We use cookies on our websites. Information about cookies and how you can object to the use of cookies at any time or end their use can be found in our privacy policy.

Beware unofficial apps: why Android malware won't go away

Beware unofficial apps: why Android malware won't go away

There’s an old saying that “dog bites man” isn’t news, but “man bites dog” is. We’ve seen a good example of that this week, because the creator of the InstaAgent malware has released another dodgy app. Nobody shouted “There’s a dodgy app on Android! Hold the front page!”. It did make the news, but only because it also targeted iOS users.

Androidpit privacy security
Malware isn't inevitable, and Android is a pretty secure OS. / © ANDROIDPIT

History has a habit of repeating. Before smartphones became our primary computing devices we had Windows PCs, which were plagued by malicious apps, viruses, worms, Trojans, spyware, adware, the common cold and the Black Death. And you had Macs, which weren’t. And today we have Android devices, which are plagued by… you know where I’m going with this.

What can we do about it?

Let’s judge people!

We can’t let users off the hook here. Just like with Windows, the easiest way to get malware onto somebody’s Android device is to get them to download it – so part of the problem, and maybe even the biggest part of the problem, is that Android users are installing things without checking whether they’re legit. Unfortunately, as with Windows, most Android users aren’t remotely techy, so if something looks okay they’ll generally assume that it is.

That’s not to say Android users are dumber than iOS users. But Apple’s app store is so locked down that the appearance of a single dodgy app is global news: iOS users can’t generally download dodgy apps because there aren’t any dodgy apps to download. Rubbish apps, yes; pointless apps, absolutely. But not malicious apps such as password grabbers and other malware.

Google knows that third party app stores can be dodgy, of course, and it has published statistics demonstrating that the risk of malware from third-party app stores is enormous. Sideloading is ten times more dangerous than sticking solely to the Play Store.

But that doesn’t mean the Play store isn’t dangerous too.

androidpit play store 2
Google tries to keep bad apps out, but some inevitably make it into the Play store. / © ANDROIDPIT

Let’s judge Google!

There’s a misconception that Google doesn’t vet Play Store apps. It does, and it scans for malicious apps in particular with a combination of a scanner called Bouncer and teams of human reviewers. But with a new app being added every minute, Google is dealing with an enormous number of apps. As Sophos’s Naked Security blog notes: “Mistakes happen, to the point that during 2015, malware samples from more than 10 different families made it past Google’s checks and were installed more than 10,000,000 times.”

There’s a misconception that Google doesn’t vet Play Store apps

Many of those malware apps are easily detected, and some rely on exploits that Google has patched in Android updates. Sophos’s advice to Android users is to “run a third-party anti-virus tool, and to go out of your way to grab patches as soon as you can.”

Did someone say patches?

You've seen this a million times, but fragmentation's still an issue today. / © ANDROIDPIT

Let’s judge the phone firms!

Say hello to our old friend, Android fragmentation. Android 6.0 is the most secure Android yet, and that’s of absolutely no use to you if it isn’t available for your phone or tablet. Android Marshmallow is currently installed on just 1.2 percent of all Android devices. Still, Lollipop was pretty secure too. That’s only on 34 percent.

Everything else is running even older versions of Android. The numbers aren’t really huge for the oldest versions – Froyo, aka Android 2.2, is only on 0.1 percent – but there are currently more Android users on Lollipop than on Marshmallow, and more users on KitKat than on Lollipop. All those figures are correct as of February 2016 but they won’t change much in the following months.

Android 6.0 is the most secure Android yet, but it's of no use if it isn’t available

The problem isn’t always down to manufacturers losing interest in keeping their devices up to date, but it often is – and that means those devices are vulnerable to malware that more recent Android versions have been immunized against.

To its credit, Google has tried to address that by using Google Play Services as a channel for security fixes, and that’s compatible with Android versions going back to 2.3. But Play Services can’t address everything, and of course it isn’t always installed on devices because some manufacturers opt out of using Google Play.

AndroidPIT androidpit avast antivirus 1
It's a good idea to take precautions. / © ANDROIDPIT

Let’s not judge anybody!

Can we solve the Android malware problem? Probably not. No matter how much Google tries to lock down the Play store, bad apps will still sneak through. People will still use other app stores. And phone firms will continue to lose interest in updating Android when they’ve got something newer and shinier to sell.

But that doesn’t mean malware has to affect you. You can install third party security software, steer clear of app stores you don’t know and trust, assume that apps are guilty until proven innocent and root your device if the manufacturer won’t keep its Android up to date.

Or you could switch to iOS.

But you won’t, because while iOS is a demonstrably safer platform it’s also demonstrably duller. There’s only one way to do things on iOS, and that’s the Apple way - and that’s the very opposite of what Android’s all about. Android is all about giving people freedom, and unfortunately that includes the freedom to make mistakes. We wouldn’t have it any other way.

Recommended articles


Write new comment:
All changes will be saved. No drafts are saved when editing
Write new comment:
All changes will be saved. No drafts are saved when editing

  • Thinking about this further, Apple did have the might to tell the carriers that they (Apple) will be responsible for OS updates being released to the customer. Google should do the same along with the phone manufacturers. Just saying.

  • That's it, I'm deleting all of my apps and wiping my phone.

  • But don't most of the malicious software install itself on the phone without us even knowing it? If you install an app from an unofficial or unknown source then you can get malware with it. But I think also just by clicking on a photo or an email link you can have some malicious software installed on the phone without even knowing it as the installation process took place in the background.

  •   18
    Deactivated Account Mar 28, 2016 Link to comment

    Nice article but you want to say that android is not secure. Matter of concern for lot of people.

  • Mark
    • Admin
    Mar 28, 2016 Link to comment

    Anyone who though they didn't need an anti virus/malware program should really rethink that decision. Especially if you do any banking or online purchasing with your phone. I never use my phone for banking, it is just not secure enough for me, and I rarely shop on line with my phone. I also have a special credit card with a low limit that I only use for online shopping. You should never use a card tied directly to your bank account on a phone or online. I use Norton on all my devices and have never had an issue. It is a good artical

    • The idea of using a specific card with a low limit just for online purchases is good, although credit card companies should write off any fraudulent purchases on a credit card anyway if somebody does get your details and uses them

    • Never used an AV. I use a VPN when I transact any business.

  • You pointed out the problems perfectly. But i think as consumers we have the power to pressure the manufacturers to update firmware more rapidly and for longer periods. And that seems to be happening but only in the countries where consumers demand that to happen. Also the only one who can help us is google.. They have the power.. It's not like the companies under pressure will go through the trouble of making their own individual OSes again to compete with IOS. We had Google to make the best OS and we depend on them to assure it keeps getting safer for every user, or else things will get to a point that it will be better to go Apple way than hacked and frustrated way.

    • The problem is, it's always been a "cat and mouse game" with malware/viruses etc. Someone will come up with a virus, which will eventually get patched. Then another virus will appear, that will get patched too, and on and on it goes. It's a never ending cycle. There will always be people out there clever enough, and malicious enough to make viruses and malware that circumvent security systems, and companies like Google just have to play "catch up" all the while and patch the viruses when they are discovered.

    • Very well stated, but also let us not forget that the carriers are also at fault here. One carrier releases an OS update while another won't release it to their customers. Maybe this is something that Google could push with the carriers. But the carriers just want to sell you a new phone. Just saying.

  • Good article

Write new comment:
All changes will be saved. No drafts are saved when editing