Android Security

5 smart questions that'll smother most Android security scares

Start asking the right questions — and stop freaking out.

Android Security Scares
GraphicMama-team/ShortSword/JR Raphael

Android Security

Show More

I haven't looked at today's tech news too closely just yet, but I have a sneaking suspicion some evil-sounding virtual gremlin or other is probably on the brink of invading my smartphone, stealing my secrets, and setting me up for a lifetime of dread and despair.

He might even be covertly eating all the salty snacks from my kitchen this very second. ALL THE SALTY SNACKS, DAMN IT!

I don't have to scan the headlines too closely to know there's a decent chance of all of this happening — because all of this happens practically every other week here in the Android world. A solid few to several times a month, it seems, some hilariously named and made-to-seem-scary new piece of malware (ViperRat! Desert Scorpion! Ooga-Booga-Meanie-Monster!) is making its way onto our phones and into our lives. Or so we're told, rather convincingly and repeatedly. (All right, so I may have made Ooga-Booga-Meanie-Monster up just now, but c'mon: It's probably only a matter of time til we see something using that name.)

In reality, these big, bad bogeyman are almost always sought out, carefully branded, and deliberately played up by the marketing departments of companies that have plenty to gain from perpetuating the idea that our phones are constantly under attack. They're publicity stunts, plain and simple — and pretty shameless ones, at that.

But hey, you're here. You're a step ahead of the uninformed and innocent smartphone-carrying masses — the men, women, parakeets, and Poké-people who tote around Android phones and remain at the highest risk of all. Not of getting infected by some vicious Android malware monster, mind you, but of getting duped by some misleading, sensational scare campaign orchestrated by a company desperate to profit off their fear.

Luckily, there's one foolproof form of protection — and it's information. I've come up with a simple five-question test to run on any Android security scare you see on this wild, untamed internet of ours, and I promise you: It'll save you and your mobile-tech charges countless hours of undue anxiety.

So read over these questions, sing 'em out loud in the shower, tattoo 'em on your thorax — whatever it takes to internalize them and remember 'em for the future. Then, you can become the voice of reason among your less knowledgeable friends, family members, co-workers, and kittens.


1. Who's behind the "research" driving this story, and what's their motivation?

This is an important question to ask with any kind of research, really — but within the realm of Android security scares, specifically, it's rare to encounter a story that can't ultimately be traced back to some company that stands to profit from selling you security software for your Android phone.

And you know what? Such third-party security software is almost always unnecessary on Android. It's little more than mobile-tech snake oil, and that's precisely why the companies that make it have to resort to over-the-top scare-campaigns to trick you into thinking you need it.

Now, just because a company that sells security software is behind a security scare story, should you automatically disregard its findings? Of course not. But you should — nay, you have to — consider that company's motivation as part of the context.

These companies, y'see, devote a substantial amount of resources to searching for untapped security situations and then creating marketing campaigns around them. Remember, anyone can report a vulnerability to Google. These folks deliberately concoct memorable, scary-sounding names for whatever they uncover and then conduct full-fledged publicity operations to get their findings published in as many places as possible. And the narrative they push never fails to mention how their software and their software alone can protect us all from these evil malware monsters — while simultaneously downplaying the layers of protection that are already in place and making the threats of little to no real-world consequence for the vast majority of us.

And that, conveniently, brings us to our second question:

2. Is this threat related to something I'm likely to download and install, or does it revolve around some weird random app no normal person would ever encounter?

When you really stop and read the fine print of most Android malware reports, you realize that a significant percentage of them require you to sign into some obscure Russian porn forum to find and install a shady-looking app (which would then require you to authorize your phone to allow the installation of such an app in the first place — something Android doesn't permit by default and no corporate security policy is likely to allow in any circumstance).

Even if you do for some reason regularly install apps from random non-Play-Store sources, your odds of encountering something truly dangerous are still incredibly low. According to Google's latest platform-wide statistics, just 0.68 percent of devices that installed apps from outside of Google Play were affected by what the company calls "potentially harmful applications" throughout 2018. That's less than one percent, globally.

And when you look at phones that stuck to the Play Store for app installation — what most regular Android owners and certainly most business users do — the number drops down to a mere 0.08 percent.


3. On the off-chance that I did somehow install the trigger, would my phone automatically protect me from anything harmful?

Let's go down a bit of a metaphorical rabbit hole and assume you did run into and install the scary-sounding app demon of the moment. That's already overcoming an awful lot of odds and venturing into pretty hypothetical terrain — but even if we play that game, chances are your phone would still stop the offending app before it was able to do much of anything.

