Five simple ways to avoid Android malware

Android malware really is everywhere, but you can keep yourself safe by following some simple rules.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

It's weird. Linux, which is Android's foundation, has almost no malware to speak of. Trend Micro, however, predicts that there may be as many as a million Android malware threats by the end of the year. What's going on here?

Make no mistake about it, there are real Android malware problems. (Credit: Juniper Networks)

Part of it is that Android is being targeted because it's extremely popular. The research company Canalys found that Android is running on 59.5 percent of all smart mobile devices that were shipped in the first quarter of 2013. Thus, as Juniper Networks Mobile Threat Center (MTC) reported, "Just as commercial sales teams have learned to 'fish where the fish are,' cyber criminals are focusing the vast majority of threats on Android (PDF Link) and its open ecosystem for apps and developers. By March 2013, Android was the target of 92 percent of all detected mobile malware threats."

But Linux is popular too. Windows is still number one on the desktop, but on all other platforms Linux is on top. So, why is only Android where there's trouble? It's easy.

Android users are doing it to themselves. Android makes it far too easy to install bad software. If you want to use your Android phone or tablet safely, just obey these simple rules and you'll be much safer. 

1) Don't visit, and whatever you do don't download materials from, suspicious Web sites

The security company Blue Coat has found that pornography is a key threat vector. "In 2012, the most dangerous place for mobile users was pornography. More than 20 percent of the time that a user went to a malicious site, they were coming from a pornography site."

So, just avoid dodgy sites and you'll avoid a lot of malware. It's that easy.

2) Don't download programs from third-party Android stores

Juniper Networks has found that "third-party marketplaces have become a favored distribution channel for malware writers." Juniper added, "Third-party application stores are the leading source of the most common type of Android malware, fake Installers, which pose as legitimate applications."

Sure, if your carrier company or device vendor provides you with an app store, you can use it. Generally speaking, though, if you stay away from third-party Android stores and stick to the Google Play store, you'll be a lot safer.

3) Look carefully at any program before you install it to make sure it's legitimate and it only asks for necessary permissions.

You should be wary of unknown programs even on the Google Play store. True, Google has made big strides forward in keeping malware out of the Google Play store with its Bouncer program, which detects developer-uploaded malware, but there are still bad programs within its virtual walls as well. A recent fake BlackBerry Messenger Android app made it to Google Play and was pulled only after 100,000 people downloaded it.

So even on Google Play, look carefully at each application before you install it. Are many people using it? Does it have good reviews? Is it really from who it says it is? The BlackBerry malware, for example, was successful because it said it was from RIM... but BlackBerry had stopped using that name in January 2013.

You should also check the permissions of any program that you install. Why should a game, for example, need to send a text?

If you're not sure what's what with permissions, look on the Google Play site to see what the developer has to say about his or her app's permissions. If he or she doesn't have anything to say, stay away.
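The permission check described above can also be done mechanically. The following is an added example, not code from the original article: it reads the uses-permission entries from a decoded AndroidManifest.xml and flags anything the kind of app should not need, such as a game asking to send texts. The sample manifest, the package name and the per-category baseline are constructed assumptions; the permission names are real Android ones.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that can cost money or expose private data.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send (premium) text messages",
    "android.permission.CALL_PHONE": "can place phone calls",
    "android.permission.READ_SMS": "can read your text messages",
    "android.permission.READ_CONTACTS": "can read your address book",
}

# Assumed baseline of what each kind of app plausibly needs (illustrative).
EXPECTED = {
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permissions a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)

def review(manifest_xml, app_kind):
    """List (permission, level, reason) for requests outside the baseline."""
    expected = EXPECTED.get(app_kind, set())
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            continue
        if perm in SENSITIVE:
            findings.append((perm, "HIGH", SENSITIVE[perm]))
        else:
            findings.append((perm, "REVIEW", "not expected for a %s app" % app_kind))
    return findings

# Constructed sample: a puzzle game that also wants to send SMS.
SAMPLE_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for perm, level, why in review(SAMPLE_GAME_MANIFEST, "game"):
        print(level, perm, "-", why)
```
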

4) Upgrade, if possible, to the latest version of Android.

Another way to improve your safety is to upgrade your phone or tablet to Android 4.2, Jelly Bean. According to Juniper, 77 percent of Android malware makes its owner money by sending premium SMS messages. With 4.2, Android notifies you if an application attempts to send SMS to premium texting services with additional charges. You can then decide if you want to allow the application to send the message or to block it.

5) Use A/V software.

Finally, while Android anti-virus (A/V) software is not a cure-all, with so much malware out there you should no more run an Android device without A/V protection these days than you would run a Windows PC without A/V protection.

If you've been using Android for a while, you might think that A/V software is useless. True, there was a time when most popular A/V software was junk. Things have changed.

Today, most Android A/V programs do a good job of protecting you. (Credit: AV-Test)

In the February 2013 AV-Test Android A/V tests (PDF Link), the AV-TEST test laboratory found that 21 A/V apps "were able to achieve excellent results." These tests were run on a Samsung Galaxy Nexus with Android 4.1.2 against a reference set of nearly 1,000 pieces of malware.

The top four programs were: first place, TrustGo; second went to that old favorite, Lookout; and third was a tie between Norton Mobile Security and Trend Micro's Mobile Security.

I know many of you will see this as an annoyance. Let me put it to you this way: Would you rather go to some trouble now, or pay a $500 phone bill for bad SMS calls or find all your credit card numbers have been sold off to the highest bidder?

Me? I'll go to the trouble of making sure my Android devices are as safe as I can make them.
