender not on the list? It’s been tested as #1 against malware/virus on Android
They are missing AVG
Do number 6. The end. In fact that goes for malware on all platforms in many cases
I don’t want a credit card identity relationship with Google, so purchase apps from vendors I do, e.g. Amazon, or sideload from reliable sources via PayPal. But I take the point of the article about risks and run BitDefender, which tests well and has almost no resource footprint.
As mentioned above, YOU are still the best weapon, or should I say the last line of defense. Because if you don’t allow them in, your phone will not get infected.