The media (and Apple) still can’t stop talking about Android malware. Antivirus companies want to sell you a complete Android security solution, but Android malware can be avoided with a few common-sense tips.
Antiviruses aren’t essential on Android, like they are on Windows. However, proper security practices like not downloading and installing suspicious programs also apply on Android.
Exercise Caution When Sideloading Apps
Unlike Apple’s iOS, Android allows you to install apps from outside Google Play. While Google may remove apps from Google Play, you still have the option of getting them from elsewhere. Installing apps from outside the device’s app store is referred to as “sideloading.”
Of course, with great power comes great responsibility. Sideloading is disabled by default for security reasons. Enabling it is just a matter of enabling the Unknown sources check box in your Settings screen. There are good reasons to enable sideloading – perhaps you want to use the Amazon App Store, install Android games purchased from the Humble Bundle, or just install apps that aren’t yet available in Google Play, like XBMC for Android.
However, there are also bad reasons to enable sideloading. If you’re installing pirated APK files to avoid having to pay for games and other types of Android apps, you’re taking a serious security risk. It’s possible to locate APK files claiming to be pirated apps on the web and install them, but this is a significant risk, just as downloading pirated applications can be on Windows.
As we mentioned in HTG Explains: Does Your Android Phone Need an Antivirus?, a study by McAfee found that over 60% of the Android malware samples they received were from a family known as “Fakeinstaller.” FakeInstaller malware disguises itself as a legitimate app and sends premium-rate SMS messages in the background once installed, costing you real money. This malware likely comes from pirated apps downloaded from suspicious websites or disreputable third-party app stores.
In short, only install apps from sources you trust. The official apps from Amazon, Humble Bundle, and XBMC shouldn’t be a problem, but a pirated game app from a third-party website may be stuffed with malware. If you’re using Android 4.2 or a newer version of Android, Android will offer to scan sideloaded apps for malware.
Avoid Suspicious Third-Party App Stores
Malware may also come from third-party app stores whose owners either don’t inspect the apps in their store for malware or don’t care that malware is being pushed through their store.
Studies have found that some third-party Android markets in countries like China host some types of malware not found elsewhere. Lookout Security found that third-party markets in China contained a Trojan named Gemini, which runs in the background, collecting a phone’s location information and other unique identifiers and sending it to remote servers.
To be infected with this Trojan, you’d have to be using a third-party market from China or install an app that came from there.
Watch the Apps You Install From Google Play
Some studies by antivirus companies – the same antivirus companies that want to sell you an Android antivirus solution – classify certain types of apps as malicious when they’re not. Some studies have scanned Google Play and concluded that certain apps are “high-risk” because they have access to permissions like viewing your phone’s device information. While this may be a privacy concern, such studies are overly sensational and lumping such apps in with malicious apps only serves to confuse the issue.
Still, when installing apps from Google Play you should exercise some caution. Don’t install suspicious-looking apps with bad reviews (or few reviews), apps that require too many permissions (like games with permission to send SMS messages), and other suspicious-looking apps. If an app needs a permission like the “Send SMS messages” permission, make sure it has a legitimate reason for requesting that permission. Most malware comes from outside Google Play, but exercising caution is always helpful.
Watch Out for Phishing
Malware isn’t the only security threat. Social-engineering techniques like phishing through email, SMS messages, or web browsers can be attempted against Android users, just as they can against desktop PC users. If you get a suspicious email claiming to be from your bank, open a link from it, and enter your online banking credentials into a fake website, it doesn’t matter whether you were using Windows or Android – either way, you gave away your sensitive information.
Update Your Phone or Tablet
Just like on another operating systems, security problems are occasionally found with the Android operating system and devices using it. Updates to the Android operating system often fix these problems, and device manufacturers can release patches to fix problems unique to their device.
Unfortunately, Google isn’t responsible for rolling out updates to all Android devices. Device manufacturers and carriers are responsible, and they often drag their feet and may never even get around to releasing operating system security updates – especially for older or less-popular devices.
For the same reasons your Android phone or tablet doesn’t get OS updates in general, it may not get important OS security updates, either. Google does directly update its Nexus devices, but security updates for devices like the Samsung Galaxy S III could potentially take months to trickle down through all carriers worldwide. Cheaper and less popular phones will be worse off.
Luckily, the sheer variety of different Android devices and operating system versions out there has meant that no significant attack against old, unpatched versions of Android has yet occurred. However, the lack of Android operating system security updates for many devices could result in wider-scale attacks in the future. This may just be another good reason to buy a Nexus device or use a custom ROM like Cyanogenmod until manufacturers and carriers get serious about updates.