Are Android phones 'safe' from viruses & for banking?
Best answer: Yes. Almost every modern Android phone gets security updates to halt most major types of remote exploits. Google and the company that makes your phone have done a lot of work to make Android as safe as it can be, too.
- Google's latest: Pixel 4 XL (opens in new tab) ($800 at Amazon)
- Protected by Knox: Samsung Galaxy S10+ (opens in new tab) ($790 at Amazon)
Android phones have always had a terrible reputation when it comes to security. In the early days, it might have been warranted because manufacturers made hundreds of models and never cared about updating any of them. When you combine this with those same manufacturers not really following any sort of best practices when it comes to online security, there will be people who get hit with malware.
Google wasn't that great at things ten years ago, either. The company knew how to harden a server and protect both the hardware and the data it holds from intrusion and hacking, but phones were a whole different ball game because of one thing: users.
When you have phones that probably aren't secured as well as they could be and users who will do the unpredictable, it's a recipe for disaster.
Thankfully, that large scale disaster never really happened, and we've come a long way since the early "wild west" days of Android phones. And yes, your phone is probably safe from viruses, and you can feel good about online banking while using it in 2020.
How Google and Android have changed
Did you know Google has an entire team dedicated to Android's security? These are the people who trawl through online forums looking for new ways to attack the phones we use, get bulletins from other companies that exist to find security vulnerabilities on Android phones, then work tirelessly to get it fixed.
There is no such thing as a virus for Android. Because of the permission model and how apps are sandboxed, any software can't just replicate itself and then automatically transfer a copy to another device. That's what a virus does, just like it does inside the human body.
When people say a virus, they usually mean malware of some sort. Malware can be relatively benign, like giving your location history to an advertisement company, or it can be downright dangerous and do things like try to break your phone's security by rooting it or sending your keystrokes off to some offshore server. Malware is bad news.
We hear about malware that ended up being installed 50,000 times or so from the Play Store before Google's Safety Net caught it and wiped it out, but that only sounds like a huge number because there are over two billion Android devices in use right now. 50,000 is a drop in the bucket, but that's little condolence for someone who ended up getting it installed.
Malware can also come from a webpage. We've probably all seen pop-up messages telling us to download and install this thing when we visit a webpage, and if you do, chances are you're not going to like what you just put on your phone.
These are serious issues that every company writing an operating system has to deal with. What Google has done is tighten up how any app — whether it's one you wanted to install or some random thing that piggy-backed on it — can access the rest of your phone. By default, an app only gets access to its own folder and has no idea what other files and folders exist. That's why you see those dialog boxes asking for permission to access your photos or call logs and what-not.
The problem is that most apps need some sort of extra permissions to work, so that means it's up to the user to figure out which ones to grant and which ones to deny. That's no good, and Google knows it. Google scans your phone every day using the same scanning algorithms it uses for the Play Store. Even if you installed something bad and then granted it permission to do bad things, Google is going to stop it from keeping on and let you know it found something awful.
To block the really bad stuff, Google uses a verified boot process and manufacturers lock the bootloader. In other words, if the operating system has been tampered with, your phone won't start and you're directed to either call the manufacturer or erase everything and download a good copy to start fresh.
What the companies making phones do
Google rounds up all the known security vulnerabilities that it patched every month and sends out a fix. The fix for Pixel phones comes out the first week of every month (always by the 5th), but the fixes have been sent out to the other companies that make phones about 60 days earlier. Those companies are free to incorporate the fixes and send out a patch as soon as possible.
We've seen that more than a few times, too. Samsung or OnePlus, or even BlackBerry will sometimes get a patch out before Google does, and that's great. It means those companies spent those 60 days the right way and want to keep you protected from the latest exploits that can wreck things on your phone.
In 2020, almost every phone gets an update or two, along with scheduled security updates. In a perfect world, security updates would come daily; if you use a Linux distro on a PC, you know that they can and do. But even a quarterly update is good enough to keep you safe from any real dangers because of the other fixes Google has done to Android to rope everything in.
On the flip side, some companies like Samsung go the extra mile and provide an extra level of security like Knox. Most casual users hated Knox when it first arrived because it seemed intrusive and always trying to tell you not to do something with your phone.
Now, Knox is configured as a separate instance inside the "regular" operating system (that's a close enough explanation for a container or compartmentalized instance), and if you want to be extra safe, you use it for apps that have anything important in their data files, like a banking or credit card app.
But really, even though you hear people like me harping about online security, modern Android phones are pretty darn safe. There has never been a monstrous breach of user data through an Android vulnerability, and trust me — plenty of people are trying to make that happen. As long as Google and the companies that make the phones we love to use stay on their toes, the chances of it happening are small.
You need to do your part by securing your phone with a good lock screen and not worry about fingerprint sensors being slightly less secure than long goofy passwords or which method is the best and use the one that is most convenient for you. That means you'll use it every time, all the time.
In the past ten years since Android came to be I've had issues with my bank or Visa card twice: once because of Target's online security being hacked and once because of a dishonest server at Denny's who grabbed my card digits and security code. I'll continue to use the Chase app for banking, PayPal for online money transfers, and Amazon's app right from my phone and feel good about it. I think you can do the same.
Get the Android Central Newsletter
Instant access to breaking news, the hottest reviews, great deals and helpful tips.
Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.
I use Chase too, and like the app, but I never use it unless I'm on a secure network that I know personally, or on mobile data.
By the way, NFC is disabled when the phone is connected to a public network, though I'm not sure if that feature is courtesy of Google Pay or HTC.
I hope apps will be able to use face unlock eventually, even though only Apple, Google, and HTC offer secure face unlock at the time.