As smartphone users and general citizens of the internet, we're all used to seeing headlines telling us how the app store for our phones was found to have a handful of apps with malware and that they were downloaded a few million times. These stories come from security companies who spend 100% of their time looking for this sort of thing, and it's great that those companies are out there doing all this dirty work — the more eyes on the things we can install on our phones the better. But it's also just as important to put everything in perspective; not to downplay the risks involved when downloading any application to any type of computer, but to reinforce it and find out what's best when it comes to the things we do.
And when it's all said and done, Google Play is still the best place for almost everyone to use when they want to download an app. Sure, it's not perfect. Even Google knows this. But when it comes to minimizing the risks involved when you share anything with yet another company or individual who wants to profit from your data, it is your best bet.
What is malware?
The first thing you need to consider is that the definition of malware varies. To you and I (and security companies like Sophos or Lookout), malware is any app or part of an app that does something we don't think it should be doing. A game that harvests information from your address book or an app that has ads that track your location and internet history is crap, and they are malware. But there is another factor in the equation, and that's asking for permission.
Malware is that thing we all hate talking about, but we need to do it anyway.
Android's permissions make it possible for an app to do really crummy things and not be classified as malware by an automated scanner or by Google itself. And that sucks. But it's also perfectly acceptable on another level because all the rules are being followed. This is why Google regularly changes those rules and makes things like screen overlays forbidden. When your favorite screen dimming app or that sidebar on your Galaxy S edge phone changes how it works and you don't like it, blame shitty developers who used an overlay to trick people into clicking things. And there are a lot of those.
Actual malware is an application that does a thing you didn't give it permission to do. Those exist, and sometimes they can end up in Google Play. But they don't last very long and Google has secondary checks that block them from being installed on your phone even if they are being hosted in the Play Store and you downloaded them. Even if an app does something tricky to get you to add something from a different source via a direct download, Google Play Protect scans all your apps regularly and will find it, provided you have it enabled. And you totally should have it enabled.
Malware in Google Play
As mentioned above, it happens. You will see a headline everywhere when it does (which is a good thing) to let you know that malware was found in your app store. You'll also see how many millions of times it was downloaded, and seeing that 5 million people downloaded an app that can exploit their phone's software and send data back to some server is scary. But again, some perspective is in order; Google says there are over 2 billion active Android devices using Google play every month. 5 million people is 0.25% of them, so that means that 99.75% of Android users weren't exposed.
Any malware in an app store is too much malware for our tastes. Google's, too.
That 0.25% is still too high. Google agrees and it has the lofty goal of zero instances of malware in its store. They also know that's not going to happen, but they still aim high. And they should because they are asking for our trust. Trust should never be given freely and should also be quickly revoked when necessary. Remember that Google is a huge company and the people who want to do whatever they can to collect your data are not the same people who want to do everything they can to protect your data. Thankfully, Google embraces both departments.
Most of the "malware" found in Google play is that other kind of malware. Apps that follow the rules but depend on you not reading app permissions (or not even knowing about them) and installing their crap anyway. This is a bigger problem because there is no easy fix.
An open app store
We want and embrace an "open" app store. That means anyone can spend just $5 and register with Google Play and upload an app for you and me to download. We've seen some amazing apps from people who might not afford to be able to write apps for iOS because of the fees and necessary equipment (you need a modern Mac computer to write iOS apps) and Google Play doesn't have those same restrictions. But with the good, there is always bad.
Google Play places some of the responsibility on you when it comes to app permissions. Read them.
The other side of an open app store isn't as pretty. Anyone with an iPhone can tell you that all the apps in the App Store have the same level of attention to the user interface, and Apple vets every single submission to make sure it meets its standards for both the user experience and what data the app is able to collect, and what it can do with it. This causes some headache for developers, but all hyperbole aside, it does benefit the users. That's you and me.
Google doesn't use the same submission methods. Instead, it lists what Android's capabilities are, how a developer can use them through exposed APIs, and forces the app to ask for permission to do any of it. This puts the onus on you and me when it comes to allowing apps that aren't technically malware to live on our phones. This is good and bad; we should be able to install anything we like since we paid for the device, but most people don't even know or understand app permissions let alone read through them.
What those scary App Permissions mean
Google has done a good job of breaking out the permissions from the install process, and since Android 6.0 you've been able to go into your settings and revoke any or all the permissions for an app. But that's still not good enough because we really need to know what the permissions actually entail and why an app would have a legitimate need for it. We should hold the bulk of responsibility when it comes to what apps we install on our phones and what those apps can do. But we also should be properly informed about it all. Right now, the information available needs some technical expertise to wade through and that's not good enough for a product aimed at the general consumer.
Other app stores
Other app stores exist, and we're not trying to say they aren't safe to use. Samsung, LG, Amazon and other names everyone knows all have their own market for Android apps. Another popular service is F-Droid, which hosts 100% free software (the kind of free that means you can get the source code and build it yourself) for Android devices. Generally, you can trust that the apps you get from any of these stores will be safe to use. Amazon and F-Droid scan apps that are uploaded and Google Play Protect also scan them regularly, but there are other things to consider.
You know Samsung or F-Droid offer safe apps because you're reading an Android blog; not everyone reads Android blogs.
Companies like Samsung or Amazon are also in the data business and have their own policies when it comes to what can be collected, how it can be collected, and who it can be shared with. F-Droid requires you to disable a well-known security feature and allow apps from "unknown sources" on your phone to install apps. Neither of these situations is bad, but it puts an extra burden on the user.
I have used all the above-mentioned stores, and really like F-Droid in particular because it appeals to my love of Free, Open-Source Software. Plenty of people reading this will have done the same. But if you're online reading an Android blog you are not that "average consumer" that Android and the phones running it are designed for. Many people with an Android phone aren't technically inclined, and even those that are might not be interested in changing security settings or sorting through yet another EULA to use a different app store. We are here to help inform anyone, but our reach is extremely limited when you go back to that 2 billion monthly user number.
Google Play works for everyone
We're not cheerleading here, but Google Play remains the best place for anyone to get apps for their phone. Google has a vested interest in the Android platform, and it knows the app store is the reason why it has 2 billion users. It spends plenty of money and time to make it as safe as it can be or at least try to do so.
We want Google to work hard to make the Play Store even better for users and developers.
It has plenty of room for improvement, though. Go back to the two different definitions of malware and how most of it ends up installed on someone's (including yours and mine) phone. Google's current policies allow things like unnecessary data collection or sketchy ad injection to happen because users don't know about or understand the rules. The offenders know the rules and are very good at skirting the edges of them so they can profit from our data. They depend on uninformed consumers making illogical choices when it comes to installing apps, and it needs to come to an end, finally.
All things considered, though, Google Play is still your best bet for a huge selection of safe apps. The small percentage that falls under either of the definitions of malware are a thing that needs to be addressed but those are few and far between, and might very well be in other app stores, too. "Advanced users," for lack of a better term, can benefit from other open markets like F-Droid, but as a general recommendation all of us here at Android Central would point anyone towards Google Play and have faith that it's the right decision.
