Wednesday, June 10, 2015
Android antivirus apps are useless — here’s what to do instead
The scare tactics
The most recent Android malware report comes from Symantec, which says 17% of all Android apps are malware. Shocking and upsetting, right? This is being widely reported as, “1 in 5 Android apps are malware.” These headlines certainly make it seem like your phone is ripe for infection, but the real numbers are much more nuanced.
As is common with these reports, Symantec is sampling the entirety of the Android application ecosystem. That means apps that are hosted in the Google Play Store, and those that live outside it in alternative app markets and direct download sites. It’s not clear from the report, but I’d bet warez/pirated APKs make it into the data as well. The odds that you’ll come across these apps in your journeys are slim.
Symantec has confirmed that only a very small fraction of malware apps are ever spotted in the Play Store, and they are quickly pulled. Google has an automated system that scans incoming apps in the Play Store to watch for malicious behavior. There’s also a human review process in place for anything that looks even a little bit questionable. Google just started doing this a few months ago, mainly as a way to keep copycat apps and obvious scams from slipping through the cracks.
We’ve all been programmed by PC malware, which can sneak onto your system simply because you visited the wrong website with a vulnerable browser. These “drive-by downloads” aren’t feasible on Android without a pre-existing infection. On Android, you have to physically tap on a notification to install an APK downloaded from a source outside the Play Store. Even then there are security settings that need to be manually bypassed.
The solution pushed by AV companies is to install a security suite that manually scans every app, monitors your Web traffic, and so on. These apps tend to be a drain on resources and are generally annoying with plentiful notifications and pop-ups. You probably don’t need to install Lookout, AVG, Symantec/Norton, or any of the other AV apps on Android. Instead, there are some completely reasonable steps you can take that won’t drag down your phone.
What you should do to stay safe
Your first line of defense is to simply not mess around with Android’s default security settings. To get Google certification, each and every phone and tablet comes with “Unknown sources” disabled in the security settings. If you want to sideload an APK downloaded from outside Google Play, all you need to do is check that box. Leaving this disabled keeps you safe from virtually all Android malware, because there’s almost none of it in the Play Store.
There are legitimate reasons to allow unknown sources, though. For example, Amazon’s Appstore client sideloads the apps and games you buy, and many reputable sites re-host official app updates that are rolling out in stages so you don’t have to wait your turn. If you do take advantage of this feature, the first time you do so a box will pop up asking you to allow Google to scan for malicious activity. This is known as Verify Apps and it’s part of Google Play Services on virtually all official Android phones.
Users have been rooting their Android phones ever since the first handsets hit the market, but it’s less common these days, as the platform now offers many of the features people used to root their phones to get. Using rooted Android is basically like running a computer in administrator mode. While it’s possible to run a rooted phone safely, it’s definitely a security risk. Some exploits and malware need root access to function, and are otherwise harmless even if you do somehow install them. If you don’t have a good reason to root your phone or tablet, just don’t open yourself up to that possibility.
Android apps also exist that might not be “malware” per se, but you might not want them on your phone because they snoop through your data. Most people don’t read the permissions for the apps they install, but the Play Store does make all that information available. If you’re worried about privacy, check apps to see if they request things like access to your contacts, SMS sending/receiving, and fine location. If an app has reason to access these modules (like a social networking app), you’re probably fine. If, however, a flashlight app is asking for your contact list, you might want to think again.
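The permission check described above can be automated. The following is an added example, not part of the original article: it reads a permission listing in the style printed by `aapt dump permissions` and flags the sensitive permissions named above when the app's category does not explain them. The category table, the function names and the two sample listings are assumptions made up for illustration.

```python
import re

# The permissions the article names: contacts, SMS sending/receiving, fine location.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "fine location",
}
# Assumption: which sensitive groups each app category plausibly needs.
EXPECTED = {"social": {"contacts", "fine location"}, "flashlight": set()}

# Matches both "uses-permission: name='X'" and the older "uses-permission: X".
USES_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump):
    """Return (package, set of requested permissions) from an aapt-style dump."""
    pkg, perms = None, set()
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkg = line.split(":", 1)[1].strip()
        elif (m := USES_RE.match(line)):
            perms.add(m.group(1))
    return pkg, perms

def unexpected(dump, category):
    """Sensitive permissions the app requests that its category does not explain."""
    pkg, perms = parse_permissions(dump)
    allowed = EXPECTED.get(category, set())  # unknown category: flag everything sensitive
    return pkg, sorted(p for p in perms if p in SENSITIVE and SENSITIVE[p] not in allowed)

# Constructed sample dumps (not from real apps).
FLASHLIGHT_DUMP = """package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
permission: com.example.flashlight.INTERNAL
"""
SOCIAL_DUMP = """package: com.example.social
uses-permission: android.permission.INTERNET
uses-permission: android.permission.READ_CONTACTS
uses-permission-sdk-23: android.permission.SEND_SMS
"""

if __name__ == "__main__":
    for dump, cat in ((FLASHLIGHT_DUMP, "flashlight"), (SOCIAL_DUMP, "social")):
        pkg, flagged = unexpected(dump, cat)
        print(f"{pkg} ({cat}): {', '.join(flagged) or 'nothing unexpected'}")
```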
It really just takes a tiny bit of common sense to avoid Android malware. If you do nothing else, keeping your downloads limited to the Play Store and other 100% trustworthy sources will keep you safe from almost all threats out there. The antivirus apps are at best redundant and at worst a detriment to your system performance.