
Recently we've seen AVG, an Android "security" app marking other applications as malware when they aren't. That's called a false positive, and it's a fairly common occurrence. When it happens to a popular app, it always causes confusion and gets everybody unnecessarily stressed out. This time it also got us thinking -- do people really need to run any type of Android malware scanner, and are they doing more harm than good?

Android malware certainly exists. We take issue with the way it gets reported sometimes, as sensationalism draws focus away from real issues, but we're not foolish enough to pretend that people aren't writing apps designed to cause trouble. But who needs to worry about this sort of thing, and how to stay safe, are things that need to be discussed. That's what we're going to try to do today, in real-talk that everyone can understand. Let's get started.

What is malware?

When you read the description of an application to see what it is supposed to do, that's all it is supposed to do. If the app does something different or something unadvertised, we call it malware. This is a pretty broad brush, and often folks don't bother to read just what an application can do, only to cry foul later. We understand that the list of permissions is often difficult to understand, and Google is trying to make them a bit clearer, but they are there for a reason. Whether we read them and click OK, or just skip past them, we have given the app permission to do everything listed.

When an application tries to get access to something you haven't authorized it to do, it's malware. No code is bug free, and people are skilled at writing other apps that take advantage of those bugs. 

What isn't malware?

Applications that do things like overwrite or modify system settings or preferences because that is their purpose are not malware. Apps that put spammy notifications for garbage you don't want in your system notification bar are not malware if you OK'd the ads. Apps that track your location, or read your contact information, or intercept your browser data after declaring permission to do so are not malware.

Basically, an app that does what it says it is going to do, or only does things that you gave it permission to do, isn't malware. It might be a crummy app designed to trick you or track you to gather information, but it isn't malware.

Why does it matter? 

Frankly, I don't care what people think about an application that puts unwanted ads in my notification bar, or tracks the things I search for to boost the value of their ad network. I will lose no sleep if everyone thinks those apps are bad, and tells all their friends not to install them. Hopefully, that will get the developers thinking about new ways to monetize that don't put links in my notification bar or tell some company that I buy my underwear at Target.

On the other hand, some apps are quite clever and can modify the way our devices operate by design. I'll not name any names, because I want to remain unbiased, but I'll bet most of us have a favorite app that does something like change our sound settings, or add in some quick toggles, or has some other behavior that affects the system. Developers who use their skill and knowledge of Android to build these types of apps are awesome.

But, as explained above, neither of these cases is necessarily malware. When an Android security application hits one with a false positive, it isn't doing anyone a service. It confuses the matter. I imagine most of us have seen false positives in Windows from some sort of software we downloaded. Keygens, cracks, or dll files included in a torrent often hit as malware because they exhibit behavior that looks suspicious. When we tell our Windows virus scanner to ignore those, we always have second thoughts and hope we did the right thing.

The same goes for Android. We know Google Play Movies and TV isn't malware, even if AVG tells us it is. But what about a cool app you've seen a friend use, from a developer you've never heard of? How do we decide when to trust a malware scanner and when not to -- especially when they've been proven wrong a few times? We can't. We roll the dice and go with our gut, making the app unnecessary.

Who needs a malware scanner, and who doesn't

Time for that real-talk kind of talk. If you like to visit places where you can pirate paid apps, you need a malware scanner. Nothing in life is free, so you get to spend time researching all the false positives or unzipping applications to see what's inside instead of spending $0.99 on the application. Don't trust the fellow who uploaded it when he says it's "virus-free" and scan every single application you download. You will get hit with malware eventually, as the folks writing it are faster than any Android security companies when it comes to updating, and you'll end up installing malware that the scanners haven't learned yet. I still can't condone stealing a buck from a developer, and think you should actually pay for your apps, but if you're gonna steal at least do it safely.

If you only download apps from Google Play or Amazon, you do not need to use a malware scanner. Amazon checks every app before they host it, and Google uses the bouncer to actively scan the hundreds of thousands of apps in the Play store. From either store, apps will only be able to do what you gave them permission to do. When apps are new on Google Play, they may not have been scanned yet. Wait a few days or read the reviews if you just have to get it right away. Doing so will keep you safe, and you'll not need a third party application that may confuse you in the end.

It's also worth mentioning that Google is ramping things up here, and with Android 4.2 comes an on-device scanner. The first time you go to sideload an app you'll see it in action, and it scans each and every application you sideload after that if you told it to. If your phone is running 4.2, you have that extra layer of protection without any extra fuss. 

