The statistics don’t lie: Most Android malware comes from outside Google Play. Downloading cracked Android apps — or any type of app — from a shady website or untrustworthy third-party app store is the way most Android devices become infected. Never mind the harm to app creators — downloading cracked Android apps and Android games is a great way to harm yourself.
Android gives you the freedom to install apps from outside Google Play, an act known as “sideloading.” You may be tempted to download cracked APKs and get paid Android apps for free — but this would be a bad idea. Most Android malware arrives through these side channels, not through trustworthy app stores like Google Play.
What Android Malware Studies Tell Us
The press (and Apple) are always talking about the prevalence of Android malware and how dangerous it is to use any Android device at all. If we look at actual studies, we find that Android malware isn’t very common — as long as you stick with legitimate app stores like Google Play and the Amazon Appstore.
For example, an F-Secure study from less than a year ago found 28,398 samples of malware, but only 146 of them came from Google Play. That means 99.5% of Android malware found in the wild came from outside Google Play — likely from cracked APKs on websites and from shady third-party app stores that offer paid Android apps for free.
FakeInstaller: The Most Popular Android Malware
You may think you’re home free because the app installs and appears to be working normally, but you could still be in trouble. One popular malware technique is to “wrap” the cracked Android app in malicious software. You’ll still be able to use the app, but the malicious software will also be able to run. This is clever because it encourages you to leave the app installed and let your guard down — if the app was blatantly malicious, you’d remove it immediately. If your phone seemed to have problems, you might restore it to its factory default settings and get rid of all the malware.
These days, malware is created to make money — often for organized crime. It’s easier for malware to make more money if it can trick you into believing there isn’t a problem and run under the radar.
For example, a McAfee study from less than a year ago found that Android.FakeInstaller was the most widespread malware family — over 60% of Android malware samples discovered by McAfee were from the FakeInstaller family. FakeInstaller malware pretends to be an installer for a legitimate application, but sends premium-rate SMS messages in the background to cost you money.
As Lookout security told InfoWorld back in 2011, “Repackaged applications have emerged as the de facto trend in how malware is spread in Android.”
Malware Can Cost You Money
On Android 4.2, Google finally added a system that prevents apps from sending SMS messages to premium-rate phone numbers in the background — but most devices out there aren’t using Android 4.2. These premium-rate SMS messages are a favorite technique of malware, as they can add charges to your bill and drain money directly from you to the malware’s creator. Sure, you could try to dispute these charges with your phone company, but they’d fight you every step of the way. That pirated version of a $2 app may start running up $10 charges on your cell phone bill.
Even if you’re using Android 4.2, you’re not completely safe. According to McAfee, the FakeInstaller malware includes a backdoor for receiving commands from a remote server, so your phone could be used as part of a botnet, your personal data could be uploaded, or the remote server could just remotely install more malware. Other types of malware can also do much more than send premium-rate SMS messsages.
Antivirus Apps Aren’t Enough Protection
Google Play scans apps that are uploaded for malware. If an app is later discovered to be malicious, Google can automatically remove it from the devices it’s been installed on. You’re giving up these protections by sideloading an APK.
Android does now offer a feature that scans apps you sideload for malware — you’ll be prompted to do so the first time you sideload an app. However, this isn’t guaranteed to catch all malware, so you can’t entirely rely on it. The same goes for Android antivirus programs, which don’t catch everything. Just as you should exercise caution and avoid downloading suspicious software on your PC, even if you’re using an antivirus program, the same goes for your phone or tablet. Some studies have shown that most Android antivirus programs don’t have very good detection rates.
For all the hype, Android is pretty secure as long as you avoid downloading pirated software from shady websites. Stick with legitimate sources like Google Play and the Amazon Appstore and you’ll be okay.
Sure, that cracked Android app you’re eying right now may be okay — but the more pirated APKs you install, the greater the odds that you’ll get infected. It’s not worth the risk.
Have you ever dealt with Android malware? If so, where did it come from? Did you pick it up after installing an app from outside Google Play? Leave a comment below and let us know if you’ve ever been infected.
Image Credit: greyweed on Flickr