The media is full of stories about malware infecting Android devices, painting a picture that undoubtedly serves the interests of antivirus application providers who use scare tactics to convince people that they need their products.
But is this image accurate? How vulnerable are Android devices really to malware and how much do anti-malware apps really help?
A growing backlash against anti-malware applications on the Android platform suggests that they are not really necessary at all, but as we explore in this article, the situation is rather more complicated.
Can Android devices be infected with malware?
Absolutely yes. A high-profile RiskIQ report found 25,000 “blacklisted” apps in the Play Store in 2019 (though it should be noted that this was down 76.4% from a shocking 108,000 apps in 2018).
And following a recent report, in 2020 Google removed from the Play Store 24 malicious apps that had been installed on 382 million devices.
In its 2020 State of Malware report, Malwarebytes found that the most common forms of Android malware include hidden ads, such as Android/Trojan.HiddenAds, and stalkerware. Interestingly, the most common malware found, Android/PUP.Riskware.Autoins.Fota (a variant of Adups), was pre-installed on many Android phones made in China …
So there is no doubt about it: Android malware exists and it is dangerous for Android users. For many, this simple fact alone will be enough argument to use anti-malware applications, but first there are a few considerations.
What do Android Antivirus apps actually do?
In 2019, AV-Comparatives tested the ability of 250 of the best Android antivirus apps and services to detect the 2,000 most common Android malware variants of the past year. The results are quite revealing:
- Only 23 of the 250 applications had a detection rate of 100% (with 14 additional applications having a detection rate greater than 99%).
- Only 80 of them detected more than 30% of malware samples with no false positives.
- Almost 40% of the applications were deemed “questionable / ineffective”.
Frighteningly, of the 138 questionable / ineffective applications, several “have already been detected either as Trojan horses, questionable / bogus AVs, or at least as ‘potentially unwanted applications’ (PUA) by several reputable mobile security applications.”
Many of these applications did not perform malware scans at all. Instead, they simply compared package names to a whitelist and declared any app on that whitelist clean. Any application not on the whitelist is blocked, even when installed from the Play Store, which results in many false positives.
Some of them don't even bother adding their own packages to their whitelists, so they end up reporting their own application.
That said, all of the big name antivirus apps you've probably heard of (with the notable exception of Comodo) detected 99% or more of the malware samples, which means if you choose an antivirus app from a reputable anti-malware company, it will provide real and meaningful protection to your device.
Reputable Android anti-malware applications manually scan each application, using both databases to detect known malware and advanced heuristic analysis to detect new malware. They also monitor incoming and outgoing web traffic to detect suspicious activity. And as AV-Comparatives' results show, when done right, they can be very effective.
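To make the difference concrete, here is an added example (not from AV-Comparatives or any antivirus vendor) that scores a name-only whitelist check and a known-malware database check against the same labelled test set, in the style of a lab test. All package names, file contents and digests are constructed, and heuristic analysis is not modelled.

```python
import hashlib

# All names and byte strings below are constructed for illustration.
WHITELIST = {"com.example.browser", "com.example.mail"}   # names the fake AV trusts
KNOWN_BAD = {hashlib.sha256(b"payload-A").hexdigest(),    # digests of known malware
             hashlib.sha256(b"payload-B").hexdigest()}

def whitelist_scan(pkg, apk):
    """Name-only check: the APK contents are never inspected."""
    return pkg not in WHITELIST          # True means "flagged"

def signature_scan(pkg, apk):
    """Content check: flag only files whose digest is in the malware database."""
    return hashlib.sha256(apk).hexdigest() in KNOWN_BAD

# (package name, APK bytes, is_malicious): a constructed labelled test set
SAMPLES = [
    ("com.example.browser", b"browser",   False),
    ("com.example.mail",    b"payload-A", True),   # malware reusing a trusted name
    ("net.example.game",    b"payload-B", True),
    ("org.example.notes",   b"notes",     False),  # legitimate, not on the whitelist
    ("com.example.fakeav",  b"scanner",   False),  # the scanner's own package
]

def evaluate(scan):
    """Return (detection rate, list of false positives) for one scanner."""
    malicious = [s for s in SAMPLES if s[2]]
    benign = [s for s in SAMPLES if not s[2]]
    detected = sum(scan(p, a) for p, a, _ in malicious)
    false_pos = [p for p, a, _ in benign if scan(p, a)]
    return detected / len(malicious), false_pos

if __name__ == "__main__":
    for scan in (whitelist_scan, signature_scan):
        rate, fps = evaluate(scan)
        print(f"{scan.__name__}: detection {rate:.0%}, false positives {fps}")
```

The whitelist scanner misses the sample that reuses a trusted package name and flags two legitimate apps, including itself, while the digest check catches both malicious samples with no false positives.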
However, what even the best Android antivirus apps can't do is prevent app developers from collecting data that has been obtained at least semi-legitimately and from using that data for questionable advertising purposes. The only thing that can stop this kind of unethical behavior is Google.
What security features are built into Android phones?
Google does a lot to ensure that apps in the Play Store are legitimate and to keep its users safe:
Applications are scanned for malware
Google Bouncer software scans all apps downloaded from the Play Store for malware, and will even remotely uninstall apps from your device if they later appear to contain harmful code.
Google will even scan apps downloaded from outside the Play Store (enabled by default in Play Protect settings, but this can be disabled).
It should be noted, however, that Google was found to have blocked only 68.8% of the test malware samples, making it one of the lowest performers in the tests.
To some extent, this is because Google has deliberately set its bar lower than most commercial anti-malware applications, which make themselves more useful by taking an aggressive approach to detection rates. But still …
Google employs a human team to manually moderate content on the Play Store. It is the biggest line of defense against apps that abuse data collected via apparent permissions. Google generally does a fairly good job in this area, but with nearly 3 million apps on the Play Store, it's impossible to examine them all in detail.
Precise control of application permissions
Android apps notoriously grab every permission they can, whether they are needed or not. Google has since brought this developer behavior under greater control than before, but it still happens a lot.
You can check the permissions requested by an app on the Play Store before installing it, although they are not displayed as prominently as we would like.
Unfortunately, you can't refuse to allow certain permissions before installing the app. It's an all-or-nothing deal, although the app does have to ask for confirmation before accessing sensitive things like the microphone.
Since Android 6.0, it has been possible to get fairly fine control over app permissions once an app is installed (on this writer’s Samsung Android 10 phone, go to Settings >> [select app] > Permissions).
Denying certain permissions can cause apps to malfunction (or prevent them from running completely), but at least it is possible.
We do think, however, that users should have this level of control before installing an app, as we are almost sure that most people do not bother to check the permissions of the app once they have downloaded the application.
Premium text messages are blocked
Android 4.2 fortunately put an end to an old scam by preventing applications from sending high-cost SMS. To be honest, we can think of very few apps that should have SMS access at all.
Applications are sandboxed
Each Android application is placed in a sandbox, so it runs in its own environment. This should limit the damage that malware that slips through the net can do.
Is it enough?
If you only install apps from the Google Play Store, it's likely that you won't catch any malware (although this 68.8% detection rate from AV-Comparatives worries us a bit).
To that we would add installing apps from trusted third-party app stores like Amazon and F-Droid, and even side-loading APKs obtained directly from reputable developers (such as VPN apps obtained from the VPN provider's own pages).
This does not mean that the risk is zero. VPN apps use system resources and processing power, which could slow down your device and increase battery consumption. So whether you consider that the risk outweighs the disadvantages of using an anti-malware application really is a personal choice.
However, if you get applications from the darkest corners of the Internet, you should probably be using a good anti-malware application from a “big name” company.
Are there any advantages to using a VPN for Android?
A VPN does not replace a good Android antivirus application. That said, a growing number of VPN applications these days offer DNS-based ad and malware blocking. In other words, they filter DNS queries, blocking connections to blacklisted domains.
It's a simple trick that can't be used to protect you from tracking, unwanted ads, and installed ads contacting malicious domains. But it is often quite effective.
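The DNS-based blocking described above can be sketched as follows. This is an added example, not any VPN provider's code: it parses the queried name out of a raw DNS query and blocks a listed domain together with all of its subdomains. The blocklist entries and the `build_query` helper that produces sample input are constructed.

```python
import struct

# Constructed blocklist; a real one is supplied by the filtering service.
BLOCKLIST = {"ads.example", "malware.example"}

def build_query(name, qid=0x1234):
    """Build a minimal DNS A-record query (constructed sample input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_qname(packet):
    """Extract the queried name from the question section (starts at byte 12)."""
    labels, pos = [], 12
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return ".".join(labels)

def is_blocked(name):
    """Match on label boundaries so that 'notads.example' is not caught."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def filter_query(packet):
    """Return 'block' (answer locally, e.g. NXDOMAIN) or 'forward'."""
    return "block" if is_blocked(parse_qname(packet)) else "forward"

if __name__ == "__main__":
    for host in ("Tracker.ADS.example", "notads.example", "example.org"):
        print(host, "->", filter_query(build_query(host)))
```

Because the decision is made on the domain name alone, this kind of filter has no effect on traffic that reaches a server by IP address or through a resolver the filter does not see.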
When using a VPN, your connection to the VPN server is encrypted, which protects you from hackers when using public WiFi networks.
Widespread adoption of HTTPS by websites in recent years has reduced the need for such protection, but VPNs still offer an additional layer of security (and will also prevent WiFi hosts from selling your HTTP browsing history to advertising agencies).