Before you panic: 6 things to remember about Android security

The next Android security scare will seem a lot less scary with these six critical facts in mind.

Android security sure can seem like a scary subject.

And it's no wonder: Every few weeks, we see some new hair-raising headline about how our phones are almost certain to be possessed by demons that'll steal our data, eat our ice cream, and pinch our tenders when we least expect it.

This week, it's a series of Android malware monsters known as "ViperRat" and "Desert Scorpion" that has phone-holders everywhere trembling in their bootsies. (Kudos to whoever came up with those spooky-sounding names, by the way. It's an art!) Last week, it was word that Android device-makers might be skipping security updates that had our hands a-shakin'.

These sorts of stories can certainly be disconcerting (especially that second one, which is less about the typical malware, directly, and more about a potential act of deception — "potential" being the key word for now, though). But you know what? From a regular user's perspective, these electrifying tales are almost never cause for alarm.

Before the inevitable next Android security scare comes along, take a moment to refresh yourself on six security facts that'll help you breathe a little easier and leave the hyperventilating for something that actually deserves it.

1. Android malware can't magically install itself on your phone

When we talk about "malware," most people envision a plague-like force that finds its way onto your phone and then sneakily undermines you. But guess what? Even in a worst-case scenario on Android, that just isn't how things work.

In order for something to "take over" your Android device — or do much of anything, really — you'd first have to manually install it and then grant it access to any relevant permissions. Most of the talk about malware on Android relies on the assumption that the user has done both of those things, be it intentionally or via manipulation. But that's a pretty big assumption to make.

2. Even if it is somehow installed, Android malware is highly unlikely to be able to access any sensitive data

Android works with a system of sandboxing that keeps each app separate from other areas of the device and limits the ways in which it can go beyond those barriers. On enterprise devices, an additional fence is in place to keep personal and company data isolated.

According to Android's recently departed security director (whom I interviewed for a story late last year), the vast majority of active Android malware revolves around attempts to make money by abusing advertising, engaging in botnet-like behavior, utilizing clickfraud, or conducting SMS spoofing. Google's latest Android Security Year In Review report, which came out just last month, presents a similar conclusion based on all of Google's internal data from the past year.

To put it in simpler terms, Android malware is mostly the terrain of low-level pickpockets who pounce on easy opportunities to snag dangling dollars — usually indirectly, at that — and not sophisticated identity thieves who infiltrate their victims' lives.

3. Android security has multiple layers

Hearing that your phone might not have the most recent Android security patch is upsetting — and it should be. Android's monthly security patches absolutely do matter. But they're also a single part of a much bigger Android security picture, one in which no single layer by itself is typically a make-or-break element.

Much of Android's security is at its core, with factors like the aforementioned sandboxing along with the platform's permissions system, encryption system, and Verified Boot system. These are the types of areas we see improve with OS updates each year (like with Oreo in 2017 and Android P now — a perfect example, as I've said before, of why OS updates unequivocally matter). Even by themselves, they make most types of truly damaging "infections" incredibly difficult to achieve.

Then there's Google Play Protect, which continuously scans the Play Store and your actual device for signs of suspicious behavior (and remains active and up to date independently, without the need for any manufacturer- or carrier-provided rollouts). And yes, that system does occasionally fail, but (a) that happens far less frequently than Android security headlines would lead you to believe — more on that in a moment — and (b) such constant challenging and adaption is an inevitable part of any security system.

Beyond that, Chrome on Android keeps an eye out for any website-based threats, and Android itself monitors for signs of SMS-based scams and warns you if any such signals are detected.

All combined, that brings us to our next point:

4. Your odds of actually encountering Android malware in the real world are almost laughably low

I've often said that Android malware tends to be more theoretical than practical, and it's true: Most Android security scare stories fail to take into account all the layers of protection mentioned above and the fact that few, if any, regular people are actually in danger from whatever new threat happens to have come along.

There are examples upon examples of this, year after year. And there's a reason, as we'll get into next.

First, for perspective: Based on Google's 2017 data, the probability of downloading a "potentially harmful app" from the Play Store is about 0.02%. Less than a tenth of a percent of active Android devices worldwide encountered such a scenario last year. Even for the minority of folks who download apps from sources outside of the Play Store, we're looking at 0.82% of all devices, globally, being affected by any "potentially harmful app" over the last year.

And don't forget, too, what we're actually talking about when we discuss these types of apps — things like the "Gaiaphish" family of malware, which made up the majority of the titles in the most-observed category of "potentially harmful apps" from Google's 2017 report. What does the "Gaiaphish" family do, you might wonder? It "uses Google account authentication tokens on Android devices to fraudulently manipulate parts of Google Play, such as star ratings or comments."

THE HORROR.

5. Spreading fear over Android malware is serious business

Whenever you see a story about some scary-sounding new Android security threat, take a moment to cross-reference the name of the company behind the research. With rare exception, you'll find it's a company that makes its money by selling — yup, you guessed it — security software for Android.

That's not to say you shouldn't believe anything the company says because of that, but you absolutely should consider the firm's motivation as part of the context. All of these companies work tirelessly to market security scares on Android because, quite simply, keeping people convinced that Android is scary is what keeps them in business.

That's also why their marketing campaigns (and that's ultimately what they are) consistently overplay the risks involved with a threat while downplaying the layers of protection already in place to combat it — layers that, in most scenarios, make the threats of little real-world concern for the vast majority of Android users.

6. Your own common sense goes a long way in keeping you protected

All else aside, basic security hygiene is worth a heck of a lot when it comes to Android security.

Look at something before you download it, especially if it's something you haven't heard of anywhere else and that isn't from an obviously reputable source. Look at the reviews. Look at the permissions the app asks for and think about whether they make sense — and whether you're comfortable providing them. Click the name of the developer and see what else they've created.

Unless you really know what you're doing, don't download apps from random websites or other unestablished third-party sources. Don't accept requests for permissions without understanding what they're asking. And if you ever see a prompt asking you to install something you don't recognize, don't authorize it.

I've said it before, and I'll say it again: With all due respect to the dodos of the world, it doesn't take a rocket scientist to stick with reputable-looking apps and avoid questionable creations.

Bonus: 4 questions to ask every time you see an Android security story

I'll end with a short series of questions I came up with a while back to help evaluate any Android security story. The questions are incredibly effective and will save you countless hours of undue stress.

Ready?

  1. Who's behind the "research" driving this story, and what is their motivation?
  2. Is this threat related to something I'm likely to download and install, or does it revolve around some weird random app no normal person would ever encounter?
  3. On the off-chance that I did somehow install the trigger, would my phone automatically protect me from anything harmful?
  4. Has any normal user actually been affected by this in the real world?

Think through those questions carefully — and make sure you're always keeping up with your own Android security hygiene — and you'll find there's rarely a reason to exert much energy, no matter how much huffing and puffing the latest Android malware monster may attempt.
