Remember that mobile security companies only want to sell you something

Did you hear that like every Android phone ever made is broken because the companies that made them are lying and not really sending you security patches when they say they are sending you one? Chances are you did, because the whole silly mess was engineered solely so you would hear about it. I'll go a step further and say the entire study only exists as a thing that will grab your attention so you can become concerned about your phone, then be directed to a link where you can download an app with intrusive permissions and send loads of juicy user data.

Fear is big business and there will always be companies who use scare tactics to get attention.

That's bad. Very bad. Not just because some company drops a gigantic accusation and offers little to no proof, but because it will make us skeptical when we shouldn't be. One day a security researcher may find something we really need to know about or be concerned about, but we'll brush it off because of the countless times we've been misled. Mobile security products are the 21st-century version of snake oil.

The fact of the matter is that mobile security companies only exist to make money like all other companies. Every word a spokesman says or types is said or typed to make money for the company, and they try to make us think they are helping or saving us while they do it. They really love it when they see news stories that repeat the words they have said or typed and the more times they see headlines with the company name and sensational numbers about "infected Android phones" or similar nonsense the more money there is to count. Android may be broken, but instead of trying to fix it these companies are circling like buzzards so they can get their bit of flesh.

I spent way too much time trying to investigate the recent claims about dishonest security patches only to see that the details eventually released don't tell us anything — other than how bad it all is based on proprietary software that scans phone firmware files. That's kind of interesting, but not really what we expected to hear after a full day of hype letting us know there was something important to say. This sort of carnival barker behavior is ridiculous and shows that the companies involved don't really care about your safety and privacy or they wouldn't make you wait one more day.

It works, though. The news business is full of fierce competition and that means your website can't be the only one that doesn't repeat the dubious claims that infer we all should trust a company we have never heard of more than the company that invented the cell phone. And what if one of these claims turns out to be more than sensationalism? No outlet wants to be the place that didn't warn you when they could have. Remember that the next time you want to blast a website or news channel for repeating something that might be important. They (we) aren't security researchers and aren't making these claims, only repeating them so you know about them.

News writers should display a disclaimer in these stories. I'm guilty of not doing it, too.

What we here at AC and every other news outlet could do is remind you that these sorts of things come from companies that sell a product designed to "fix" the problems they claim to have found. I'm guilty here, too. Whenever you read a news article telling you that millions of Android users are affected by something and the company making the claims has a mobile security product to sell you, there should be a disclaimer. "Company XXX is the publisher of this security application and we can't validate their claims" or something similarly generic that can just be dropped in place every time a post about the latest thing is written would work. I'll try to remember to do it from now on and remind others when I see it.

What we as users need to do is pay attention and decide which of these sorts of issues are worth further attention. We can't just ignore them because every once in a while they turn out to have a bit of truth buried under all the BS. And the law of averages says that eventually millions of smartphones will be hacked and a lot of money will be stolen. But remember that it is ridiculously hard to hack a smartphone, and the companies writing the software and making the hardware never stop trying to make it even harder.

