Best answer: Yes. Almost every modern Android phone gets security updates to halt most major types of remote exploits. Google and the company that makes your phone have done a lot of work to make Android as safe as it can be, too.
Android phones have always had a terrible reputation when it comes to security. In the early days, it might have been warranted because manufacturers made hundreds of models and never cared about updating any of them. When you combine this with those same manufacturers not really following any sort of best practices when it comes to online security, there will be people who get hit with malware.
Google wasn't that great at things ten years ago, either. The company knew how to harden a server and protect both the hardware and the data it holds from intrusion and hacking, but phones were a whole different ball game because of one thing: users.
When you have phones that probably aren't secured as well as they could be and users who will do the unpredictable, it's a recipe for disaster.
Thankfully, that large-scale disaster never really happened, and we've come a long way since the early "wild west" days of Android phones. And yes, your phone is probably safe from viruses, and you can feel good about online banking while using it in 2020.
How Google and Android have changed
Did you know Google has an entire team dedicated to Android's security? These are the people who trawl through online forums looking for new ways to attack the phones we use, get bulletins from other companies that exist to find security vulnerabilities on Android phones, then work tirelessly to get them fixed.
There is no such thing as a virus for Android. Because of the permission model and how apps are sandboxed, software can't just replicate itself and then automatically transfer a copy to another device. That's what a virus does, just like it does inside the human body.
When people say a virus, they usually mean malware of some sort. Malware can be relatively benign, like giving your location history to an advertisement company, or it can be downright dangerous and do things like try to break your phone's security by rooting it or sending your keystrokes off to some offshore server. Malware is bad news.
We hear about malware that ended up being installed 50,000 times or so from the Play Store before Google's Safety Net caught it and wiped it out, but that only sounds like a huge number because there are over two billion Android devices in use right now. 50,000 is a drop in the bucket, but that's little consolation for someone who ended up getting it installed.
Malware can also come from a webpage. We've probably all seen pop-up messages telling us to download and install this thing when we visit a webpage, and if you do, chances are you're not going to like what you just put on your phone.
These are serious issues that every company writing an operating system has to deal with. What Google has done is tighten up how any app — whether it's one you wanted to install or some random thing that piggy-backed on it — can access the rest of your phone. By default, an app only gets access to its own folder and has no idea what other files and folders exist. That's why you see those dialog boxes asking for permission to access your photos or call logs and what-not.
The problem is that most apps need some sort of extra permissions to work, so that means it's up to the user to figure out which ones to grant and which ones to deny. That's no good, and Google knows it. Google scans your phone every day using the same scanning algorithms it uses for the Play Store. Even if you installed something bad and then granted it permission to do bad things, Google is going to stop it from continuing and let you know it found something awful.
To block the really bad stuff, Google uses a verified boot process and manufacturers lock the bootloader. In other words, if the operating system has been tampered with, your phone won't start and you're directed to either call the manufacturer or erase everything and download a good copy to start fresh.
What the companies making phones do
Google rounds up all the known security vulnerabilities that it patched every month and sends out a fix. The fix for Pixel phones comes out the first week of every month (always by the 5th), but the fixes have been sent out to the other companies that make phones about 60 days earlier. Those companies are free to incorporate the fixes and send out a patch as soon as possible.
We've seen that more than a few times, too. Samsung, OnePlus, or even BlackBerry will sometimes get a patch out before Google does, and that's great. It means those companies spent those 60 days the right way and want to keep you protected from the latest exploits that can wreck things on your phone.
In 2020, almost every phone gets an update or two, along with scheduled security updates. In a perfect world, security updates would come daily; if you use a Linux distro on a PC, you know that they can and do. But even a quarterly update is good enough to keep you safe from any real dangers because of the other fixes Google has done to Android to rope everything in.
On the flip side, some companies like Samsung go the extra mile and provide an extra level of security like Knox. Most casual users hated Knox when it first arrived because it seemed intrusive and was always trying to tell you not to do something with your phone.
Now, Knox is configured as a separate instance inside the "regular" operating system (that's a close enough explanation for a container or compartmentalized instance), and if you want to be extra safe, you use it for apps that have anything important in their data files, like a banking or credit card app.
But really, even though you hear people like me harping about online security, modern Android phones are pretty darn safe. There has never been a monstrous breach of user data through an Android vulnerability, and trust me — plenty of people are trying to make that happen. As long as Google and the companies that make the phones we love to use stay on their toes, the chances of it happening are small.
You need to do your part by securing your phone with a good lock screen. Don't worry about fingerprint sensors being slightly less secure than long goofy passwords, or about which method is the best; use the one that is most convenient for you. That means you'll use it every time, all the time.
In the past ten years since Android came to be, I've had issues with my bank or Visa card twice: once because of Target's online security being hacked and once because of a dishonest server at Denny's who grabbed my card digits and security code. I'll continue to use the Chase app for banking, PayPal for online money transfers, and Amazon's app right from my phone and feel good about it. I think you can do the same.
Nice article. I will have to look up more info about Knox. Unfortunately, Samsung has made such an effort to get me to give them permission to track everything (Bixby, use their app store/apps, use their cloud, use Samsung Pay, use a Samsung acct for everything, etc.). It makes me leery of everything they want to the point I almost want to buy an iPhone. Also, I think the way folks get hacked the most is phishing attacks not malware.
I looked up Knox. It looks straightforward enough. However, I stand behind that the most serious threat to doing banking on an Android phone, or any tech device, is falling to a phishing scam and/or committing the cardinal sin of using the same password for banking as one uses for other accounts.
I have worked in the Tech world for 30 years. The vast majority of security issues are people related. Think back to the iCloud breaches a few years ago. Most of the celebrities had PWs like 1234, abcd, etc... I work in enterprise software and we spend millions on security for our products. In almost every case of security problems few are ever sophisticated attacks. Almost everything comes from user issues. As the saying goes "you can't fix stupid".
I love Samsung Knox, it's that transparent layer you don't really see but it's everywhere in your Samsung phone adding an extra wall. Especially for payments.
Serious typo. There are over 2 BILLION Android devices in use; not the 2 million mentioned in the article.
Fixed that. Oops. Only off by 998,000,000 :P
Not at all worried about malware. Common sense is the best way to go about anything, not tap/click on everything you see. Adblockers do plenty to prevent malware. From my BlackBerry Key2 LE on Freedom Mobile LTE or 3G HSPA+
Great article, I too have often wondered about Knox. Does anyone know what the name of or where to get the wallpaper background on the phone in the thumbnail photo at the top of the article?
Good article, though the title is a bit awkward 😉
I use Chase too, and like the app, but I never use it unless I'm on a secure network that I know personally, or on mobile data.
By the way, NFC is disabled when the phone is connected to a public network, though I'm not sure if that feature is courtesy of Google Pay or HTC.
I hope apps will be able to use face unlock eventually, even though only Apple, Google, and HTC offer secure face unlock at the time.
I recommend downloading Blokada from their website. Excellent application helping keep things at bay.
imo, android is safer than a windows pc.
I think having secure passwords, plus really KNOWING where the stuff you sideload comes from. There's a comment in THIS THREAD telling people to go download software not from the Google Play store, but directly from a website. For me personally, knowing how malware is more prevalent in sideloaded apps, I would NOT go out there and download that software without a LOT of research into the company. I mean, if they are legit, why aren't they selling through the Play Store?