Android offers a more open and customizable experience than Apple’s comparatively locked down iOS platform. However, that also means Android users could encounter more malware threats in the wild. The key word there is “could.” Many of the Android malware stories we see making the rounds end up amounting to nothing because of the way the platform operates these days. While Android malware is definitely out there, you don’t always need to panic. Let’s take a look at the anatomy of an Android malware scare to see when panic is warranted.
The first thing you need to know about Android malware is that you most likely can’t just magically become infected from visiting the wrong website. Apps on Android need to be installed by the user, and several steps must be completed before you can install anything from outside Google’s Play Store. Even when you do enable the “unknown sources” feature of Android, you need to tap to authorize each app installation manually.
The Play Store is the only service that can install an app in the background, and even then you need to verify your identity before it allows you to push app installations down to a phone. In the overwhelming majority of malware cases, people are being tricked into “sideloading” apps from outside the Play Store. It’s just an example of social engineering. Someone may land on a page that says, “Hey, you need this plug-in to view the content.” They install the APK, and they’re infected.
If you can avoid installing APKs from emails or random web pages, you’re already safe from most of the malware you hear about.
The Source of Infection
Not all Android devices are created equal. There are many millions (possibly even billions) of Android phones in Asia that don’t connect to Google’s servers. Since the search giant pulled out of China almost a decade ago, Android users there have been left to rely on third-party app stores. The makers of their phones often run these, but there are plenty of sketchy underground sites peddling APKs as well. And then there’s Russia, which has a thriving third-party app store scene that focuses on apps with Russian localization.
These app stores are the “wild west” of app distribution. There’s plenty of safe content there, but some of it is also harboring malware. There’s no one overseeing things to keep malware in check, so most bad apps show up there first. Consequently, many of the infections are concentrated in Asia. If you’re not installing apps from these marketplaces, you’re probably safe.
In the west, malware is most likely to appear in “warez” or pirated app repositories. The nature of the content means there’s little or no vetting of the files. So, you might think you’re getting Clash of Clans with a bunch of cheats installed, but you’re really getting a virus. Again, if you’re not installing these apps, your risk of infection goes way down.
If you have an Android phone powered by Google (which covers almost every Android user reading this), your phone has malware scanning built in. Google deployed the Play Protect system several years ago (at the time it was just called Verify Apps). This service continually scans the apps on your phone to watch for malicious behavior. If it detects something, you can take action to remove it. In the event of a breach of Google’s Play Store, the company can remotely kill malware on all connected devices.
Yes, malware does occasionally slip past Google’s filters and end up on devices. These apps are usually only downloaded a handful of times before Google catches on, but there have been some larger-scale infections. This is something to watch for in malware announcements: did the discoverers find it in the Play Store, and had users actually installed it? Even so, the odds of infecting your phone with a virus from the Play Store are still incredibly low.
When It’s Just an App
Let’s say you do end up with malware on your Android phone. What’s going to happen? The most common form of malware is going to cram your phone full of ads. Google has increasingly clamped down on what developers can do with regard to advertising, but malware can throw up full-screen ads or send scammy push notifications. This is an annoyance, but it’s not necessarily a security threat.
Making money from ads is nice, but your personal data might be worth more. That’s why a lot of malware will try to disguise its presence and spy on you. These are still just apps on your phone, so you need to grant them access to features like account data and location. Again, this takes some clever social engineering on the part of the malware author.
Other bad apps will try to impersonate a legitimate app to gather personal details entered by users. We saw this recently with a fake Uber app. You might not notice there’s malware active, but when you do it can be uninstalled like any other app.
Old and New Vulnerabilities
Every software platform in the world has bugs, and Android is no different. Its open source nature and reliance on the Linux kernel all but guarantee that any major Android bug gets plenty of attention as well. When there’s a new severe vulnerability in Android (like Stagefright), that’s when you need to start worrying. In that event, much of what we talked about above no longer applies.
With the right vulnerability, an attacker could theoretically gain direct control over your device to install malware, or simply bypass the security measures that are supposed to prevent background installations. Malware that targets an unpatched vulnerability can also act as more than “just an app” by gaining root access to your device.
Are you sufficiently freaked out? There’s good news. Serious vulnerabilities are rarer than they once were, and the ones we do hear about are disclosed in a responsible fashion. Security researchers find the flaws and Google issues patches before anyone tries to use the vulnerability in the wild.
Some dangerous hacks in the past have prompted Google to ensure that Android lists the security patch level in the system settings. You can always check that to see if you’ve got the most recent security update on your phone. Unfortunately, not all Android OEMs are good about pushing security updates. In the event of a major exploit, you’ll want to keep an eye on your device’s update timeline.
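As an added example (not code from the original article), here is a small Python triage script that checks the two signals this article keeps returning to on a phone connected over adb: which installed apps came from somewhere other than the Play Store (the sideloading vector described earlier), and how old the reported security patch level is. It parses the text printed by two real commands, `adb shell pm list packages -i` and `adb shell getprop ro.build.version.security_patch`; the sample outputs embedded below are constructed rather than captured, and the 90-day staleness threshold is a chosen assumption.

```python
import re
from datetime import date
from typing import List, Tuple

# Installer the article treats as trusted: the Play Store's package name.
# Any other non-null installer means the user tapped through the
# unknown-sources prompts and sideloaded the app.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i` output (not captured).
SAMPLE_PACKAGES = """\
package:com.example.bank installer=com.android.vending
package:com.example.flashlight installer=com.android.chrome
package:com.android.settings installer=null
package:com.example.cheats installer=com.example.filemanager
"""

# Constructed sample of `adb shell getprop ro.build.version.security_patch`.
SAMPLE_PATCH_LEVEL = "2018-11-05"

_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def sideloaded_apps(pm_output: str) -> List[Tuple[str, str]]:
    """Return (package, installer) pairs not installed by a trusted store.
    Preinstalled system apps report installer=null and are skipped."""
    flagged = []
    for line in pm_output.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group(2) != "null" and m.group(2) not in TRUSTED_INSTALLERS:
            flagged.append((m.group(1), m.group(2)))
    return flagged


def _iso(day: str) -> date:
    y, m, d = (int(x) for x in day.strip().split("-"))
    return date(y, m, d)


def patch_age_days(patch_level: str, as_of: str) -> int:
    """Days between the device's YYYY-MM-DD patch level and the date as_of."""
    return (_iso(as_of) - _iso(patch_level)).days


def patch_is_stale(patch_level: str, as_of: str, max_days: int = 90) -> bool:
    """True when the patch level is older than max_days (assumed threshold)."""
    return patch_age_days(patch_level, as_of) > max_days


if __name__ == "__main__":
    for pkg, src in sideloaded_apps(SAMPLE_PACKAGES):
        print(f"sideloaded: {pkg} via {src}")
    # Fixed reference date so the sample run is reproducible.
    print(f"patch {SAMPLE_PATCH_LEVEL} stale: {patch_is_stale(SAMPLE_PATCH_LEVEL, '2019-03-01')}")
```

On a real device, feed it the live output of the two adb commands instead of the constructed samples; a patch level many months behind is the cue to check your OEM's update timeline.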
Some Android users want root access for tinkering, but this is also a security issue. A lot of malware tries to root phones upon installation, but it almost always fails. That’s because app-based root exploits are basically unheard of at this point. It’s been years since someone has found such a vulnerability, and without root, there’s only so much malware can do. You’ll sometimes hear about malware that includes Towelroot or PingPongRoot. If you see these listed as a new malware’s vector of attack, you don’t need to worry. Android has been patched against them for years. If anyone does find a new version of these exploits, that would be something to worry about.
Don’t Panic (Usually)
The next time there’s an Android malware scare, look at the facts before you panic. Is it just being distributed via shady Chinese app stores? Do you need to be tricked into installing it manually? If you were to catch it, is it just going to show you ads until you uninstall it? If the malware is using Android vulnerabilities to compromise phones, are they ancient exploits like PingPongRoot?
The real threat is a new major exploit for Android, which is increasingly rare. If something like that happens, you should see if your device is already patched. If it’s an in-the-wild attack, that’s when you need to worry. Be vigilant, and you’ll be fine.