Android security is in the mind of the beholder.
The details: According to new data released by Google, Android devices are nine-times less likely to download and “potentially harmful application” (PHAs) from the Google Play store than from a third-party store or sideloaded APK.
In the latest Android Ecosystem Security Transparency Report (which Google will now release quarterly after doing yearly updates since 2010), Google notes that 0.09% of devices that exclusively used Google Play had one or more PHAs downloaded. This is compared to about 0.82% of devices which installed apps from outside of Google Play in 2017 and 0.68% through the first three quarters of 2018.
The rate for potentially harmful apps (from any source) was highest with Android Lollipop (versions 5.0 and 5.1, released in 2015) with 0.66% of devices. Android KitKat (version 4.4 released in 2013) was second with 0.56% of devices. The latest version of Android—Pie, released this year) has a rate of 0.06% of devices with PHAs.
India and Indonesia were the countries with the highest rate of PHAs at 0.65% as of September 30th, 2018. The United States came in third with 0.53% of devices.
Why it matters: Compared with Apple’s iOS, the Android ecosystem has long been thought to be much less secure, given its open source ecosystem and ability to download or sideload apps from a variety of sources.
That being said, Google has a long history of protecting users from malicious Android apps through the Android Market and then Google Play. Google’s security oversight over its apps ecosystem has evolved over the years. From the simple “Bouncer”—introduced in 2012—which scanned every Android app in the store for known malware to the Google Play Protect program which scans all apps on a device (regardless of source of origin) for potentially harmful apps, released in 2017.
The rate of malware actually on people’s devices does not match Android’s reputation for being a hellpit of malicious apps and activity. Google’s machine learning has become very good at not just identifying malware, but scanning for unnecessary permissions from a downloaded app on a device.
The hacker’s perspective:
Code Red editor Dan Rowinski says,
“As we have seen with reports that world leaders’ phones being (potentially) hacked, smartphones are not impervious to attackers. But phone hacking is usually more a product of phishing or sophisticated work done by professional hackers than it is from generic malware. Most of the generic malware that has long pervaded the Web has not translated well to the apps ecosystem, where both Apple and Google have been able to build security protocols from the ground up as the volume of apps in the App Store and Google Play have swelled. This is one of the few benefits of keeping tight control over a closed ecosystem. With Google Play Protect, Google also recognized its rather large problem of people downloading potentially harmful applications from third-party sources by scanning the phone directly, as opposed to the Store itself.
That being said, Google’s constant scanning is not without a flaw or two. Days after Google’s latest Transparency Report, an ESET researcher found one app which downloaded malicious code to a device which had been on the Google Play Store for almost an entire year.”