Stop me if you’ve heard this one: A chilling new form of Android malware is lurking in the wild. Millions of unsuspecting users are at risk. Your corporate data could be compromised any second now — and purchasing this-or-that Android security suite is the only way to make sure you’re safe.
Sound familiar? It should: A warning like that is issued practically every month — sometimes even more often. It’s enough to make you want to collect every Android device in a 12-mile radius and bury them all in a signal-free bunker. In actuality, though, it’s a highly misleading message with no real cause for alarm.
I’ve covered Android closely since the platform’s inception, and the subject of Android security is one of the most sensationalized and misunderstood areas of tech today. The reason is simple: Mobile security is big business, and plenty of companies stand to profit from creating and continually reinforcing irrational fear.
Well, enough’s enough. It’s time to break down the realities of Android security — and see why third-party security software is almost never the right answer.
1. The vast majority of reported Android malware threats are purely theoretical
Sorry to burst the bloodcurdling bubble, but most of those big, bad Android malware threats you hear about have practically zero chance of affecting any corporate device in America. You just have to seek out the often-unstated fine print to understand why.
Let’s use a real-world example: Remember the big “Quadrooter” scare from a while back? A whopping 900 million Android devices were said to be vulnerable. If your company were to fall victim to the beast, well, you might as well just hang up your hat and call it a day.
The only answer, according to the folks at Check Point who publicized this thing, was to use an “advanced mobile threat detection and mitigation solution” — you know, kind of like the one Check Point just happens to sell to enterprise customers.
Here’s the asterisk that got lost in all that fear-mongering, though: An “advanced mobile threat detection and mitigation solution” was already present on practically every one of those aforementioned 900 million Android devices. It was known at the time as Verify Apps, a native part of the Android platform that scans devices continuously to prevent the installation of any new malicious apps — and to identify any existing apps that suddenly start acting suspiciously. (The system has since been rebranded as part of Google Play Protect.)
Verify Apps was available on every Android device with 2010’s Android 2.3 or higher — in other words, virtually all active Android devices. By the time Check Point’s publicity campaign began, Google had confirmed the system was already actively protecting users from any Quadrooter-related activity (none of which, it’s worth noting, was ever actually observed in the real world).
The same sort of scenario pops up all the time with these scares. More often than not, reports of Android malware are little more than thinly veiled marketing campaigns for unnecessary software. For perspective, Google’s most recent Android Security Year in Review report found that as of the fourth quarter of 2016, only 0.05 percent of devices that download apps exclusively from the Play Store had encountered any sort of potentially harmful application.
2. At best, third-party Android security software duplicates protection already provided by Android
For all the overhyped pseudo-threats, there is the occasional legitimate malware issue on Android. This summer’s WireX botnet attack is a perfect example: Some scofflaws managed to sneak a few hundred shady (and, from all signs, extremely questionable-looking) apps onto the Google Play Store. The programs masqueraded as things like media players and ringtone tools but actually used their host devices to conduct a widescale DDoS attack effort.
Here’s what’s significant, though: By the time the WireX effort was made public, Google had already removed the misbehaving apps both from the Play Store and from all devices on which they were installed.
Adrian Ludwig, director of Android security at Google, says when a breach like that is identified, the company typically takes such action within “a couple hours.” More frequently, he says, the process doesn’t even reach that point.
“Probably 80 or 90 percent of the apps that we take action on don’t receive any visibility — they’re either uploaded to Google Play and blocked before they get published, or we take action when they have extraordinarily small number of downloads,” Ludwig says.
At best, a third-party security app is going to duplicate that same level of protection. And while that type of redundancy won’t cause any overt harm, it also won’t add anything of meaningful value — and it will unnecessarily drain your resources, both in terms of budget (believe you me, these apps aren’t free) and device performance (particularly given how many of these programs include wildly misguided and counterproductive add-ons for “optimizing memory use” and other such snake oil).
Ask around. There’s a reason practically no one who’s knowledgeable about Android — Googlers, developers, even lowly tech journalists — uses or advocates these types of tools.
3. Even if you do happen to encounter Android malware, it’s highly unlikely to compromise corporate data
Malware on a mobile operating system is meaningfully different from malware on the desktop. When we think about infections like 2017’s Windows-based WannaCry, we think about nasty code that sneaks onto systems and gains access to everything within.
With an Android device, particularly one configured for enterprise use, that level of compromise is virtually impossible to achieve. First, applications are sandboxed and kept separate from other areas of the system with limited abilities to go beyond those virtual walls. Second, with an enterprise-ready device, an additional barrier exists to keep personal and company data detached.
“Almost none of the malware we see on Android even makes an attempt — let alone succeeds — at going across those sandbox boundaries,” Ludwig says.
Traditional computer viruses can’t operate within those parameters, in fact. Malware on Android will never sneakily “install itself” as a result of a user visiting a website or opening an ill-advised message. It requires explicit installation — maybe via manipulation, but explicit nevertheless — and even then has access only to the specific permissions granted by the user.
Mobile security lessons learned
If loading up on superfluous security software isn’t the answer, what is? First, it’s important to recognize the more realistic points of compromise on a mobile device and what you can do to address them.
According to the SANS Institute’s 2017 Endpoint Security Survey, browser-based attacks and social engineering pose the greatest risks to enterprise security today. That lines up with multiple recent reports from the Ponemon Institute that find negligent employees are the leading cause of business-oriented data breaches.
In other words, people — not technology — tend to be the weakest link. That’s certainly applicable on Android, where sound judgment and common sense are half the battle. After all, if you don’t download, install, and then grant permissions to something shady, it won’t just magically appear on your device.
In an enterprise environment, you can’t leave that responsibility solely in users’ hands. That’s why you should carefully assess manufacturers’ commitments to providing timely and ongoing software updates — both OS updates and monthly security patches — and offer devices only from vendors you can trust. (Hint: There’s really only one advisable option.) Google Play Protect will always be in place and up to date regardless, of course, but you want the foundation of your software to be as strong as the fence that surrounds it.
If your company allows employees to bring their own devices, Ludwig suggests creating a tiered approach in which more trustworthy devices — those with current software and security updates — receive elevated access to corporate data, while higher risk devices get limited or no such access.
Obvious as they might seem, don’t forget security basics. Use a mobile device management (MDM) tool to maintain minimum security standards. Require employees to use device encryption, strong passwords or biometric protection (ideally along with two-factor authentication), and virtual private networks when appropriate. Restrict app downloads to the Play Store, and reinforce the importance of downloading only reputable-looking items with reasonable ratings and reviews (qualifications that didn’t appear to be met by the apps identified as WireX transmitters).
Slapping a second security app onto your Android devices may be the easiest way to feel protected, but it’s the smartphone equivalent of putting two alarm systems on your home instead of making sure your locks work and your kids know not to let strangers in the front door. Don’t let the misleading hype guide your security decisions — and don’t let your weakest link go unaddressed.