Guys, gals, aardvarks, fishes: I'm running out of ways to say this. Your Android device is not in any immediate danger of being taken over a super-scary malware monster.
It's a silly thing to say, I realize, but we go through this same song and dance every few months: Some company comes out with a sensational headline about how millions upon millions of Android users are in danger (DANGER!) of being infected (HOLY HELL!) by a Big, Bad Virus™ (A WHAT?!) any second now. Countless media outlets (cough, cough) pick up the story and run with it, latching onto that same sensational language without actually understanding a lick about Android security or the context that surrounds it.
To wit: As you've no doubt seen by now, our latest Android malware scare du jour is something an antivirus software company called Check Point has smartly dubbed "Quadrooter" (a name worthy of Batman villain status if I've ever heard one). The company is shouting from the rooftops that 900 million (MILLION!) users are at risk of data loss, privacy loss, and presumably also loss of all bladder control -- all because of this hell-raising "Quadrooter" demon and its presence on Qualcomm's mobile processors.
"Without an advanced mobile threat detection and mitigation solution on the Android device, there is little chance a user would suspect any malicious behavior has taken place," the company says in its panic-inducing press release.
Well, crikey: Only an advanced mobile threat detection and mitigation solution can stop this? Wait -- like the one Check Point itself conveniently sells as a core part of its business? Hmm...that sure seems awfully coincidental.
Yeah, right. Here's the all-important asterisk being omitted from Check Point's thinly veiled publicity campaign for its product: A "mobile threat detection and mitigration solution" is already present on practically all of those 900 million Android devices. It's a native part of the Android operating system called Verify Apps, and it's been present in the software since 2012.
Verify Apps scans your device for potentially problematic programs both as you download new apps and continually over time. It'll stop you from installing any app that could compromise your device's security and will also warn you if an existing app starts doing anything suspicious.
Verify Apps is present on every Android device running version 2.3 or higher -- which, according to Google's latest platform measurements, accounts for a whopping 99.9% of active Android devices. And Google has confirmed the system is already watching out for any "Quadrooter"-related mischief -- none of which, it's worth noting, has actually been observed in the real world.
Huh -- wouldya look at that. This shrieking malware monster suddenly isn't so scary.
This is the same ol' story we've been hearing every few months for years now, my friends -- and the parameters are almost always identical: A company that (surprise, surprise) makes its money by selling antivirus software publicizes some Big, Bad Virus™ attacking Android devices. It fails to mention the various reasons why said virus poses little to no practical threat to actual Android users in the real world. Mainstream news sites take the bait and mimic the company's sensational tone while excluding or minimizing the critical context.
The reality, as I've pointed out more times than I can recall, is that Android has had its own built-in multilayered security system for ages now. There's the threat-scanning Verify Apps system we were just discussing. The operating system also automatically monitors for signs of SMS-based scams, and the Chrome Android browser keeps an eye out for any Web-based boogeymen.
On top of that, Google now provides monthly security patches to address vulnerabilities at the OS level (though if reliable and timely ongoing OS updates are really important to you, there's only one type of Android phone you should be buying). That's one layer of the system -- one that's important, to be sure, but one that more often than not provides a secondary path of protection on top of the always-present first-line defense.
I'll leave you with my standard set of questions always worth asking yourself anytime you hear about a new Big, Bad Virus™ lurking outside your window:
- Who's behind the "research" driving this story, and what is their motivation?
- Is this threat related to something I'm likely to download and install, or does it revolve around some weird random app no normal person would ever encounter?
- On the off-chance that I did somehow try to install the trigger, would my phone automatically protect me from anything harmful?
- Has any normal user actually been affected by this in the real world?
I've said it before, and I'll almost certainly say it again: The Android malware monster will never die -- the antivirus software peddlers will make damn good sure of that -- but a little knowledge and a pinch of logic go a long way in making his Big, Bad Virus™ charade less scary.
The real vulnerability we as consumers should be worrying about in these situations is ignorance -- and that's a vulnerability companies like Check Point are preying upon constantly. When it comes to keeping your Android device safe and secure, the most important tools you need are already right in front of you.