We’re all used to hearing about how horrible malware is on Android, but a new report is the most disturbing yet. Security firm G Data is projecting that not only will new Android viruses and exploits reach new heights in 2017, but a new one will be discovered once every 10 seconds. But before you toss your Android phone in the trash, let’s explore how bad it really is.
While 8,400 malware discoveries every day is certainly alarming, it’s important to know that they’re not coming from the Play Store. There are millions of Android phones around the world that connect to their own dubious third-party app stores, and millions more that side-load suspect apps to bypass paying for them through the Play Store, and that’s where nearly all of the 3.5 million malware instances will come from this year.
But that’s not to say you’re completely in the clear. Android is the most popular mobile OS by a wide margin, and with popularity comes malfeasance. Android will always be a target for hackers, and as such, Google has taken great strides in Nougat and Android O to limit the chance that your phone could get infected.
There’s just one problem: According to the May distribution numbers, just 7.1 percent of all Android phones are running Nougat, less than the 7.5 percent that were running Marshmallow at this time last year. That means the vast majority of phones are not only missing out on some great features, they’re also behind the times when it comes to security. Many of the phones bought last year will never get the latest update, and even a brand-new flagship like the Galaxy S8 is still running an OS that’s several versions behind.
And while Google has set a new standard with monthly security updates, which most manufacturers do a decent job of delivering, those start lagging behind after a short while too. Even Google’s devices have a pretty short expiration date of just two years for version updates and three years for security patches, and right on schedule, the Nexus 6 and Nexus 9 are no longer being updated.
It’s one thing to withhold certain new features that the hardware can’t support, but security updates shouldn’t have such a short end-of-life date. Microsoft has vowed to support Windows 10 through 2025, but if you buy a Pixel today, you already know that it won’t get Android Q. And that means it won’t have the latest security measures to fend off future malware.
One step behind
Android O brings a pretty major change to how outside apps are installed. Previously you only needed to flip a single toggle to allow your phone to accept installation of apps from unknown sources, but with Android O, that permission is granted on an app-by-app basis. So, if there’s a malicious app on your phone that’s trying to muck up your system by installing other software, it won’t be able to do so unless you give that app explicit permission.
But most phones will never see Android O, including the Nexus 6 and Nexus 9 that were on sale just two years ago. Google is in a constant fight against malware on Android, but the struggle isn’t just against the attackers, it’s also over the delivery. Hackers love to target old exploits that people haven’t patched, and more than 90 percent of Android phones are at risk just because Android N hasn’t reached them yet.
Better cooperation between Google and its major OEMs is essential to ensure that as many phones as possible are kept up to date with security patches. Most of the 3.5 million instances of malware that crop up this year will never get close enough to infect your phone, but it only takes one. And while you can certainly protect yourself by staying away from unverified sources, there’s always the temptation to get that hot new app early or try out that cool APK that Google won’t allow in the Play Store.
And it would be nice to know that there’s a proper line of defense in place in case one of them turns against us.