Android malware — should you be worried?

Malware on Android phones is a pretty sensational subject. If you write about it or talk about it, you'll get plenty of attention from people who are concerned or interested in learning more, as well as from people who just want to do a little bit of internet trolling in any comments section they can find. That means you'll find plenty of "news" that's playing funny with numbers, only telling part of the story, or just confused about the whole thing in an attempt to sensationalize it even more. Scary headlines get clicks, and clicks get money. That's how this business works.

Let's talk about the situation and you can better decide how much you need to worry about your privacy and your phone's security.

There are big numbers, and then there are huge numbers

Plenty of phones

Some of the scariest things you'll see written about Android malware are the numbers of devices supposedly affected. Even once you get past whatever squirrelly math was used to reach them (estimates are easy to inflate), the totals you see when a new threat is uncovered can be crazy high. While any number higher than one isn't good, you have to remember a couple of things.

  • There are well over 1,600,000,000 Androids in the wild.
  • Most threats are found in apps from places other than Google Play.

Google says there are about 1.6 billion Android devices. That number isn't right — the real number is even bigger. The way Google counts Android activations is through Google Play. The first time anyone visits Google Play with a new Android, it gets counted as an activation. If you wipe your phone or sell it to someone else, it's not counted again. It's a one-shot deal based on an identifying number embedded in the device.

That means phones that didn't come with Google Play installed aren't accounted for in that 1.6 billion number. And there are a lot of them. Worldwide, there are millions and millions of Android phones and tablets and computers that never get counted as an activation. These two things can help put those malware numbers in perspective.

10 million Android phones are less than 1% of the total.

Using a big scary number like "10,000,000 Android devices at risk" can help visualize things a bit. 10,000,000 devices out of 1,600,000,000 is 0.625%. That means 10 million devices is still less than one percent of the 1.6 billion total. That number is still way too high for my taste, but it's less sensational to say "Less than 1% of Android phones" instead of "10,000,000 Android Phones." You need to remember that both those things are the same.

Back to the activation numbers. The vast majority of malware issues come from people who are getting apps somewhere other than Google Play. You can download and install apps from anywhere on your phone, even if you have access to Google Play, but most people don't, and just use the easy way to get the latest and greatest app or game. What this all means is that the 1.6 billion number is not really the total number of Androids, and the percentage of devices infected with any malware instance is even lower. We don't know exactly how much lower, so we aren't going to guess at a number.

I just want to make sure everyone has an idea of how this all works when you scale the number of activated devices past the billion mark. There is a shit-ton of phones and tablets running Android. More than we know. Malware infections have to have huge numbers to hit anyone's radar.

What is malware, exactly?

AT&T knows better than this

Malware is any software on your phone that does something you didn't allow it to do. A lot of people get loose with the term and apply it to crappy apps that do crappy things like spam your notifications or put ads and pop-ups in your browser after you gave them permission to do it. Those apps suck and the people developing them need a swift kick in the groin, but they aren't malware.

The fault lies in the permissions model. Google is too vague when it comes to the wording of what you're agreeing to, and developers who are scumbags will exploit a normal permission and do crummy things with it. When you say it's OK to display ads when you get a free game or app, you didn't mean it's OK to put ads in the notifications or the web browser. Some of the folks writing the Android code know this is an issue, but Google hasn't said anything publicly that they are working on changing it. Let's hope they do.

In the meantime, take a few minutes and read the latest reviews. Mixed in with the obvious shilling and ludicrous nonsense you'll quickly see if an app does anything silly. Nobody who downloaded ES File Explorer before they backed away from their horrible tactics read the comments. Don't be that guy or gal — listen to what other folks are saying and skip that app. And when you read about "malware" that turns out to be nothing more than really shitty ads from a free app, know that this isn't malware at all. It's an unfortunate side-effect of a more open policy in Google Play.

But malware is real

Google security

I'm not going to try and paint a rosy picture of anything here. Malware for Android exists, and in much higher numbers than many folks are comfortable with. Using the numbers from our example, 0.625% is 0.625% too much. That's why I'm always complaining about big companies who make Android phones and aren't spending enough of their billions in profits to bother updating the software on the phones they sell. Google has programs and entire teams dedicated to finding and fixing exploitable holes in Android. They make the necessary fixes in Android, for the phones they sell as well as for phones built by others, and deliver them to the companies who build and sell those phones. Not taking advantage of this is silly, and most companies who make Android phones should be ashamed of their track record. Software support is hard, but it's also pretty important, and well worth spending some money on.

Remember, if they made 1.6 billion in profit they could spend 10 million to get out security updates faster and it would only cut into their profit by 0.625%.

While you're reading a report from a company that makes money trying to sell you on the idea that you're at risk, and that claims huge numbers of affected devices, remember to put the numbers in scale, then get a little frustrated because the numbers are still too high. Or let me be frustrated for you. I probably feel enough to cover for a few of you.

What should you do about it?

App cash grab?

Here's the real meat of the issue. While you can be concerned about malware on devices in China (or wherever) when it comes to the phone in your hands you can actually do something.

  • Don't be stupid. No sugar-coating here. If you're going to install apps from outside of Google Play, find places that everyone agrees are trustworthy. And if you're trying to save $2 by pirating a paid app from somewhere else, you deserve whatever you get. It sounds cliché, but you really can skip a Starbucks or drink one less beer Friday evening to get the $2. The people who worked hard enough to make an app you want to download deserve to get paid.
  • Look at a company's track record on security updates before you give them money. Samsung, for example, will probably support a phone for two years — but only if you bought one of their high-end models. If you need a budget-friendly phone, buy one from someone else. The only way companies will get better at software support is if it's good for their bottom line.
  • Virus scanners and assorted security apps aren't necessary, but they don't hurt anything. Look for ones that don't do a bunch of extra stuff like fiddle with things to try and free your memory. People ask me which is the best anti-virus app for Android all the time. I have no idea which is the best, but I always recommend Lookout. I know people who worked with the company, and I like the things I hear about the way Lookout handles your data. Past that, I just don't have an answer.
  • Stay informed. Read the comments and reviews for anything you download and install. Read system notifications from the people who made your phone or Google or your carrier. Check the support pages for your phone's software once in a while to make sure you're current. Read Android Central as well as other online publications whenever you see headlines about malware — get several opinions then pick the one that makes the most sense to you.
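One way to act on the "make sure you're current" step above, as an added example that is not code from the article: a small Python check that reads the device's security patch level (the real `ro.build.version.security_patch` property, formatted YYYY-MM-DD) through adb when a phone is attached, falls back to a constructed sample value otherwise, and flags the level as stale past an assumed 90-day threshold.

```python
"""Flag a stale Android security patch level.

Added example, not code from the article. The property name
ro.build.version.security_patch is real (value format YYYY-MM-DD); the
90-day threshold and the fallback sample value are assumptions.
"""
import datetime as dt
import shutil
import subprocess
from typing import Optional

MAX_AGE_DAYS = 90  # assumed threshold: roughly one quarter without a patch


def parse_patch_level(value: str) -> dt.date:
    """Parse 'YYYY-MM-DD' as reported by getprop; raise ValueError otherwise."""
    return dt.date.fromisoformat(value.strip())


def assess(patch_level: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Return the patch level's age in days and whether it exceeds the threshold.

    `today` is an ISO date string so the check is reproducible offline.
    """
    age = (dt.date.fromisoformat(today) - parse_patch_level(patch_level)).days
    return {"patch_level": patch_level.strip(), "age_days": age, "stale": age > max_age_days}


def read_device_patch_level() -> Optional[str]:
    """Read the property from an attached device; None if adb or the device is absent."""
    if shutil.which("adb") is None:
        return None
    try:
        result = subprocess.run(
            ["adb", "shell", "getprop", "ro.build.version.security_patch"],
            capture_output=True, text=True, timeout=15, check=True,
        )
    except (subprocess.SubprocessError, OSError):
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample value, used when no device is attached.
    level = read_device_patch_level() or "2016-01-01"
    print(assess(level, dt.date.today().isoformat()))
```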

What you don't need to do is get sucked into the idea that Android as a platform is riddled with malware. It's not true — it just makes money to talk about it.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • First thing I thought under the "What is Malware" when looking at the above picture... AT&T bloat notifications. Posted via the Android Central App *Yes, just some humor on my part.
  • Same, I saw "what is malware?" And then direct TV. Posted via the Android Central App
  • ES File Explorer, I don't understand that reference. Very informative article, thanks. Posted via the Android Central App
  • IIRC ES File Explorer (which used to be a great app) was bought out by some scummy company that promptly included crapware like Cheetah Clean Master (or something similar) along with a ton of new unnecessary permissions. I can't say if they ever corrected that behavior because I ditched it once they went to that model and have never investigated it again. YMMV.
  • Oh I didn't know about it, I used the free version on my phone and tablets when I switched and then later bought it, though I remember that there were ads in the app as an example of folder or tab. Anyway after paying for that app, those ads went away. Posted via the Android Central App
  • Oh, didn't know that. Thanks Posted via the Android Central App
  • Both ES File Explorer and Clean Master were go to apps before they were acquired by Cheetah Mobile. The worst that happened was you would begin to get full screen ads while using other apps in no way related to those two. You had to uninstall both apps and factory-reset to start fresh when that happened. It's a shocking experience to be reading a book and all of a sudden a full screen ad shows up.
  • I haven't seen the full screen ads. Also, it doesn't seem to be listed as being published by Cheetah Mobile. Just wondering if something changed.
  • "But malware is real". Not really. Never ever seen a real life Android issue. Yet it's rare to find a Windows user that hasn't been affected at one time or another... The reporting is vastly disproportionate
  • Yes, really. Just because you personally have not experienced it, does not mean it is not real. Do you know anything about security? I do. Posted via the Android Central App
  • Wow. That answer was visceral. Did your phone get "infected" (ignoring the sandbox) by something once upon a time? Back when it was on Gingerbread, or less than KitKat? Posted via the Android Central App
  • Benson is absolutely right... My friend runs a computer repair shop and a good part of his business is removing malware from Windows boxes. No one brings in Android phones with malware. You know about security? Cool story bro... I have worked in IT all my life and still waiting to see my first infected Android phone myself. The fact is 99.9% of Android malware is caused by stupid people installing crap apps outside the Play store and probably with root. Malware on Android is a real issue in like China! LOL The key to security is migrating risk which is my Windows PC. I have implemented various layers of security to protect it. My Android Phone? I don't need to do anything to it out of the box. I just research the apps I want to install on it even from the Play store.
  • If you really think that just because you haven't seen it, there is no malware on Android, you're absolutely ignorant. Maybe you should watch some of those recent Edward Snowden interviews, it may open your eyes a bit. The best type of malware is the kind you'd never know about, but it will make your device such that "hackers" can listen to you while you ******* your boyfriend, make it so they can see what you see on the screen, etc. Anyways, the old saying "ignorance is bliss" is more true these days than ever before.
  • It sounds like you don't have the knowledge base to understand what I actually said in my comment but thanks for your input. LOL FYI, don't embarrass yourself on the Internet by calling people names you wouldn't ever say to their face. OK moron?
  • Isn't 99.9% of Windows malware because of stupid, naive users too? Let's be real here. It's just A LOT easier to be stupid with Windows. Posted via the Android Central App
  • Your friend is lying to protect his industry secrets
  • One thing you should mention is, how many Chinese Android devices there are that don't have the Google play store. Because these malware apps are infecting them AFAIK, so you could say that 0% of Android phones in the free world are infected :-)
  • I doubt it is 0% of phones in the free world, but it is a very low percent (0.1 or less, if I had to guess). But even in the free world 0.1% is still a big number.
  • "The people who worked hard enough to make an app you want to download deserve to get paid" This. Stop stealing and pay up!
  • Same with music, movies, TV shows etc. Google Nexus 6P
  • Thanks Jerry. I do worry about it a little. But staying in the playground of Google play is helping me. I don't side load at all. And thanks for something that is not anything to do with Pokemon Go. I'm sick of that already. :-) Posted via the Android Central App
  • Just buy a Priv I'm up to date at the beginning of every month or sooner. #ibelieveinbbry Posted via the Android Central App
  • Except blackberry doesn't tell you why and how it's secure. Posted via the Pokémon Central App
  • It's secure because so few people use it that criminals don't waste their time on it. Google Nexus 6P
  • Doesn't apply to the Priv though. Posted via the Android Central App
  • I think there is a blackberry device that's vulnerable to this as well.... Dtek50 or similar...?
  • This is one of the reasons I'm buying a Priv in my transition from BB10 to Android. BlackBerry's record, so far, of applying security updates apparently rivals even Nexus phones. Posted via Android Central App
  • So got my first Android phone back in April and went for a Vodafone Ultra 6, good phone for the money but nowhere did it say that security patches will not be kept updated; if this had been the case I would not have bought the phone. Still on January's security patch and of course Vodafone don't comment on firmware. Disappointed, so will be saving up for a new phone and do some research about security updates and the best company. Any suggestions, as I can't afford a flagship! Posted via the Android Central App
  • Wait a couple of months for the new smaller Nexus, if you can, although I'm not sure what the cost mark-up is for Nexus devices in Europe. If it works for you, there are your timely updates. Posted via the Android Central App
  • Here is your suggestion (from this same site):
  • Get the Nexus 5x from Carphone Warehouse, currently on sale at £169.00 for the 16gb model. Posted via the Android Central App
  • Not sure about EU, but in the US, most phones don't get regular security patches on a monthly or semi annual basis. In my experience, most get them if & when the phone gets an annual Android update to a new version. Occasionally, VZ might push out a security update, but not often. Posted via the Android Central App
  • Don't waste your time with antivirus apps on Android. They don't work. Android's process sandboxing and hierarchical permission model makes them completely useless. Google Play Services already comes with a built in security scanner that's more effective than any of the suspicious antivirus apps in the Play Store. If you care about security on Android do the following:
    1) Buy a Nexus device. Google is the only Android OEM serious about timely security fixes and OS updates.
    2) Don't install apps outside of the Google Play Store. That's it. You're safe.
  • Also: don't unlock your bootloader and root your phone. Don't get me wrong, I love the ability to tinker and have rooted many phones. But from a security stand point it's a bad idea. Posted via the Android Central App
  • My GS7 has the July security patch. It also has Knox. Get educated.
  • But it will be another ~3 month before you get another security update. Prior Note user chiming in. Samsung is still better than many, however. Posted via the Android Central App
  • While I doubt that will be the case, I hope it is the case. Monthly updates are overkill. It makes me want an iPhone.
  • Great article Jerry. Thank you Posted via the Android Central App
  • Great write up, thanks Jerry. Always wondered though, what happens if a malware/virus app made it to the official Play Store? I know Google will pull it from the store, but what happens to those that already installed it? I know the odds of this happening are almost non-existent, I am just curious if they have built in a remote kill switch or something. Thanks! Posted via the Android Central App
  • If memory serves Google has the ability to remove those apps from infected devices. Posted via the Android Central App
  • It's always nice to have these facts confirmed. Thanks Jerry.
  • I personally use the Lookout app and pay for the premium version. It's the best Antivirus app for Android IMO Posted via the AT&T Note 5
  • Except, the antivirus apps don't really do anything, especially if you keep your phone unrooted and the bootloader locked. It's not anything like a Windows computer. Android is Linux based, and has sandboxing, etc. So, unless you're sideloading shady apps, and rooting, an antivirus won't do much. Posted via the Android Central App
  • I was worried about the HummingBad and immediately downloaded Avast just to get that peace of mind. A few days ago my friend recommended that I download a Chinese video app from the Web and I have to disable trust apps outside of Google Play to install it. I didn't do that. Had a bad experience the last time I installed a Chinese app. It hijacked my lockscreen with an ad. Posted via the Android Central App on G4
  • You should only ever check that setting if you are doing one of the following:
    1. Using the Amazon App Store
    2. Downloading an app directly from the developer (i.e. for beta releases... and even this you really shouldn't need to do anymore since Google Play supports beta testing apps.) Posted via the Android Central App
  • You also need to be aware of grey market resellers. A while back, Kogan (an Australian online store) was selling OnePlus 2s that were preloaded with malware (meaning it would be reinstalled whenever you did a factory reset). Last I checked, it was still unclear where the devices came from and if any other devices were also preloaded with malware. Posted via my Nexus 5X or Pixel C
  • On the topic of security patches. Not all of us here really care too much about them, but I still think device OEMs should at least release them in a timely manner, because having a positive rep for releasing timely security updates is going to look better for the company as a whole. I only know a few phones that receive timely security patches. That includes the Nexus, BB PRIV, and a fair range of Samsung Galaxy devices. But what's surprising about the latter is that even a fair bit of their non-flagship devices get timely security patches.
  • The waters get even muddier when you factor in carrier-specific versions of the same phone (something that really shouldn't exist in the first place).
  • LG has been doing pretty well with their flagship phones lately too. Posted via the Android Central App
  • The problem with AntiVirus for Android is not that there isn't much for it to do, but that there isn't much it can do. Even if the danger of getting malware was much higher, these Android AV apps can only scan the names of installed apps. They can't install file system filter drivers, they can't look for malicious processes, or stop malicious apps from running. Some of the built in security of Android (sandboxing, permissions, etc) work against them.
    I'm surprised that no one ever mentions social engineering in browser pop ups that tricks people into installing malicious apps. I've seen two phones that were compromised this way. These folks might well never go outside of the Play Store, but are tricked into installing a bad app on their own phone.
  • If you are going to use an antivirus product, Lookout should not be your choice. Sophos, on the other hand has a spotless record of malware detection. In's testing, they have had a 100% detection for the past 6 tests, with over 20,000 malware samples used. And no useless cache cleaners or memory boosts Posted via the Android Central App
  • Part of the blame lies on developers who release region locked apps. People will want these apps anyway and will start looking for the APKs, and that's where they risk getting infected.
  • VPN is the safe alternative to bypassing region locks. Or start a publicity campaign to shame the company into removing the lock. Posted via the Android Central App
  • There is usually a reason, and solid reasons a developer may region lock an app, especially over legal, licensing, localization, and other issues. Posted via the Android Central App
  • I agree that the only places you should download any apps from is from Google Play, Amazon's Appstore or a company's trusted website (like Samsung) which usually will re-direct you back to the Google Play Store anyway. But there are some seriously slick developers that will put malicious apps in the official appstores, so be careful. Look at the permission list. A flashlight app shouldn't need access to your gallery or phone log. Just some vigilant attention on your part and tips from this site will go a long way to help. Posted From my Verizon Galaxy Note Edge via the Android Central App... And Don't Eat The Yellow Snow!
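The permission review this commenter describes ("a flashlight app shouldn't need access to your gallery or phone log"), as an added example that is not the commenter's or Android Central's code: it parses the listing that `aapt dump permissions <apk>` prints and reports the sensitive permissions a given kind of app has no plausible need for. The sample dump and the per-category expectations are constructed assumptions for illustration.

```python
"""Compare an APK's requested permissions against what its kind of app needs.

Added example, not from the article or its comments. Parses the text that
`aapt dump permissions <apk>` prints (both the older "uses-permission: NAME"
and the newer "uses-permission: name='NAME'" forms). The sample dump and the
expectations per app category are constructed for illustration.
"""
import re
from typing import Dict, List, Set

# Real android.permission names; the plain-language labels are ours.
SENSITIVE: Dict[str, str] = {
    "android.permission.READ_CALL_LOG": "phone log",
    "android.permission.WRITE_CALL_LOG": "phone log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "gallery / storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "gallery / storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# Assumed: the sensitive permissions each kind of app can justify. Anything
# sensitive outside this set deserves a closer look before installing.
EXPECTED: Dict[str, Set[str]] = {
    # assumed: older flashlight apps drove the LED through the camera API
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {"android.permission.READ_SMS", "android.permission.READ_CONTACTS"},
}

_LINE = re.compile(r"^\s*uses-permission:\s*(?:name=')?([\w.]+)'?")


def parse_aapt_permissions(dump: str) -> Set[str]:
    """Collect every permission name from an `aapt dump permissions` listing."""
    found: Set[str] = set()
    for line in dump.splitlines():
        match = _LINE.match(line)
        if match:
            found.add(match.group(1))
    return found


def review(dump: str, category: str) -> List[str]:
    """Return findings for sensitive permissions the category does not justify."""
    allowed = EXPECTED.get(category, set())
    findings = []
    for perm in sorted(parse_aapt_permissions(dump)):
        if perm in SENSITIVE and perm not in allowed:
            findings.append(f"{perm} ({SENSITIVE[perm]}) is not needed by a {category} app")
    return findings


# Constructed sample mimicking aapt's output for a dubious flashlight app.
SAMPLE_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: android.permission.READ_EXTERNAL_STORAGE
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_DUMP, "flashlight"):
        print(finding)
```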
  • And Apk Mirror Posted from my Moto X 2nd gen and my Nexus 9 both on Android Marshmallow
  • Nice article. Posted via the Android Central App
  • "it just makes money to talk about it." Honestly, that is not the case. You see, there are TONS of Android device owners out there. So, you would think that they would cater to that audience by writing articles on, I don't know, devices, platforms, manufacturers, apps etc. But instead, they spend 70% of their time covering iOS, and the little time that they dedicate to Android, it is negative stuff like security, fragmentation, piracy, infringement lawsuits, OEMs losing money, alleged tensions between Google and OEMs etc. and how this development from Apple or that development from Microsoft is going to knock Android off the map and return Google to its rightful place, which is developing software and services for Apple and Microsoft products. But especially Apple ones. Why is this? Because most tech writers have been longtime Apple guys, and were before the iPhone and even the iPod. Apple is the platform that they have long known and liked and is the platform that they want to see succeed. As for Microsoft: they tolerate it because of their longevity and success. But Google and Android? It is neither a platform that they like and use, or a platform that they have to grudgingly respect because it has been around since the 1970s and nearly every enterprise/professional user on the planet used it almost exclusively for 20 years. They see Android as not merely inferior tech behind a bunch of bad products, but as a squatter, a usurper, and wish that it would just go away so they can go back to just covering Microsoft and Apple and ignoring everyone else just like they could in the good ole days before 2008. So even though they would make more money by covering Android and tapping into the hundreds of millions of people who want more information on their devices, it is money that they would rather not have.
    They really would honestly devote their time to writing about Apple mobile devices, Windows PCs, the occasional article about servers and other back end stuff so that they can pretend to actually know something about the technology that they were writing about, and call it a day. Android doesn't allow them to do that, and so it infuriates them.
  • It is all about the clicks. Trust me as an Apple user we see the exact same bullshit written about Apple. Every year there are tons and tons of articles talking about Apple being doomed and yet Apple continues to take in over 90% of mobile profits. Every year you see articles talking about malware/fragmentation with Android and yet billions of people still use it. Don't try and blame this on anything other than click bait bullshit.
  • The only bit of Cheetah Mobile I have left in my phone and tablet is the launcher ... I remember there being lots of bloatware in Cheetah Mobile at large !!! Posted via the Android Central App
  • That's why I've bought an unlocked international variant - I get the monthly security updates ... monthly. Also, anti virus apps are a waste of time. Note 4 910C 6.0.1 | Good Lock UI | Android Central App
  • Yes, most of this malware scare mongering is done by these "security" companies who, of course, have an app to keep you safe (for just $25/year)...