There is certainly no shortage of infosec headlines mentioning some new Android malware threat. There are banking Trojans, malware that can root your phone, monitor your communication or steal your data. Given the frequency and bombast of the headlines, you might even think that Android is completely insecure and overrun by malicious apps. But this isn’t true for most in the Google world.
If you live in North America, Europe, Japan or Australia, your Android device almost certainly uses the Google Play Store for app discovery and installation. Malicious apps are sometimes found in the Play Store, but those are usually apps with little usage. Plus, Google often will have removed a malicious app from the Play Store by the time you see the news story about the risk.
Google’s statistics claim that 0.16% of the apps that users attempted to install from the Play Store in 2015 were found to be malicious. And various studies show that the average Android user only installs about one app per month. Basically, you really need to be unlucky to install a malicious app out of the 2.4 million available in the Play Store.
Going outside of the Play Store does bump up your risk factor, but there is still a process to installing a malicious app that news about Android malware tends to gloss over. The vast majority of Android malware is delivered to devices via “side loading,” which is to say the app has to be actively installed by the user outside of the Google Play Store environment. This is not a simple process.
In order to be able to side load an app, a user must first go into the device settings and turn on the option to install apps from “Unknown Sources” and tap OK on the dialog that pops up warning the user that side loading apps makes “your phone and personal data more vulnerable to attack.”
Then it is a matter of getting the malicious app onto a user’s device. Often, malware is hidden inside hacked versions of popular apps that are hosted on pirate download sites. So if a user wants to get a paid app for free, they might accidentally get malware as well. However, when a user attempts to install a malicious app, Google’s Verify Apps feature kicks in. Verify Apps will present the user with a warning at the time of install (which requires two taps to bypass) and even if a user confirms the installation, Verify Apps can remove apps that register as device admins or disable apps that “compromise the device security model.”
Of course, all of this assumes the user has an Android device with Google apps and services on it. Many devices sold in Russia, China and India do not have Google apps and services, which is why Android malware is far more prevalent in those regions.
But imagine the process of delivering malware to an Android device when needing to trick the user into downloading it: First, the user is deceived into downloading the malicious app. Then the user would have to find the app on the device (which could even require a file explorer app that is not always present on the device by default), attempt to install it and be warned that the installation cannot happen without changing the “Unknown Sources” setting. The user would have to change the setting, bypass that warning, attempt to install the app again, likely be warned again, bypass that warning and complete the install. At this point, depending on what version of Android the user has, this might mean approving the app permissions at the time of install; or, it might mean opening the app and approving permissions for the app to access the device storage. Even after all of that, Google’s Verify Apps might still step in and kill the app for you or Google’s Safety Net might catch the app attempting to contact a command and control server to download malicious code and shut that down.
That’s a complicated process that often gets ignored in the rush to put up a headline about some “dangerous” new Android malware. Just remember: a malicious app can’t appear on your device by magic. So, if you stick with established apps in the Google Play Store and avoid side loading apps, your chances of being infected by a malicious app are close to zero.