Stay safe, y'all.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Fantastic write up! Many many years ago I used Lookout until I realized that the app is doing nothing but sit there, eating battery and collecting data. Whenever I read/hear that people should use Antivirus software I roll my eyes and hope folks understand the uselessness of those apps. But, the number of downloads in Google play speak volumes. Scare tactics work! The biggest problem is that people have absolutely no clue how Android (or the iPhone for that matter) work and that common sense (mostly extinguished these days) and a little knowledge is all you need to stay safe.
  • People DEFINITELY do need to use antivirus software! But it's important they understand they're using probably the best one on Android, Play Protect, already. Because it's included in Google Play Services.
  • Yep
  • Absolut rubbish! That Antivirus software is doing absolutely nothing to protect your device! The same way it's useless, or at least unnecessary, on a Linux run computer, so it is on an android phone.
  • You're wrong. The main two reasons antivirus software is usually unnecessary on Linux are it's relative obscurity as a desktop OS coupled with the relatively high technical ability of the average user. Meaning very little malware is developed for the platform, and the small amount that is rarely gets installed. Neither of those things are true for Android. It is the most popular mobile OS (most popular OS?) In the world, and the average Android user has the same level of technical expertise as the average person in general, because that's what they are. Ie, quite low.
  • Yep. How do you like my knowledge of the subject?
  • Well, you've agreed with me twice... So I'd like to think you know what you're talking about ;p
  • You guys seem to be "real experts". But its a free country. And if you wanna waste your money or bog down your phone you have the freedom to do so. The way Android works (or Linux) its impossible for any "security software to work preventive (also see Jerry's comments below). All it does is giving you a sense of false security!
  • I never claimed to be an expert, I'm a relatively knowledgeable enthusiast. But it seems I know more than you... I say this because YOU'RE RUNNING THE SAME SECURITY SOFTWARE I AM! Unless you're one of those morons who tries to get rid of Google Play Services, you ARE running play protect. If you really think Play Services doesn't have root system access, you're demonstrating your own ignorance... I suggest you actually read Jerry's original post and comments again yourself, but this time don't ignore the words "Play Protect". And as an aside, whose country are you referring to?
  • "The way Android works (or Linux) its impossible for any "security software to work preventive"
    - It can scan your device and detect malicious packages, even if it can't stop what said packages are doing on its own. That former functionality is useful.
  • Ding ding ding ding we have a winner
  • Except independent 3rd party tests have shown it's pretty ineffective against actual malware. Even Google admitted that they don't try to stop malware, they just try to reduce it to a manageable level.
  • On the flip side, when some great app comes along that gets promoted by everyone, there should also be a disclaimer, eg. "Company xx is the publisher of that app and has been known to harvest and sell your data"
  • I use AVG.
    Only a couple of £ a year including a VPN.
  • Sophos has better coverage and is free.
  • Free VPN?
  • So were patches actually missed or not?
  • This! I feel like Jerry's piece doesn't address this issue. That original article was about OEMs falsify the accuracy of the current security level, not whether the device was still reasonably secure. It's the lying about what the security patch level is currently installed on the device that's the issue.
  • pretty much normal on AC, they like to tackle things like this with opinion pieces instead of actual real facts that require work. AC has always had the stance that security is a complete non issue on Android OS... funny that a site that makes it money from Android have that stance.... after reading this article I feel like I should remove ALL security software from my phone??? Samsung is going to patch all security holes for me and I should just trust them? /confused... wait, don't trust samsung, download and use Google Play Protect and trust that one? ....
    see how these articles are useless?
  • Just so you know, I spent about 20 hours looking into this then wrote about 1,500 words to try and explain what it might be because they didn't say much. Only to find out it is nothing and delete them all. And yes you should remove all security software from your phone unless you're running it with uid 0 (which means you can't uninstall it without elevating your user permissions). Otherwise all it can do is compare a file's size and signature against a list of what it thinks is bad because it has no access to any application data except its own. Play Protect did this when you installed it so you're just doing it twice.
  • There's a very detailed 30 page PDF by them here How you call that "didn't say much," I don't know.
  • There was nothing to address. SRL claims OEMs lied, OEMs claim they didn't. When it was time to provide proof the company said their special software found that not all parts of a patch got installed and that's it. No proof so everyone just shrugged. I don't believe what they say, not one little bit. But until someone shows me proof from either side I don't have an answer. FWIW, Google said they will help SRL develop something that can actually find the answer. You can see what they had to say in the original updated post.
  • I haven't a clue what's going on ether but if software suggested parts of a security patch where missing on some devices and not others that would point to a difference in the updates.
