What you should and shouldn’t worry about in Android security

Rob Pegoraro
Contributing Editor
Your smartphone is surprisingly vulnerable to viruses and malware. But you can protect yourself.

BARCELONA — The smartphone industry has given birth to a vibrant growth sector distinguished by its creativity, drive and entrepreneurship. Unfortunately, that sector is malware.

Conversations with security professionals here at Mobile World Congress, the world’s largest mobile tech show, provided a dismaying, but necessary, reminder that the computers in our pockets are targets for authors of malware and other scams — and that many of us don’t care about those risks.

“The amount of thought that consumers are giving to security is almost nonexistent,” said Gary Davis, chief consumer security evangelist at Intel (INTL).

App anxiety

The major malware risk on smartphones remains downloading a hostile app that tries to compromise your data or run up your phone bill. The best advice for avoiding such threats is to stick to the Google (GOOG, GOOGL) Play Store instead of downloading apps from third-party stores or off the Web.

The fact that Google screens its Play Store apps makes the risk of malware there “dramatically less than a third-party app store, by far,” said Davis. Still, the Play Store isn’t immune from crooks.

Last month, for instance, the Slovakian security firm ESET found a trojan app on the Play Store disguised as a world weather app. Google yanked the app after ESET notified the company.

“We encounter these things … I would say every couple of months,” said ESET chief technical officer Juraj Malcho. The risk of downloading malware on iOS is vanishingly small in comparison to Android, thanks in part to the strict limits Apple (AAPL) places on how apps interact with the operating system.

A recent report by Intel’s McAfee subsidiary noted a related issue: Many customers still have copies of apps on their devices that have long since been removed from the Play Store. The report urged more notification and disclosure when apps are taken out of the marketplace.

Read the reviews, please

But many users may ignore those alerts if an app looks legit. The McAfee report noted an example of a photo app that silently signed users up for premium text messaging services — and yet still earned a 3.5 out of 5 rating on the Play Store.

ESET’s Malcho said he wished people would look past apps’ ratings and instead check users’ comments. “Many times, we encounter clear reviews in the text, ‘Don’t install this,’ ‘this is bloody malware,’ and people install it anyway.”

Some of the countries represented at MWC don’t have access to the Play Store, because their governments block Google. That leaves those users subject to whatever defenses their local app store alternatives offer.

Niloofar Amini, business developer at Tehran-based Cafe Bazaar, said his Iranian firm has a dedicated review team to assess and re-assess apps. Of course, the company also has to ensure that titles comply with the Islamic Republic’s morality laws and limits on political speech.

If you’re in China? Good luck. Intel’s Davis described app stores there as “just riddled” with malware.

Good and bad news on phones

The show floor provides one reason for optimism about the state of Android security: fingerprint sensors. When even cheap, unlocked phones like the $229 Moto G5 Plus can be unlocked via their fingerprint sensors, we should begin to see more people securing their phones.

Today, a disturbingly high number — 28 percent of Americans, according to a Pew Research Center study released in January — don’t lock their phones at all. Without that, a stolen phone can easily be wiped and resold … after the thief abuses all the personal data on it.

“Let’s stop calling it a phone,” said Raj Samani, Intel Security’s chief technical officer for Europe, the Middle East and Africa. “It’s not even a computing device — it is our digital passport.”

Unfortunately, most of the devices on the floor don’t run the latest version of Android, which can leave them open to security holes. Demo units of Samsung’s new Tab S3 tablet, LG’s G6, Moto’s G5 Plus and HTC’s (headphone jack-deprived) U Ultra all ran Google’s Android 7.0, which shipped in August, not its subsequent updates.

The new Nokia 5 was a refreshing exception, showing the current 7.1.1 release and security patches current through March 1 — but that phone hasn’t been announced for the U.S. market yet.

Meanwhile, the majority of Android phones run older versions that lack the stronger security of 7.0, and the stricter control of apps added in 2015’s Android 6.0. Intel’s Samani called those “brownfield” devices, after the term developers use for environmentally contaminated sites that they sometimes must build on.

ESET’s Malcho mused out loud about a more extreme fix for that brownfield-phone problem: “Make the device so it dies in two years.”

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.