AP FILE PHOTO
Smartphones using the Android operating system, such as this Motorola Moto X, are vulnerable to malware, security experts say.
Do you need to run antivirus software on a smartphone?
If you have a phone running Google Inc.’s Android operating system, it’s a good idea. In the
smartphone world, malware is largely an Android problem, security experts say. That’s not to say
that Apple Inc.’s iOS and Microsoft Corp.’s Windows Phone operating system are invulnerable. But
Android presents a bigger and, in some ways, easier-to-crack target, those experts say.
“The number of Android devices is huge,” said Ragib Hasan, an associate professor of computer
science at the University of Alabama-Birmingham who studies smartphone malware. “It makes sense for
cybercriminals to focus on that platform.”
According to a study issued by the Department of Homeland Security in July, 79 percent of the
identified smartphone malware threats were aimed at devices running Android. Most of the remaining
threats — 19 percent — were focused on Symbian, an older mobile operating system that never got
much traction in the United States.
Meanwhile, Apple’s iOS, BlackBerry and Windows Mobile devices each were targets of less than 1
percent of the malware.
Because hundreds of millions of devices today run Google’s operating system, “It’s very easy to
hit a lot of Android users with one kind of malware,” said Peter Stelzhammer, co-founder of
AV-Comparatives, a nonprofit organization that tests and rates antivirus software.
And the threat is growing. By the end of June, there were 718,000 malicious or high-risk Android
applications, the security firm Trend Micro reported in August. That was up 41 percent just from
the end of March.
About half of malware threats identified by the Homeland Security report were Trojan horses, or
Trojans, which are malicious programs disguised as legitimate ones. The ones aimed at Android
devices typically use text-messaging programs to send text messages to phone numbers that
automatically trigger a payment from the user’s account. Often those charges can be in the hundreds
or even thousands of dollars.
Another smartphone threat comes from rootkits, which are malicious pieces of software that hide
in the background of a device and record keystrokes, locations and passwords. Yet another threat
comes from application stores that impersonate Google’s Play store to trick users into downloading
Android is a target not just because it’s popular, but also because of how it works, security
IPhone users generally can’t download apps from any place other than Apple’s App Store.
Similarly, Microsoft allows Windows Phone users to download software only from its Windows Phone
store. Android allows users to install software from a variety of locations, not just from Google
Play. While there are plenty of legitimate Android storefronts around, some aren’t scrupulous about
screening out bad applications.
Android users can help protect their devices by not downloading apps from places other than
Google Play, security researchers say. Google screens the apps in its store for malicious code, and
Android users now can have Google remotely screen apps on their phone that were downloaded
elsewhere, said Adrian Ludwig, an Android security engineer at Google.
Thanks to that service and other built-in security features on Android, users don’t really need
to run other antivirus programs, Ludwig argued, noting that Google itself dissuades employees from
running such software on their devices. Google’s data indicate that while the number of malicious
apps is increasing, the frequency of infections is low and stable, he said.
But other security experts warn that even Google Play isn’t 100 percent safe. A Symantec
researcher reported recently that the security company had found 2,500 scam apps in Google’s
storefront that were posted between the beginning of the year and the end of August.
The apps typically promise to connect users with pornographic websites, but frequently charge
users $1,000 or more to sign up. Symantec found that 1,000 of the apps were listed in August alone,
although many were deleted quickly.
The risk is almost certain to grow. That’s because smartphones frequently store or transmit
sensitive data such as users’ location or financial information.
“Criminals are just discovering the vast amount of information and financial gains they can get
from mobile malware,” Hasan said.
Given that trend, it’s better to be safe than sorry, many security researchers say.
“If you can get antivirus on your phone, it’s just safer,” said Roger Thompson, chief emerging
threats researcher at ICSA Labs, a division of Verizon that tests and rates security products.
Troy Wolverton is a technology columnist for the San Jose (Calif.) Mercury News.