Remember, Android has multiple layers of security: There's the operating system itself, which uses a sandboxing system to keep every app separate from other areas of the device and limit the ways in which it can go beyond those barriers; the permissions system, which limits the types of data and system functions an app is able to access without your explicit authorization; the Verified Boot system, which verifies the integrity of system software every time your phone starts up; and then Google Play Protect, which continuously scans the Play Store and your actual device for signs of suspicious behavior (and remains active and up to date independently, without the need for any manufacturer- or carrier-provided updates).

The Chrome Android browser also watches out for any website-based threats, and Android itself keeps an eye out for any signs of SMS-based scams.

Like any security setup, those systems aren't flawless — but they fail far less frequently than the security software vendors would lead you to believe. More often than not, even on the extremely low chance that you do encounter anything dangerous, at least one of those layers will keep it from doing anything.

And if not...

4. If all systems failed (including my own common sense) and I managed not only to find Android malware but also to install it and get it running on my device, what would actually happen as a result?

When we hear about problematic apps making their way into the Play Store, the apps are by and large programs that do something shady in order to make extra money for the developer — like click fraud, which accounted for more than half of all potentially harmful app installs from the Play Store in 2018, according to Google's internal stats.

Click fraud is just a fancy way of saying an app quietly clicks on ads in the background in order to run up a tally. It's by no means good or something you want to be involved with, but it's also a far cry from identity theft, data compromise, or any of the other life-altering fears these security scare campaigns tend to play off of.

Take, for instance, this week's terrifying-sounding "Agent Smith" malware (yes, I just checked this week's headlines — and sure enough, there was no shortage of examples). Discovered and publicized by mobile security software vendor Check Point (mhmm), the malware "exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions without users' knowledge or interaction."

HOLY HELLFIRE! That's it: I'm hiding under my desk.

But wait — what's that you say? (It's hard to hear from all the way under here.) What does this blood-curdling beast actually do?

Oh: "The malware currently uses its broad access to the devices' resources to show fraudulent ads for financial gain."


Beyond that, the app has primarily been found on third-party app stores that, if you're reading this, you probably haven't ever used. And even in those stores, it's typically tucked into "barely functioning photo [utilities], games, or sex-related apps," according to some fine print in Check Point's materials (fine print that, by the by, is oh-so-conveniently not included in any of the company's widely promoted blogs or press releases).

As I've said before, Android malware is mostly the terrain of low-level pickpockets who pounce on easy opportunities to snag dangling dollars — usually indirectly, at that — and not sophisticated identity thieves who infiltrate their victims' lives.

And finally:

5. Has any normal user actually been affected by this in the real world?

Lemme ask you this: Of all the folks you know who use Android, how many have actually been affected by legitimate malware on their mobile devices? Once you factor in all the caveats we just finished discussing, the answer — for most of us — tends to be somewhere between "zero" and "none."

And the scarier the software sounds, it seems, the more likely it is to be completely irrelevant to your life. Look, for instance, at this week's thoughtfully branded "Monokle" malware. (The "k" in "Monokle" makes it seem extra unusual and intimidating — and also has the side perk of making it easy to own as a search term. See what they did there?)

"Monokle" was uncovered by Lookout, one of Android's longest-standing security-scare-campaign orchestrators. The software, according to the company, "possesses remote access trojan (RAT) functionality, uses advanced data exfiltration techniques, and has the ability to install an attacker-specified certificate to the trusted certificates store on an infected device that would facilitate man-in-the-middle (MITM) attacks."

Well, by golly, I think I've just soiled my trousers. Hang on, though: When exactly will this thing jump out and attack me? Oh — no one has ever actually seen this terrifying ogre out in the wild, you say? No one knows how it's distributed or has any reason to believe any normal person would ever encounter it in any way?

All righty, then.

But, take heart: "Lookout customers have been protected against Monokle since early 2018."


Here's the reality, my amigo: Android absolutely does have a troubling security epidemic. It's in the way companies take advantage of naivety among average phone-owners in order to create a persistent fear that serves business goals. Without that fear in place, these companies wouldn't be able to sell their software. And if they didn't sell their software, they wouldn't be in business.

At the end of the day, a teensy touch of Android knowledge and a healthy pinch of common sense will go a long way in keeping you safe — both from the big, bad bogeymen security software vendors love to tell tales about and, more significantly, from the software vendors themselves and the sensational exaggerations they never stop spreading.

Keep these questions handy — and make sure you're always keeping up with your own basic Android security hygiene — and you'll find there's rarely a reason to worry, no matter how much huffing and puffing the latest Android malware monster may do.

Sign up for my weekly newsletter to get more practical tips, personal recommendations, and plain-English perspective on the news that matters.

AI Newsletter

[Android Intelligence videos at Computerworld]

Copyright © 2019 IDG Communications, Inc.

It’s time to break the ChatGPT habit