Why Android malware scares are almost never as bad as they seem

Whether it's QuadRooter earlier in 2016, or Gooligan more recently, the news is full of reports of terrifying Android security vulnerabilities. Often they're brought to light by security companies with a product to sell, and blown out of all proportion by the mainstream press.

Research like this is important work done by very smart people. But make no mistake, the goal is to drum up publicity and (eventually) sell you security software. That's why new Android vulns come with catchy nicknames and sometimes even logos — particularly around the time of the big hacker conferences like Defcon and Black Hat. It's a neat pre-packaged story sure to attract attention, easily turned into headlines like "Android users beware: Over 900 MILLION smartphones are vulnerable to this crippling hack." (That was British tabloid The Mirror on QuadRooter, by the way.)

That sounds scary, but it's in the interest of those doing the disclosing (and, let's be honest, the clickthirsty online media) to wave their arms around and make it appear as bad as possible.

There are many types of software vulnerabilities, and it's almost impossible to guarantee any piece of software is completely flawless — especially in something as complex as a smartphone. But let's focus on app-based malware, since that's the most common attack vector. The simplest way for the bad guys to do bad things to your phone or your data is to have you install a malicious app. The app might then make use of vulnerabilities in the OS to take over your device, steal your data, cost you money or whatever else.

When a security vulnerability crops up on iOS, Apple issues a software update and it's fixed. Because of the complete control Apple has over the iPhone, that means devices are patched pretty quickly, and all is well.

On the iPhone, everything that matters lives inside the OS. On Android, it's split between the OS and Play Services.

On Android, it's not so simple. Google doesn't directly update the firmware on the billion or so Android phones out there, and because of this only a small handful are running the latest OS version. But that doesn't mean they have to miss out on new features, APIs and malware protection.

Google Play Services is a system-level app, which is updated in the background by Google on every Android phone going back to 2010's Gingerbread release. As well as providing APIs that let developers interact with Google services, and porting many features back to older versions of Android, Play Services has an important role in Android security.

The "Verify Apps" feature of Play Services is Google's firewall against app-based malware. It was introduced in 2012, and first enabled by default in Android 4.2 Jelly Bean. At the time of writing, 92.4% of active Android devices are running version 4.2 and up, and older versions can manually enable it in the Google Settings app.

Verify Apps works similarly to a traditional PC virus scanner: Whenever the user installs an app, Verify Apps looks for malicious code and known exploits. If they're there, the app is blocked outright — a message is displayed saying "Installation has been blocked." In other, less suspicious cases, a warning message may be displayed instead, with the option to install anyway. (And Verify Apps can also help remove known malware that's already been installed.)

While the underlying exploit may still be there, this makes it impossible for the bad guys to take advantage of vulnerabilities after they've come to light. With Play Services updating constantly in the background across basically the entire Google Android userbase, as soon as a major vulnerability is reported to Google (often before the public hears about it), it's patched through Verify Apps.


Verify Apps is a last line of defense, but it's a highly effective one.

While the method is different compared to iOS, the result is the same. The platform holder updates its security — Apple through an OS update, Google through Play Services — and users are protected. You can argue all day about which one is better or more robust, but the fact that we've yet to see the predicted Android malwarepocalypse indicates that Google's method is working pretty well. That's not to say other steps like Google's monthly security patches aren't important. While Verify Apps is a last line of defense, it's a very effective one.

Let's take a step back even further — to even get to the point of installing a malicious app, the user would've had to disable the "unknown sources" checkbox to allow installation of apps from outside the Google Play Store. For most people, that's not something they ever do. Apps come from the Play Store, and that's that. Google controls and curates apps on the Play Store, and continually scans for nefarious apps. If you only install apps from there, generally, you're fine.

Breathless reports mentioning hundreds of millions of vulnerable Android devices don't mention any of this, of course. In the case of the QuadRooter vulnerabilities, for example, assuming you're on an affected version of Android, you'd first have to disable the "unknown sources" checkbox, then go to Google Settings > Security and disable app scanning. Then, if you decided to download and install an infected app from a nefarious corner of the Internet, you'd be affected. These are not steps that most people take, nor are they things that will happen of their own accord.
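As an added example (not part of the article or of any Google tooling), here is a small POSIX shell audit that reads the two safeguards described above from an attached phone and reports whether a device is in the "both switched off" state. The settings keys `install_non_market_apps` and `package_verifier_enable`, the use of `adb`, and the pre-Android 8.0 assumption (8.0 replaced the global unknown-sources toggle with per-app grants) are all assumptions about the device, not facts stated in the article.

```shell
#!/bin/sh
# Added example: audit the two safeguards the article says a user must switch off
# before a malicious APK can be installed at all.
#
# Assumptions (not from the article): the device exposes the settings keys
# "install_non_market_apps" (secure namespace, 1 = apps from outside Play allowed)
# and "package_verifier_enable" (global namespace, 1 = Verify Apps scanning on),
# adb is on PATH, and the device runs a pre-8.0 Android build.

# classify_posture SIDELOAD VERIFY
# Pure classification of the two raw setting values; anything other than "1"
# (including "0" or "null" for an unset key) is treated as "off".
classify_posture() {
  sideload=off; verify=off
  [ "$1" = "1" ] && sideload=on
  [ "$2" = "1" ] && verify=on
  case "$sideload/$verify" in
    on/off)  echo "exposed" ;;            # both safeguards off: the article's propped-open door
    on/on)   echo "sideload-scanned" ;;   # sideloading allowed, but Verify Apps still checks it
    off/off) echo "play-only-unscanned" ;;# Play Store only, but no on-device scanning
    off/on)  echo "protected" ;;          # Play Store only and Verify Apps on
  esac
}

# audit_device: pull both values over adb, strip the CR adb adds, and classify.
audit_device() {
  sideload=$(adb shell settings get secure install_non_market_apps | tr -d '\r')
  verify=$(adb shell settings get global package_verifier_enable | tr -d '\r')
  printf 'sideloading=%s verify_apps=%s posture=%s\n' \
    "$sideload" "$verify" "$(classify_posture "$sideload" "$verify")"
}

# Only talk to a device when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--device" ]; then
  audit_device
fi
```

Run it as `sh audit.sh --device` with one phone attached; a posture of "exposed" is the configuration the article's hypothetical victim would have to reach by hand.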

It's the digital equivalent of propping open your door, throwing your keys on the driveway and erecting a big sign on your lawn saying "Free stuff inside, come on in."

That's not to say there haven't been one or two genuinely menacing Android security issues over the past few years. The worst to date has been Stagefright, which led to Google establishing its regimen of monthly security patches. Stagefright was particularly bad because it could affect phones just by playing media files. There's a big difference between that and malware in the form of an app that needs to be installed.

When it comes to anything in the form of an APK, Android's existing security safeguards already protect the vast majority of folks, even if they're not on the most up-to-date version.

So those reports about hundreds of millions of Android devices being "vulnerable" to this or that? In theory, if you go out of your way to disable all of Android's built-in safeguards, sure. In the real world, not so much.

Alex Dobie
Executive Editor

Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.