Conclusion

We don't want to try to tell you what to do with your Android device. If you want to use any of the popular malware scanners, by all means do so. But never count on them to be right, and be careful if you sideload apps. You might even want to use one for other features like device tracking or remote wipe; some are pretty good at it. But always remember -- a false positive is an issue with your virus scanner and not the application it scanned. Reserve your bad application reviews for the right people.

 
There are 29 comments

If you are stealing an app and get Malware... I don't feel bad for you.
Thanks for the breakdown Jerry!

mwara244 says:

I download a few things from XDA, like the new GWallet apk, because I don't want to root my Nexus, and I just like stock Android by itself, but love a lot of options too. Should I be scanning sites like AC forums, where I DL-ed a Gwallet apk, and xda, and other sites I assumed trusted? I'm a vzw Nexus owner in contract till next January, but may have to learn how to root and rom since vzw has stopped updates being 4 updates behind now.

movielover76 says:

I think you're probably safer on XDA than the AC forum. Just because there are so many knowledgeable people there, that any malware uploaded to XDA would quickly be found out.
I generally trust XDA and don't use a malware scanner, though technically speaking it is a 3rd party site and it's possible to get malware from there. AC Forums are probably a little better than most 3rd party sites, especially the pirate ones. But I myself would be more leery of installing apks from here.

One way to be safer on XDA if you go the custom rom route is to find well known and trusted developers, who create a lot of roms. It will actually benefit you in two ways: their roms are generally speaking higher quality and more stable, and you're safer from malware.

Metallinatus says:

OK, I will trust you and uninstall Avast from my phone then ´-´
It has never found any malware on my phone anyway.....

wonkman says:

I was just about to post the same thing but I'm leaving it on as it doesn't seem to impact system resources. Mine never found anything either.

icebike says:

I've never seen a single published account of any malware scanner on Android ever detecting malware in the wild.

Lab test cases, maybe. But any malware that sneaks into the Play store also sneaks right by these scanners.

I run lookout for the phone finding feature. I don't for a minute believe it will catch malware.

VAVA Mk2 says:

Yeah I too had my whole phone come out as a false positive by Avast a few weeks back. Was a pain in the ass. Strangely it stopped doing that after I cleared the app data and restarted the app.

moosc says:

And tomorrow morning some will get a new android product and post asking which security app to use. Endless circle

return_0 says:

BREAKING: Jerry buys his underwear at Target. Target's stock skyrockets 130%. Walmart sees a 60% drop in its stock.

Metallinatus says:

LOL.....

biln says:

Wow, this was informative. Use a malware scanner if you want to. If you don't want to then don't use one. And you can get malware from pirated apps. Must be a slow news day.

TheDu9du says:

Maybe maybe, but good article nonetheless

wpavlik2 says:

I agree.
Don't load "Warze" on your phone and you will be fine.
I had not thought about running Lookout for the phone finding feature. Sprint has their own app that will do phone finding.
I'm not running a scanner on my phone.

TheDu9du says:

Yes!!! Just the info I needed I'm buying target stocks as we speak!!
BUY!
BUY!!
BUY!!!

ads says:

While I appreciate your effort to keep this simple and educate, and that one can be made to worry about harmless things, you do either oversimplify significantly or don't understand what target rich environments are. As well, the explanation of permissions supplied is weak, and the supposition that if one accepts the permissions you've accepted the risk, while true, is unhelpful. I'm not an expert but have significant experience of permissions in operating systems, including unix, however, Android permissions are again, poorly explained, and more complex in general.

The number of apps that ask for permissions they don't need to do the basic function they advertise they do are ubiquitous. A rare few explain WHY they need the permissions they require, and often, they do NOT need permissions they have. I don't want an app like keyring having access to my phone or contacts, much of anything really. They or others can cite "richness of experience" or other nonsense, but all I want is a way to organize the cards. I now use quomai for this reason.

But honestly, few folks even have my understanding of what is needed for the function they want to desire. YOU may not care about ads or tracking, but someone who has had their personal info mismanaged probably feels differently.

I hope you realize that hackers go for the biggest bang for the buck. As phones become even more prevalent than home computers, they WILL in fact go after Android and iPhones more so than Windows based computers, the target rich environment from the past. To continue to tell folks not to worry too much simply isn't the best advice. A HUGE opportunity exists for a firm to deeply explain what perms are truly required to provide a given function and to "certify" them as only using what is needed. A significant opportunity exists for app developers to allow me to turn off their "feature rich" crap, and associated perms, I don't care to use. Again, keyring is a good example. I don't mean to pick on them alone, the number that have perms they don't require to do what most folks want out of them is endless. And you know this.

