Why Android malware scares are almost never as bad as they seem

Whether it's QuadRooter earlier in 2016, or Gooligan more recently, the news is full of reports of terrifying Android security vulnerabilities. Often they're brought to light by security companies with a product to sell, and blown out of all proportion by the mainstream press.

Research like this is important work done by very smart people. But make no mistake, the goal is to drum up publicity and (eventually) sell you security software. That's why new Android vulns come with catchy nicknames and sometimes even logos — particularly around the time of the big hacker conferences like Defcon and Black Hat. It's a neat pre-packaged story sure to attract attention, easily turned into headlines like "Android users beware: Over 900 MILLION smartphones are vulnerable to this crippling hack." (That was British tabloid The Mirror on QuadRooter, by the way.)

That sounds scary, but it's in the interest of those doing the disclosing (and, let's be honest, the clickthirsty online media) to wave their arms around and make it appear as bad as possible.

There are many types of software vulnerabilities, and it's almost impossible to guarantee any piece of software is completely flawless — especially in something as complex as a smartphone. But let's focus on app-based malware, since that's the most common attack vector. The simplest way for the bad guys to do bad things to your phone or your data is to have you install a malicious app. The app might then make use of vulnerabilities in the OS to take over your device, steal your data, cost you money or whatever else.

When a security vulnerability crops up on iOS, Apple issues a software update and it's fixed. Because of the complete control Apple has over the iPhone, that means devices are patched pretty quickly, and all is well.

On the iPhone, everything that matters lives inside the OS. On Android, it's split between the OS and Play Services.

On Android, it's not so simple. Google doesn't directly update the firmware on the billion or so Android phones out there, and because of this only a small handful are running the latest OS version. But that doesn't mean they have to miss out on new features, APIs and malware protection.

Google Play Services is a system-level app, which is updated in the background by Google on every Android phone going back to 2010's Gingerbread release. As well as providing APIs that let developers interact with Google services, and porting many features back to older versions of Android, Play Services has an important role in Android security.

The "Verify Apps" feature of Play Services is Google's firewall against app-based malware. It was introduced in 2012, and first enabled by default in Android 4.2 Jelly Bean. At the time of writing, 92.4% of active Android devices are running version 4.2 and up, and older versions can manually enable it in the Google Settings app.

Verify Apps works similarly to a traditional PC virus scanner: Whenever the user installs an app, Verify Apps looks for malicious code and known exploits. If they're there, the app is blocked outright — a message is displayed saying "Installation has been blocked." In other, less suspicious cases, a warning message may be displayed instead, with the option to install anyway. (And Verify Apps can also help remove known malware that's already been installed.)

While the underlying exploit may still be there, this makes it impossible for the bad guys to take advantage of vulnerabilities after they've come to light. With Play Services updating constantly in the background across basically the entire Google Android userbase, as soon as a major vulnerability is reported to Google (often before the public hears about it), it's patched through Verify Apps.

Verify Apps is a last line of defense, but it's a highly effective one.

While the method is different compared to iOS, the result is the same. The platform holder updates its security — Apple through an OS update, Google through Play Services — and users are protected. You can argue all day about which one is better or more robust, but the fact that we've yet to see the predicted Android malwarepocalypse indicates that Google's method is working pretty well. That's not to say other steps like Google's monthly security patches aren't important. While Verify Apps is a last line of defense, it's a very effective one.

Let's take a step back even further — to even get to the point of installing a malicious app, the user would've had to disable the "unknown sources" checkbox to allow installation of apps from outside the Google Play Store. For most people, that's not something they ever do. Apps come from the Play Store, and that's that. Google controls and curates apps on the Play Store, and continually scans for nefarious apps. If you only install apps from there, generally, you're fine.

Breathless reports mentioning hundreds of millions of vulnerable Android devices don't mention any of this, of course. In the case of the QuadRooter vulnerabilities, for example, assuming you're on an affected version of Android, you'd first have to disable the "unknown sources" checkbox, then go to Google Settings > Security and disable app scanning. Then, if you decided to download and install an infected app from a nefarious corner of the Internet, you'd be affected. These are not steps that most people take, nor are they things that will happen of their own accord.

It's the digital equivalent of propping open your door, throwing your keys on the driveway and erecting a big sign on your lawn saying "Free stuff inside, come on in."

That's not to say there haven't been one or two genuinely menacing Android security issues over the past few years. The worst to date has been Stagefright, which led to Google establishing its regimen of monthly security patches. Stagefright was particularly bad because it could affect phones just by playing media files. There's a big difference between that and malware in the form of an app that needs to be installed.

When it comes to anything in the form of an APK, Android's existing security safeguards already protect the vast majority of folks, even if they're not on the most up-to-date version.

So those reports about hundreds of millions of Android devices being "vulnerable" to this or that? In theory, if you go out of your way to disable all of Android's built-in safeguards, sure. In the real world, not so much.

Alex Dobie
Executive Editor

Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.