    At the very least it suggests the updates we are getting from our phone manufacturers are not the same as the ones Google is putting out.
    Of cause this doesn't mean there is a problem and I like most haven't had any issues even on my most outdated phones but some clarification would be nice.
  • "I don't have an answer"
    - LOL except you did have an answer in your article. You basically claimed all Android security vulnerabilities and issues are hoaxes at best. You definitely took a side.
  • Amazing, huh? He provided zero evidence to support his point.
  • So Lookout is useless? Just use Google play Protect?
  • Pretty much
  • Yep. Just pay attention to app permissions, don't sideload, and use some common sense in your online activities and you should be fine.
  • I don't currently have extra security software installed but a second opinion never hurts anyone (battery wise perhaps a little) and these security companies do tell Google about a lot of the issues.
  • "these security companies do tell Google"
    - There's a formal CVE process for vulnerability reporting that reputable organizations follow. The author's assertion that security outfits aren't doing anything to actually solve the problems is wildly inaccurate at least and blatant lying at face value.
  • Lookout has been garbage for a long time. You can find worthy alternatives at AV Comparatives and AVTest.
  • I also read even a very outdated android phone is more secure than the average PC.
  • That's a useless comparison because "average" and "very outdated" are not quantitative metrics. This is the only thing they said that sounded kinda fishy to me.
  • I believe it was to highlight the relative risk based on historical evidence.
    The reasoning behind the claim was not made public but the amount of viruses and malware written for PC's could well be higher or the average PC use may be very different rather than the operating system itself.
    But the underlying message is people should probably be as concerned with their PC security as they are with their phones.
  • Yep - fear is a motivator, so is death or deceased people. I've had scam phone calls that were - very - convincing. To the point I took it to the local law enforcement which continued the conversation with them. That particular person on the other end was even getting rude with our law enforcement - again very convincing - and very illegal. I can see why they target older people. I've also had my identity stolen - which now days is a major concern. Hell even our state ran DMV sells data... Sad.
  • I deleted my AV software two years ago. They always craft the words to say "We protected you from 100,000 potential infections" instead of "No infections were found on your device. Ever". But then, I don't sideload apps from "Jeff & Bucky's APK Shed", do online banking over public wi-fi, or fall asleep with the phone on questionable sites.
  • Haha...thank you for this. That's why I try not to be a sheep and believe everything I read !
  • But you believed this article. LOL OK.
  • Backtracking on a previous story on Android Central
  • Of course security companies are trying to sell us something, I don't have a any paid security or anti virus software on my Laptop or Android phone, in fact I don't have anything on my phone and that won't change and on my windows laptop, I have Avast, the free version. Edit: it's good to know that Play Project is a built in anti virus but isn't it like Windows Defender?
  • Glad you have something on your laptop! I use AVG free, but might go paid eventually. I install it on whatever computers I work on if the person does not have antivirus, and I'm sure that's generated a sale or two for AVG.
    Play Protect scans you apps to make sure they are still clean, and no malware has been installed by the apps either. I'm not sure if it scans ONLY Play Store Apps, or scans other apps like those from Amazon. Perhaps someone else can chime in.
  • I also don't have any antivirus on my phone.
    Also none at all on my Alienware laptop.
    It also runs Linux. :)
    I do alot of VM installer testing and need the desktop CPU.
    An average corporate desktop takes up to 45 minutes to do a Linux server install in a VM. YUCK.
    My Alienware laptop does it under 5 minutes, and sometimes just over 4 minutes if Chrome is not doing heavy web pages at the time. :)
    The worst part is waiting til completion until the results of my post install changes can be verified.
    Make a syntax error and wait 45 minutes to discover it each time? No Way!
  • Cool story bro
  • "I don't have a any paid security or anti virus software on my Laptop or Android phone"
    - LMFAO because you'd have adware antivirus. Hilarious.
  • Don't you have anything better to do? Most people are ignoring you.
  • Yep, security companies make money, but the people also in them are probably the most paranoid of people, they want to tell others about the issues (while making money), like the author of this article. That doesn't excuse the manufacturer's "selling" us phones with up to date patches and then not supplying the feature promised. That is lying. Given that the security guys provided an application (SnoopSnitch) it would appear that they have gone to a lot of trouble to provide proof of the cover-up. My OnePlus 5T looks pretty good except for 5 inconclusive results. Time for us to put the pressure on manufacturers and for them to explain any false results. There needs to be more and not less naming and shaming, its the only way the phone manufacturers (who also make money) will protect us and do the right thing.
  • Exactly. Apparently it's shocking to AC that OEMs that delay updates and skip monthly patches would actually dare be dishonest about the patches they claim to have. Yeah I'm sure they're being totally honest /s
