How to combat the threat of Android malware

Many antivirus apps are bad, but there are solutions.

It’s almost impossible to read the news these days without seeing yet another article on the rising threat of Android malware. But at the same time, a new report from AV-Comparatives has been making the rounds for its finding that most Android antivirus apps are terrible scams. So what’s a security-conscious user to do?

It’s easy for reports to get overblown, so we spoke to the folks at AV-Comparatives to get to the crux of the matter. They’re an independent organization that tests the effectiveness of security software on PCs and phones to find what actually works (and what should be avoided like the plague). Here’s what they had to say about the prevalence of Android malware, and what you can do about it.

Android malware is real, but the risk is higher outside the U.S.

The risk of malware on the Android operating system “depends on many different factors,” says Andreas Clementi, CEO of AV-Comparatives.

“Official stores such as Google Play are mostly used in western countries, where the risk of infection is very low,” Clementi says. “In Asian countries, where rooted devices and large number of third-party app stores can be found, the chance of installing a dangerous app is greatly increased.”

Furthermore, Android malware is different from Windows malware, and that leads to confusion when all you see are scary statistics.

“Numbers propagated in the media might be inflated, depending on how threats are defined,” Clementi says. “Some people define Adware and other potentially unwanted apps as threats. If those are counted as such, the numbers look very high, as there are a lot of potentially unwanted apps on Android.”

Put another way, there’s a big difference between malware that spams you with ads and malware that tries to steal your personal information. And while phishing and other more serious threats are definitely present in the Android ecosystem—including in the Google Play Store—they may not be as prevalent as some news outlets would have you believe.

Most (but not all) Android antivirus apps are terrible

This spring, AV-Comparatives tested 250 antivirus apps, finding only 80 that detected a significant number of malicious samples. The remaining 138 either had a detection rate lower than 30%, had too many false positives, or—in many cases—weren’t really antivirus apps at all. The wannabes, instead of scanning for malware, relied on primitive whitelists that would allow certain known apps and block everything else. Not only is this approach incredibly annoying (since it will almost certainly block trustworthy apps you actually want to use), it’s incredibly ineffective, as malware developers can easily circumvent it.

That said, there are plenty of anti-malware apps on Android with higher detection rates, particularly those from the same trusted security companies making good antivirus programs on Windows—companies such as ESET, F-Secure, Bitdefender, and Malwarebytes, for example.

Unfortunately, even these apps can only do so much, as the technology within them is much simpler than what runs their Windows counterparts. And most apps merely detect when you download or install an app, then compare its digital signature against a database of known malicious apps. If the app is on that list, the antivirus will alert you and ask that you remove the app. This simple approach doesn’t make antivirus apps very compelling, even when you factor in the virtual private networks, call blockers, and other extra features some offer.

The best security is to avoid malware altogether

So Android malware is real and not all antivirus apps are total scams, but do you actually need protection? Well, experts are somewhat split on the issue.

While the risk of infection is low in the U.S., Clementi says it never hurts to be proactive in case the situation changes. Google itself, however, has railed against antivirus apps in the past. In 2014, for example, Google’s then-lead security engineer for Android said there was “no reason” to install an antivirus app because the risk was low and Google’s built-in protections were strong enough. Antivirus manufacturers fired back, scoffing at the notion and pointing to third-party app stores used across the globe (and a few pieces of malware that have, despite Google’s protections, snuck into Google Play).

Unfortunately, most people taking part in the discussion have some sort of skin in the game, so it’s hard to know whose opinion to trust.

There is one thing all experts agree on, though: your first and main line of defense should be common sense and good security practices.

“Only download apps from official app stores like Google Play, or stores of reputable app makers and avoid third-party stores and side-loading,” Clementi says.

Of course, Google Play still hosts some bad apps while third-party sites may offer trustworthy downloads. The most important thing is to download apps built by well-known developers and companies you trust. And never, ever, pirate apps from sketchy sites, as these are often dangerous.

Similarly, check the permissions an app requests before you install it.

“An app that counts the steps the user takes every day, for example, has no need to access the phone book or call log,” Clementi says.

Over-reaching permissions won’t necessarily guarantee an app is malicious, but they may warrant further investigation on your part before installing.
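The step-counter check described above can be automated. The following is an added example, not part of the original article: it parses output in the style of `aapt dump permissions` and flags privacy-sensitive permissions that fall outside what the app's category plausibly needs. The package name, the sample dump, and the per-category baseline are assumptions made for illustration.

```python
import re

# Constructed sample in the style of `aapt dump permissions app.apk`
# for a hypothetical step-counter app (package name is made up).
SAMPLE_DUMP = """\
package: com.example.stepcounter
uses-permission: name='android.permission.ACTIVITY_RECOGNITION'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.VIBRATE'
uses-permission: android.permission.BODY_SENSORS
"""

# Assumption: what a reviewer considers plausible for each app category.
# Illustrative baseline only, not an official Android or AV-Comparatives list.
EXPECTED = {
    "step_counter": {
        "android.permission.ACTIVITY_RECOGNITION",
        "android.permission.BODY_SENSORS",
        "android.permission.INTERNET",
    },
}

# Permissions exposing personal data; unexpected use warrants a closer look.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Handles both the newer name='...' form and the older bare form.
PERM_RE = re.compile(
    r"^uses-permission(?:-sdk-\d+)?:[ \t]*(?:name=')?([\w.]+)", re.M)

def parse_permissions(dump):
    """Return the sorted, de-duplicated permissions requested in the dump."""
    return sorted(set(PERM_RE.findall(dump)))

def audit(dump, category):
    """Split permissions outside the category baseline into two buckets."""
    extra = [p for p in parse_permissions(dump) if p not in EXPECTED[category]]
    return {
        "investigate": [p for p in extra if p in SENSITIVE],
        "other_unexpected": [p for p in extra if p not in SENSITIVE],
    }
```

A hit in `investigate` does not prove the app is malicious; it marks the requests worth questioning before installing.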

Finally, if you can help it, don’t root your phone.

“Rooting the smartphone may gain the user more functionality, but it also increases the risk that malicious apps will take control of the device,” Clementi says.

It also helps to buy a phone that gets regular security updates. Samsung’s Galaxy line, Google’s Pixel line, and any phone in the Android One program are good choices for that reason. Many people root their phones in order to get security updates, so if you buy a well-supported device, you may not need to root at all.

These practices are the most important steps to avoiding malware, antivirus or not. If you’re the kind of person who can’t resist installing every wallpaper app and free game you come across, it may behoove you to install one of the more trustworthy antivirus apps for a modicum of protection. But you’d be much better off considering your downloads more carefully instead.