  • Cough cough Rene embellishes them on iMore cough cough cough
  • It's the digital equivalent of leaving the keyfob of your push to start car on your windshield wiper.
  • I've been reading Mobile Nations for about five years. In that time, I don't think I've ever heard Rene write objectively about other operating systems.
  • I don't think he's written objectively about iOS either.
  • *Ahem* he has www.imore.com/galaxy-s7-samsung-still-cant-achieve-apple-level-industria... But only a few times. He's stopped.
  • I mean:
  • It's a shame because he's a pretty smart dude. It's so obvious the reasons he's so biased and bitter too. I think we all know any tech savvy person with above average intelligence and a more knowledgeable understanding of mobile could see what Android has evolved into. It's become highly elegant, with an aesthetic that the majority of UI designers find the best, it's much more functional and capable, and diverse. He knows all this. He's smart. He's bitter about knowing upper midrange-high-end Android is more robust and capable. He's also gotta be bitter about what it's done to Apple's marketshare. He also must be bored with iOS after having used it so long. I think it's way easier to avoid that using Android. But I will say there are a couple of things iOS remains superior at. iOS app developers can create a fluidity of complexity of transition animations in apps that devs can't quite reach yet on Android. Using Objective-C makes iOS the more fluid OS. Java requires more and still isn't as powerful on Android. It's also more highly optimized, cuz they don't have to worry about more than their hardware to develop for. A lot more memory efficient too. But still, you can't modify anything, or choose defaults, integrate apps for info sharing, true multi task, use real widgets, optimize with the best custom launchers. Those last 2 alone make Rene bitter I'm sure. Just felt like writing since Rene was brought up. Not really responding to anyone. I'm oddly fascinated about the rivalry between advanced users of Android and iOS mainly. Maybe because I see it as the most remarkable and capable invention humanity has ever had access to. A lot of folks on AC see how cool the tech is
  • He should just get a job as an evangelist for Apple instead of an editor. When someone's incapable of criticizing the removal of a headphone jack, or the USB C only ports or the lack of major innovation in the iPhone, they don't belong in Mobile Nations. At least the folks here on Android Central give pros and cons and even review the iPhone. I have an iPhone 7 Plus and an S7 Edge right now. Trying to decide which to go with after the Note7, because I've had some problems with the S7 Edge before this one, I'm not a fan of the LG V20, and I think the Pixel XL is both overpriced and impossible to get. The iPhone has come a long way and in many respects it's a great phone. I prefer Android phones, but it's close now. The 7 is so damn quick, that some of my reservations are less of a concern for me. Still, I'm not blind to any of either phone's imperfections.
  • Well, I think it's fair to say that I haven't used AV software on my phone since 2013.
  • This. I uninstalled that crap only last year and you know what? Nothing has happened to my phone.
  • You're probably right that nothing has happened, but it's also probably fair to point out that you don't really know. I mean, it's not as if most malware announces its presence. So you COULD be infected right now without knowing it, and it's POSSIBLE the software you uninstalled would have caught it. But, like I said, odds are you ARE completely clean. And I don't run any software either because the risk IS overstated for most users. But the absence of symptoms isn't necessarily indicative of no infection.
  • Y
  • Never had an issue myself. For that matter never had an issue on my PC either. Just don't be stupid. Avoid sketch ass sites.
    Don't click weird popups.
    Pay attention to your computer (pc or android) behavior.
    Secure your network (If you jump on public wifi turn on Tor etc) It's really not complicated...
  • I agree 100%
  • Just like any OS: download apps, install software from unscrupulous locations, and you get what you deserve. Don't blame the OS when the user is stupid; you can't fix stupid.
  • Nice article, thanks.
  • Lol
  • When the breathless bottom feeders from the media get ahold of these scares they point out one million infections, which sounds like a huge number. Well, it is of course, but that boils down to about one tenth of one percent of android devices in service. From that angle it's pretty insignificant. Part of the problem as I see it is the way that the media pants over each and every device from United Fruit as though their latest product will end hunger, cure cancer and make you rich, famous, and popular.
  • EVERY SINGLE ANDROID DEVICE IN EXISTENCE VULNERABLE TO NEW VIRUS* *as long as you choose to alter your security settings, follow through despite the clear warning when doing so, and then manually download and install said virus, once again choosing to ignore the second warning about doing so.
  • Thanks once again AC, for providing a voice of reason in such matters. Love linking these posts in the comment sections of the click bait equivalents.
  • +1
  • This needs to be featured on mainstream media. It's just too easy to bash Android and I'm glad AC is keeping it real.
  • I also think so many of the iOS users in the media, and the public in general, have so little understanding of Android; and they love to fan the flames of Android-hate and to try and say "ooh see what happens with an open system you're prone to viruses." Psychologically, it makes them feel like they made the right choice by going to the "safe & secure phone" called iPhone.
  • Where can I find that wallpaper?
  • I've asked this question on other similar articles but never got an answer. If a malicious app does somehow make its way onto the Play Store and is subsequently installed on devices, can Google perform remote uninstallation of said malicious apps when they're taken off the Play Store?
  • Yes. They can. And have for a very long time. Here's an article from 2008. http://gizmodo.com/5064357/google-has-a-remote-kill-switch-for-android-apps I don't know how often they have actually used it.
  • That's the answer I was looking for because it never seems to be mentioned in any articles of this nature (it is inevitable that a malicious app can slip through the cracks and end up on the Play Store).
  • Is this why some of the bigger anti-virus companies seem to be adding extraneous horse hockey into their apps? Hard to find one nowadays that doesn't offer cache/ram cleaners and other "optimizers" that seem only marginally useful. I got sick of Avast constantly bugging me to try different things and have uninstalled. Are any of these things REALLY necessary? Especially for someone who doesn't sideload and doesn't visit a bunch of questionable sites?
  • No. It's not necessary, even on a pc
  • That's what I'm starting to think, too. I have Android Device Manager so there is the ability to remote lock and wipe. Cache and ram cleaners are useless. I can back up my contacts with Google or my carrier. I don't, in general, use free public Wi-Fi. And, I don't go to sites that specialize in illegal activities. I would think that pretty much covers me. I guess there is always a slim chance, but I keep this thing backed up regularly and can always do a factory reset. Is there anything that I'm missing?