Android malware — should you be worried?

Malware on Android phones is a pretty sensational subject. If you write about it or talk about it, you'll get plenty of attention from people that are concerned or interested in learning more as well as people who just want to do a little bit of internet trolling in any comments section they can find. That means you'll find plenty of "news" that's playing funny with numbers, only telling part of the story or just confused about the whole thing in an attempt to sensationalize it even more. Scary headlines get clicks, and clicks get money. That's how this business works.

Let's talk about the situation and you can better decide how much you need to worry about your privacy and your phone's security.

There are big numbers, and then there are huge numbers


Some of the scariest things you'll see written about Android malware are the numbers of devices supposedly affected. Even when you get past whatever squirrelly math was used to arrive at them (estimates are easy to inflate), some of the totals you see when a new threat is uncovered can be crazy high. While any number higher than one isn't good, you have to remember a couple of things.

  • There are well over 1,600,000,000 Androids in the wild.
  • Most threats are found in apps from places other than Google Play.

Google says there are about 1.6 billion Android devices. That number isn't right — the real number is even bigger. The way Google counts Android activations is through Google Play. The first time anyone visits Google Play with a new Android, it gets counted as an activation. If you wipe your phone or sell it to someone else, it's not counted again. It's a one-shot deal based on an identifying number embedded in the device.

That means phones that didn't come with Google Play installed aren't accounted for in that 1.6 billion number. And there are a lot of them. Worldwide, there are millions and millions of Android phones and tablets and computers that never get counted as an activation. These two things can help put those malware numbers in perspective.

10 million Android phones are less than 1% of the total.

Using a big scary number like "10,000,000 Android devices at risk" can help visualize things a bit. 10,000,000 devices out of 1,600,000,000 is 0.625%. That means 10 million devices is still less than one percent of the 1.6 billion total. That number is still way too high for my taste, but it's less sensational to say "Less than 1% of Android phones" instead of "10,000,000 Android Phones." You need to remember that both those things are the same.

Back to the activation numbers. The vast majority of malware issues come from people who are getting apps somewhere other than Google Play. You can download and install apps from anywhere on your phone, even if you have access to Google Play, but most people don't, and just use the easy way to get the latest and greatest app or game. What this all means is that the 1.6 billion number is not really the total number of Androids, and the percentage of devices infected with any malware instance is even lower. We don't know exactly how much lower, so we aren't going to guess at a number.

I just want to make sure everyone has an idea of how this all works when you scale the number of activated devices past the billion mark. There is a shit-ton of phones and tablets running Android. More than we know. Malware infections have to have huge numbers to hit anyone's radar.

What is malware, exactly?


Malware is any software on your phone that does something you didn't allow it to do. A lot of people get loose with the term and apply it to crappy apps that do crappy things like spam your notifications or put ads and pop-ups in your browser after you gave them permission to do it. Those apps suck and the people developing them need a swift kick in the groin, but they aren't malware.

The fault lies in the permissions model. Google is too vague when it comes to the wording of what you're agreeing to, and developers who are scumbags will exploit a normal permission and do crummy things with it. When you say it's OK to display ads when you get a free game or app, you didn't mean it's OK to put ads in the notifications or the web browser. Some of the folks writing the Android code know this is an issue, but Google hasn't said anything publicly that they are working on changing it. Let's hope they do.

In the meantime, take a few minutes and read the latest reviews. Mixed in with the obvious shilling and ludicrous nonsense you'll quickly see if an app does anything silly. Nobody who downloaded ES File Explorer before they backed away from their horrible tactics read the comments. Don't be that guy or gal: listen to what other folks are saying and skip that app. And when you read about "malware" that turns out to be nothing more than really shitty ads from a free app, know that this isn't malware at all. It's an unfortunate side effect of a more open policy in Google Play.

But malware is real


I'm not going to try and paint a rosy picture of anything here. Malware for Android exists, and in much higher numbers than many folks are comfortable with. Using the numbers from our example, 0.625% is 0.625% too much. That's why I'm always complaining about big companies who make Android phones and aren't spending enough of their billions in profits to bother updating the software on the phones they sell. Google has programs and entire teams dedicated to finding and fixing exploitable holes in Android. They make the necessary fixes in Android, both for the phones they sell and for the phones other companies build, and deliver them to the companies who build and sell those phones. Not taking advantage of this is silly, and most companies who make Android phones should be ashamed of their track record. Software support is hard, but it's also pretty important, and well worth spending some money on.

Remember, if they made 1.6 billion in profit they could spend 10 million to get security updates out faster, and it would only cut into their profit by 0.625%.

While you're reading a report from a company that makes money by selling you on the idea that you're at risk, and that report cites huge numbers of affected devices, remember to put the numbers in scale, then get a little frustrated because the numbers are still too high. Or let me be frustrated for you. I probably feel enough to cover for a few of you.

What should you do about it?


Here's the real meat of the issue. While you can be concerned about malware on devices in China (or wherever), when it comes to the phone in your hands you can actually do something.

  • Don't be stupid. No sugar-coating here. If you're going to install apps from outside of Google Play, find places that everyone agrees are trustworthy. And if you're trying to save $2 by pirating a paid app from somewhere else, you deserve whatever you get. It sounds cliché, but you really can skip a Starbucks or drink one less beer Friday evening to get the $2. The people who worked hard enough to make an app you want to download deserve to get paid.
  • Look at a company's track record on security updates before you give them money. Samsung, for example, will probably support a phone for two years — but only if you bought one of their high-end models. If you need a budget-friendly phone, buy one from someone else. The only way companies will get better at software support is if it's good for their bottom line.
  • Virus scanners and assorted security apps aren't necessary, but they don't hurt anything. Look for ones that don't do a bunch of extra stuff like fiddle with things to try and free your memory. People ask me which is the best anti-virus app for Android all the time. I have no idea which is the best, but I always recommend Lookout. I know people who worked with the company, and I like the things I hear about the way Lookout handles your data. Past that, I just don't have an answer.
  • Stay informed. Read the comments and reviews for anything you download and install. Read system notifications from the people who made your phone or Google or your carrier. Check the support pages for your phone's software once in a while to make sure you're current. Read Android Central as well as other online publications whenever you see headlines about malware — get several opinions then pick the one that makes the most sense to you.

What you don't need to do is get sucked into the idea that Android as a platform is riddled with malware. It's not true — it just makes money to talk about it.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.