It happens like clockwork: Every few weeks, a new story emerges about some big, bad, scary Android malware threat and how everyone who owns an Android device is in serious soil-your-pants-style danger.
The only problem? In nearly every scenario, the threat is purely hypothetical — and the chances of an actual infection are next to none.
That’s certainly the case with our latest doom and gloom story — a fright-inducing app signature vulnerability brought into the public eye by a new security company called Bluebox (which, like almost every company that releases scary-sounding info about Android threats, is a business built around the sales of Android security software — go figure).
The vulnerability, according to Bluebox, allows hackers to modify legitimate Android apps and transform them into Trojan programs that — you guessed it — will steal your data, take control of your phone, and kill your friends and family. (Okay, maybe not that last part, but it’s only a matter of time before someone claims that, too.)
That all sounds pretty scary, right? Here’s the thing, though: In the real world, few if any people are actually in danger. Why? Because Google scans all apps within its official Play Store for this exact sort of malicious code. Given that the vast majority of Android users obtain apps from the official Google marketplace, there’s no need to panic, destroy all electronic devices and flee to the nearest forest (unless that’s just your idea of a lovely summer evening, in which case you should proceed as planned).
But wait — it’s possible to install apps from outside of the official Play Store, right? Of course, silly goose; this isn’t a dictator-controlled fruit farm. But in order to install an app from a third-party source, you’d have to first manually enable an option within your device’s settings that allows the installation of non-Play-Store apps. It’s not something that’s going to come up and bite you while you’re sleeping.
Even if you are an advanced user and have that setting enabled, you’d then have to manually opt to install an app from a dangerous third-party source before any evil genie could take over your phone. You’d go through multiple layers of warnings about the risks of installing such a program before anything bad could happen. And beyond all of that, Google’s app-scanning system actually extends to non-Play-Store installations as of the latest Android release — so even if you ignore all the other red flags and move forward, your phone could still catch the conniving code before any damage is done.
(Remember, too, that just like on your PC, if you want another layer of protection on top of everything else, you can always opt to install a third-party virus scanning utility that’ll also look over every new download for you. I don’t think it’s necessary, myself, but there are certainly plenty of options out there if it makes you feel more comfortable.)
Plain and simple, despite Bluebox’s headline-grabbing “OMG 99 PERCENT OF DEVICES ARE AFFECTED!!!” statistic, in real-world terms, this isn’t something that’s a major concern for the vast majority of normal users. And, surprise surprise, it isn’t something that’s actually caused a single real-world problem (outside of perhaps some mild fear-induced bloating, which a quick swig of Pepto will surely fix).
As for the base vulnerability that allows this situation to exist, it’s in the process of being corrected: Google has confirmed to me that it’s provided a patch to its phone-making partners, some of whom are already distributing fixes to their devices.
In the meantime, as is usually the case in these scenarios, there’s absolutely no cause for alarm. I’ve said it before and I’ll say it again: Whether you’re surfing the Web on your PC or getting online from your phone, a little caution and some common sense will go a long way in keeping you safe from the big, bad virus monsters lurking around our virtual worlds.