There’s an old saying that “dog bites man” isn’t news, but “man bites dog” is. We’ve seen a good example of that this week, because the creator of the InstaAgent malware has released another dodgy app. Nobody shouted “There’s a dodgy app on Android! Hold the front page!”. It did make the news, but only because it also targeted iOS users.
History has a habit of repeating. Before smartphones became our primary computing devices we had Windows PCs, which were plagued by malicious apps, viruses, worms, Trojans, spyware, adware, the common cold and the Black Death. And you had Macs, which weren’t. And today we have Android devices, which are plagued by… you know where I’m going with this.
What can we do about it?
Let’s judge people!
We can’t let users off the hook here. Just like with Windows, the easiest way to get malware onto somebody’s Android device is to get them to download it – so part of the problem, and maybe even the biggest part of the problem, is that Android users are installing things without checking whether they’re legit. Unfortunately, as with Windows, most Android users aren’t remotely techy, so if something looks okay they’ll generally assume that it is.
That’s not to say Android users are dumber than iOS users. But Apple’s app store is so locked down that the appearance of a single dodgy app is global news: iOS users can’t generally download dodgy apps because there aren’t any dodgy apps to download. Rubbish apps, yes; pointless apps, absolutely. But not malicious apps such as password grabbers and other malware.
Google knows that third-party app stores can be dodgy, of course, and it has published statistics demonstrating that the risk of malware from third-party app stores is enormous. Sideloading is ten times more dangerous than sticking solely to the Play Store.
But that doesn’t mean the Play Store isn’t dangerous too.
Let’s judge Google!
There’s a misconception that Google doesn’t vet Play Store apps. It does, and it scans for malicious apps in particular with a combination of a scanner called Bouncer and teams of human reviewers. But with a new app being added every minute, Google is dealing with an enormous number of apps. As Sophos’s Naked Security blog notes: “Mistakes happen, to the point that during 2015, malware samples from more than 10 different families made it past Google’s checks and were installed more than 10,000,000 times.”
Many of those malware apps are easily detected, and some rely on exploits that Google has patched in Android updates. Sophos’s advice to Android users is to “run a third-party anti-virus tool, and to go out of your way to grab patches as soon as you can.”
Did someone say patches?
Let’s judge the phone firms!
Say hello to our old friend, Android fragmentation. Android 6.0 is the most secure Android yet, and that’s of absolutely no use to you if it isn’t available for your phone or tablet. Android Marshmallow is currently installed on just 1.2 percent of all Android devices. Still, Lollipop was pretty secure too. That’s only on 34 percent.
Everything else is running even older versions of Android. The numbers aren’t really huge for the oldest versions – Froyo, aka Android 2.2, is only on 0.1 percent – but there are currently more Android users on Lollipop than on Marshmallow, and more users on KitKat than on Lollipop. All those figures are correct as of February 2016 but they won’t change much in the following months.
The problem isn’t always down to manufacturers losing interest in keeping their devices up to date, but it often is – and that means those devices are vulnerable to malware that more recent Android versions have been immunized against.
To its credit, Google has tried to address that by using Google Play Services as a channel for security fixes, and that’s compatible with Android versions going back to 2.3. But Play Services can’t address everything, and of course it isn’t always installed on devices because some manufacturers opt out of using Google Play.
Let’s not judge anybody!
Can we solve the Android malware problem? Probably not. No matter how much Google tries to lock down the Play Store, bad apps will still sneak through. People will still use other app stores. And phone firms will continue to lose interest in updating Android when they’ve got something newer and shinier to sell.
But that doesn’t mean malware has to affect you. You can install third-party security software, steer clear of app stores you don’t know and trust, assume that apps are guilty until proven innocent, and root your device if the manufacturer won’t keep its Android up to date.
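As an added illustration (not code from the article), here is a small Python audit that turns the output of a few standard adb commands into the checks the fragmentation and "guilty until proven innocent" sections argue for: Android API level, whether a security patch level is reported at all, whether sideloading from unknown sources is switched on, and whether Google Play Services is present to receive out-of-band fixes. The sample device outputs are constructed; the property names, the `install_non_market_apps` setting and the `com.google.android.gms` package are the standard Android ones.

```python
import re

# Constructed sample of `adb shell getprop` output for a KitKat-era device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
[ro.product.manufacturer]: [ExampleCo]
"""
# Constructed output of `adb shell settings get secure install_non_market_apps`
# ("1" means installs from unknown sources are allowed).
SAMPLE_NON_MARKET = "1"
# Constructed output of `adb shell pm list packages`.
SAMPLE_PACKAGES = "package:com.android.settings\npackage:com.google.android.gms\n"

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
API_LOLLIPOP = 21  # Android 5.0


def parse_getprop(text):
    """Parse getprop's '[name]: [value]' lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess(getprop_text, non_market_setting, package_list):
    """Return a list of risk findings derived from the three command outputs."""
    props = parse_getprop(getprop_text)
    sdk = int(props.get("ro.build.version.sdk") or 0)
    findings = []
    if sdk < API_LOLLIPOP:
        findings.append("pre-Lollipop Android (API %d): lacks newer platform hardening" % sdk)
    # ro.build.version.security_patch only exists from Marshmallow onwards.
    if not props.get("ro.build.version.security_patch"):
        findings.append("no security patch level reported (pre-Marshmallow build)")
    if non_market_setting.strip() == "1":
        findings.append("sideloading from unknown sources is enabled")
    if "package:com.google.android.gms" not in package_list.splitlines():
        findings.append("Google Play Services absent: out-of-band security fixes unavailable")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_GETPROP, SAMPLE_NON_MARKET, SAMPLE_PACKAGES):
        print("-", finding)
```

Feed it real output by replacing the constructed strings with `subprocess.check_output(["adb", "shell", ...])` results; an empty list means none of the four red flags the article discusses were found.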
Or you could switch to iOS.
But you won’t, because while iOS is a demonstrably safer platform it’s also demonstrably duller. There’s only one way to do things on iOS, and that’s the Apple way – and that’s the very opposite of what Android’s all about. Android is all about giving people freedom, and unfortunately that includes the freedom to make mistakes. We wouldn’t have it any other way.