  • Yes, Androud security companies sell fear. Yes, "volnerabilites" are strongly publicized. No, I have never read of identity theft due to vulnerabilities. You never read of massive Android fraud. If you download apps only from Google Play store or Samsung Galaxy store, you won't have a problem. Google scans apps on install. Samsung has free Device Maintenance that includes security checks powered by McAfee. Similarly, Microsoft provides free PC protection through Defender. Hey, go ahead & waste your cash on paying for security if you want. Oh, keep believing you mobile VPN you pay for keeps your online use private too... hahahaha......
  • You know your "free" security supplied by Samsung that you don't actually need is not actually free?
    Cost is added to the device.
    Those paying less for their devices might want to consider adding security.
    Especially if using apps and services from none official sources
    It's also handy to have a quick and easy way of scanning files before opening especially on work phones where people are sending files all the time.
    VPN's also let you access parts of the internet ISP's try to block in many countries.
  • VPNs also give the VPN provider ALL your internet traffic. Great idea.
  • Do they?
    I thought it was only when you turn your VPN on.
    Live and learn.
    Well you've got to make a decision one way or another ISP or VPN unless you have your own servers of course.
  • "volnerabilites"
    - User who can't spell lectures us about security.
  • You sound like the person who got beat up in high school and now behind his keyboard is taking revenge.....
  • Eleven years with Android phones and I've never had any issues. I don't know anyone personally who had issues on Android, IOS or Windows Phone. I used to panic the first few times an app began flashing warnings my phone was infected, saying I needed to install XYZ security app immediately to deal with it. I did use a variety of antivirus apps for years, assuming they were keeping me "safe". I always read every tech site's Top Ten Antivirus Apps articles, even now, which I think proves Jerry's point here.
    I use Samsung's own antivirus app on my Note 4 which is stuck on the August 17 patch now. But only because it's there.
    My Xperia X is on the March 18 patch and I don't have anything other than what Google and Sony have installed.
    I also still use a Lumia Windows phone which gets a regular patch every month, but not for much longer. Thanks, Microsoft.
    I've tried the "free" versions of all the top rated Antivirus apps. I only have one app on my phones that isn't available in the Play Store(it was there when I first installed it or I wouldn't have risked it) so when it occasionally asks to be updated(and directs me to a "safe" source to find the update) I still install a couple of the top 3 or 4 antivirus apps and let them do their scans before uninstalling them when they find nothing. As they find nothing, and I've never had any issues, I assume that this app is "safe".
    And if it isn't "safe", and these top apps can't tell me so, what use are they anyway?
  • rock, you're my favorite personality over there
  • I did not dig in to understand the actual patches that may have not been properly applied. I understand their claim is being backed by their own checking software. Surely Google or other parties (like for driver software) that create/contribute to the patches have some sort of testing procedure to verify what they did works. They could easily re-run their check and we'd have 3rd party (preferred-party?) verification. Silence from them is interesting. Also, are there not actual threats in the wild that take advantage of the issues the patches address? If not, it means the system is working (preventative instead of reactionary).
  • A very detailed PDF, which the author conveniently omitted, can be found here
  • "download an app with intrusive permissions"
    - This is blatantly false. The app is currently running on my Z2F with zero permissions granted. "Not just because some company drops a gigantic accusation and offers little to no proof"
    - They literally posted a blog with links to their security presentation and how they came to their conclusions here You, OTOH, are offering no proof to the contrary beyond words. "The fact of the matter is that mobile security companies only exist to make money like all other companies.
    - Other companies like Google and OEMs? This argument makes zero sense. "sensational numbers about "infected Android phones"
    - LOL so CVEs are fake? OMG this is laughable. "instead of trying to fix it these companies are circling like buzzards so they can get their bit of flesh."
    - They actually report the vulnerabilities to Google 1st and give them time to fix the bugs before going public ... what on Earth are you talking about? "I spent way too much time trying to investigate the recent claims about dishonest security patches only to see that the details eventually released don't tell us anything — other than how bad it all is based on proprietary software that scans phone firmware files"
    - Proprietary software? Like Google Android (as opposed to AOSP?) Also, quite a few 3rd party outlets replicate and confirm CVEs "what if one of these claims turns out to be more than sensationalism?"
    - Literally the only Android security report I recall that turned out to be fake was Lookout's report on a certain developer in 2011 or thereabout. "decide which of these sorts of issues are worth further attention."
    - Of course. Because all Android users are infosec experts and can audit code themselves. God forbid we trust people who do those things for a living. This article is wildly irresponsible. The next AC editorial might be telling us HIV is a hoax and you don't need condoms.
  • You dad sure did!
  • I'm not entirely sure what the author's point is. Yes, security companies are trying to sell you a product. Congratulations on picking up on that, I guess. I do have security software on my phone even though I try to screen who makes the app I download, don't side-load apps, and use best practices when surfing the web. It's just an additional layer of security. I'm okay spending a few dollars a year for an extra layer of protection.