Android Antivirus Apps Are Useless — Here’s What to Do Instead
Android has grown to become the largest computing platform on the planet, and that makes it a target. You can’t spend much time on the internet without hearing about some new piece of Android malware that’s going to definitely, 100 percent wreck your phone. These reports are always based in fact, but they can overstate the real risks of picking up a piece of malware, and the definition of malware can be quite vague. Security firms are usually pushing a virus scanning app of some sort. However, Android is by its very nature more secure than a desktop computer, so maybe you don’t need these security apps. You’ve probably already got what you need.
The Scare Tactics
In a 2019 report from AV-Comparatives, we learned that most of the antivirus apps on Android don’t even do anything to check apps for malicious behavior. They just use white/blacklists to flag apps, which is ineffective and makes them little more than advertising platforms with some fake buttons. Shocking and upsetting, right? They can get away with it because true Android viruses that take over your device are not as common as you’d expect. “Malware” can encompass milder threats like apps that harvest personal information or trigger pop-up ads. You still want to avoid those, of course, but malware scanners aren’t going to help.
Android and other mobile platforms have their roots in the modern era when programmers understood the dangers of the internet. We’ve all been programmed what to expect by PC malware, which can sneak onto your system simply because you visited the wrong website with a vulnerable browser. These “drive-by downloads” aren’t feasible on Android without a pre-existing infection. On Android, you have to physically tap on a notification to install an APK downloaded from a source outside the Play Store. Even then, there are security settings that need to be manually bypassed. That’s not to say it’s impossible for Android to have a severe zero-day bug that allows someone to sneak apps don’t your phone, but that would have to be an extremely delicate, costly operation. Unless you’re a diplomat or have high-level security clearance, it’s unlikely anyone would bother with such a scheme.
So, what about malware on the Play Store? Again, that depends on what you mean by malware. The most severe security risks will never make it into the store. Google’s platform has the ability to scan for known malware when it’s uploaded. There’s also a human review process in place for anything that looks even a little bit questionable. You might occasionally hear about some “malware” apps in the Play Store, usually related to information harvesting or advertising shenanigans. Google deals with these quickly, but anti-malware apps won’t catch this sort of thing.
The solution pushed by AV companies is to install a security suite that manually scans every app, monitors your Web traffic, and so on. These apps tend to be a drain on resources and are generally annoying with plentiful notifications and pop-ups. You probably don’t need to install Lookout, AVG, Norton, or any of the other AV apps on Android. Instead, there are some completely reasonable steps you can take that won’t drag down your phone. For example, your phone already has antivirus protection built-in.
What You Should Do to Stay Safe
Your first line of defense is simply to not mess around with Android’s default security settings. To get Google certification, each and every phone and tablet comes with “Unknown sources” disabled in the security settings. If you want to sideload an APK downloaded from outside Google Play, your phone will prompt you to enable that feature for the originating app. Leaving this disabled keeps you safe from virtually all Android malware because there’s almost none of it in the Play Store.
There are legitimate reasons to allow unknown sources, though. For example, Amazon’s Appstore client sideloads the apps and games you buy, and many reputable sites re-host official app updates that are rolling out in stages so you don’t have to wait your turn. Along with the Play Store, you also have Google Play Protect, which scans your apps for malicious activity. Updates to Play Protect roll out via Play Services, so you don’t need system updates to remain protected. In most cases, installing a third-party AV app just duplicates the work of Play Protect.
Users have been rooting their Android phones ever since the first handsets hit the market, but it’s less common these days. The platform offers many of the features people used to root in order to acquire. Using rooted Android is basically like running a computer in administrator mode. While it’s possible to run a rooted phone safely, it’s definitely a security risk. Some exploits and malware need root access to function and are otherwise harmless even if you do somehow install them. If you don’t have a good reason to root your phone or tablet, just don’t open yourself up to that possibility.
Some Android apps may not be “malware” per se, but you might not want them on your phone because they snoop through your data. Most people don’t read the permissions for the apps they install, but the Play Store does make all that information available. As of Android 6.0 and later, apps need to request access to sensitive permissions like access to your contacts, local storage, microphone, camera, and location tracking. If an app has reason to access these modules (like a social networking app), you’re probably fine. If, however, a flashlight app is asking for your contact list, you might want to think again. The system settings include tools to manually revoke permissions for any app.
It really just takes a tiny bit of common sense to avoid Android malware. If you do nothing else, keeping your downloads limited to the Play Store will keep you safe from almost all threats out there. The antivirus apps are at best redundant and at worst a detriment to your system performance.