Android malware is still a huge issue, but that doesn't mean Android is unsafe

Malware scanner apps (Image credit: Jerry Hildenbrand / Android Central)

It seems like every week a group of security researchers finds another exploit that can be used by bad people to do bad things on an Android device. It's a real problem that does exist, and when it comes to mobile device malware, Android is where you'll find most of it.

Android is a target because app distribution is easier and there are so many Android devices.

There's a reason for that. I'm going to ignore plenty of decent phone operating systems and focus on the two that make up the vast majority of what runs on the phones people buy every day — Android and iOS. A quick glance at both shows two systems slowly drifting to a point where they look and act the same, with the same apps, and the same services you can use. But there is a fundamental difference when it comes to installing apps and granting permissions.

Unless you want to jailbreak an iPhone, the only way to get apps is from the App Store. To get an app in the App Store, a developer has to follow some very strict rules, submit their work to Apple, then wait for the approval. Only then can the app appear for you to install. Yes, there have been instances of malware slipping through, but they are few and far between.


Compare this to Android. With a simple tap of a button, you can install apps from anywhere by sideloading them. Google does police its Play Store, but not every app is pored over by hand during a lengthy approval process — Google has AI that does much of the scanning. When a bad app is found — and plenty are — it's unpublished quickly, and if Google thinks the intent was malicious, the developer's account is suspended. If actual malware that tries to harvest your data is found, Google can also remotely uninstall or disable the app from your phone, which it has done on a few occasions.

Google Play Store (Image credit: Android Central)

This open versus closed model isn't ever going to go away, and it will always be easier to distribute malware-infested apps on the Android platform. Security researchers will always find new ways that bad actors try to game the system, as will Google. Simply put, Android is the target because there are so many Android phones and it's so much easier to get a bad app installed on some of them.

100,000 is a lot but it's only 0.0000005% of Android devices.

But how many is "a lot?" Some analysts and malware prevention companies will try to sensationalize the issue because that gets clicks. Others will use the malware issue to try to sell you a product or a service. It may be a really great product or service, but developers will still capitalize when news breaks of a new set of apps with malware. Others just ignore it or claim it doesn't exist, but they are wrong.

The numbers don't lie, though. We see headlines saying 50,000 phones downloaded malware before it got caught, or 100,000, or even a million. Even one instance is too many for anyone who enjoys using the open platform or for the people who work on securing Android against malware. But most times those big numbers don't tell the whole story.

Percentage Results (Image credit: Percentagecal)

There are over two billion active Android devices in the wild. Let's say a malware developer was crafty enough to get 20,000,000 (twenty million) phones infected. That's never going to happen, but if it did, that's less than one percent of Android devices. A more realistic "major" malware outbreak would have 100,000 infected devices, which amounts to less than 0.0000005% of active Android devices. Here's an even better way of reckoning those last numbers: this is about the same odds as winning at Powerball.

Malware doesn't install itself. Read those pop-up boxes before you click "yes".

Since you're reading an article about Android malware, your chances are even smaller because you're about to get some friendly advice: only download apps from Google Play and read the permission dialogs before you click the "yes" button. If they sound fishy, don't install anything until you do a quick web search that answers any questions you might have. Malware can't install itself and depends on us to let it work. If you follow these two simple rules, it's impossible for you to install malware on your device.

Malware that targets Android is never going to go away, and every single operating system is vulnerable to some form of malware. Android's numbers are higher than average for the same reason Windows numbers are: bad actors target what's popular. But the issue hasn't reached the hand-wringing point some headlines suggest, and it's doubtful it ever will.

Jerry Hildenbrand
Senior Editor — Google Ecosystem