ADS

icebike says:

I agree that apps request too many permissions.

I think Google has to hand control back to the user, and allow you to deny any permission you don't want it to have.

We also need much finer grained control of permissions.

If the app fails when I cut off its permission to access contacts, fine. I'll find a different app.

The take it or leave it model clearly isn't working for the end user.

quibbles says:

I agree denying individual permissions would be ideal, but what would happen? Any free app that required internet access to download adverts would have that permission denied. The app still works, but the ads don't show. The app could refuse to run without internet access, but that means it becomes useless once you can't get a signal. Perhaps it would mean fewer ad-funded apps, and more paid apps.

Google could allow denying a subset of permissions - access to contacts, writing to the sdcard, making phone calls, sending texts, reading account info etc. When you download an app you know the sort of things it might require, so anything beyond that could be turned off. You could turn off those sets of permissions in the system settings, but turn them back on for individual apps that ask for it when you install.

For internet access, the permission could display the URLs it is allowed to connect to, so you can decide if you want to install.

Apps already have to be written to fail gracefully when internet access or gps is not available. There's no reason why they cannot also handle every other permission being denied.

I agree that apps should request the fewest permissions they can and should explain why they need all the ones they do.

Google may not have handed that control back to the user, but there are products (I use LBE Privacy Guard, based upon a recommendation here some months back) that allow control over which permissions a given app may actually use. There's no good reason for most apps to have access to my contacts, phone ID or call logs, for example, so I can selectively deny any or all of those as desired. This allows me to be much more granular in granting permissions to the apps I would like to use, rather than having to hunt for an app that limits itself to the permissions I'd prefer but is suboptimal in other ways.

This process, of course, requires root, which comes with its own set of potential security issues, but the system as currently configured is both functional and intuitive for me. Others can mix and match to come up with a setup that is similarly functional and intuitive for them.

movielover76 says:

But if they list it in the permissions, it's not malware. So a malware scanner still wouldn't catch it. Also I think Google would be the best at scanning apps for malware, they invented the system and maintain the app store. I'm not questioning the fact that Android is a huge malware target, just whether a malware scanner improves the situation when you exclusively use Google Play.

Arallu says:

I agree about a huge opportunity for someone to come along and certify some of these apps. I can't count the number of times I've seen some article here or there showing off their best of or 'popular' apps, only to then check out the permissions and see stuff way above what is needed for an app to do its intended job and no explanation in sight.
Oh but it has such a pretty UI or feels buttery and works so well and it's free too!! (But don't look at the man behind the curtain over there, he's just tracking wherever you go and reading your contacts & phone data...)

Voliam says:

To suggest that malware apps are unnecessary is irresponsible. As others have stated, malware will become a significant problem, just as it did with the proliferation of PCs.
I read an article just yesterday of two apps in the Play Store that included malware. Waiting a couple of days to install them is like saying wait until traffic is light so you don't have to wear a seatbelt.
If a false positive is detected, exercise due diligence and research it. I can't imagine any app so necessary that risking infection outweighs its usefulness.
I'm going to wash my hands now...

Gekko says:

Lookout works. It found and alerted me to "Secret SMS Replicator" on my phone when I purposely installed it as a test. If someone would surreptitiously install a spy app like this - I would probably never know about it without a scanner app like Lookout. That's enough for me. And the "Find My Phone" feature is a plus.

Donmeister85 says:

If you're stealin' paid apps I feel bad for ya son,
You got 99 problems and malware's just one.

wpavlik2 says:

I believe we have a winnah!

JobiWan144 says:

I use Lookout, but mainly for the secondary features like fund my device.

GreyRogue says:

"...features like fund my device."

Hot diggity, just the feature I've been looking for! brb, downloading Lookout... ;)

zeroality says:

Incredible article! Convinced me to uninstall Avast since I stick with Google Play and my Nexus is much faster now. Thanks a lot Jerry!

Can anyone here actually prove they have malware on their phone?

msxDr0id says:

You can vastly improve avast! - then your Android device performance - by disabling the on-access scanner.
The malware type found in Android these days isn't the type of contiguous one so you should be safe doing a *previous* scan of the APK you want to install.