- by David Nield - Gizmodo - Monday, April 22, 2019
While you might be used to having to protect against malware and viruses on your computer, security tools are less common on phones. Should you be installing antivirus apps on your smartphone, or are the built-in protections that come as part of Android and iOS enough to keep you safe?
It’s not the most straightforward question to answer, not least because of the differences between Android and iOS. A multitude of antivirus tools is available on Android, whereas they don’t exist at all on iOS—apps aren’t granted the system-wide access on Apple’s mobile OS that an antivirus program needs to operate.
Installing apps from outside the officially approved app store is also easier to do on Android, which is why Epic Games was able to go ahead and distributed Fortnite straight to users of Android-powered phones.
The questions are really whether Android users need the proliferation of free and paid-for security tools available to them, and whether iOS users can rest easy knowing Apple has done all the work necessary to keep unwanted, malicious code off their phones.
Low risk... but not no risk
The good news is that if you keep your phone up to date with the latest patches, stick to well-known apps inside the Google Play Store (which is far from foolproof, FYI) and Apple App Store, and avoiding tapping on any suspect links that arrive on your phone, you’re largely protected against malware hitting your device.
“Assuming you stick to official app stores and don’t root your phone, we would say the risk of the smartphone becoming infected in western countries is still relatively low,” Andreas Clementi, the CEO of independent antivirus testing firm AV-Comparatives, told Gizmodo over email.
“However, we must point out that ‘low risk’ is not the same as ‘no risk’. In addition, the threat situation can change quickly and dramatically.”
The “western countries” distinction Clementi makes is a nod to the large number of rooted phones and third-party app stores available in Asia, where attempts to steal banking credentials, for example, are rife. There, the threat of dangerous apps is “greatly increased,” according to Clementi.
If you are going to install an app from outside the Play Store on Android—either to test something out or to play Fortnite, maybe—be very, very careful about checking its trustworthiness, and make sure you download it from a trusted, verified source (so the Epic Games website, in the case of Fortnite).
Assuming you follow the guidelines we’ve mentioned, built-in Android security is “as good or better than most third-party security tools,” Craig Young, Principal Security Researcher at Tripwire VERT, told Gizmodo over email.
“As long as users follow good security practices of installing updates in a timely manner and do not authorize apps to be ‘Device Administrator’, it is unlikely that their device will be infected,” Young adds.
Note the qualifications though—such as timely updates. The longer your phone maker waits to roll out the latest patches, the more at risk you are.
Though the risk of malware infection is low, installing a competent security tool on Android is going to make it lower still. AV-Comparatives’ Andreas Clementi still recommends installing “appropriate security software” on top of Android, especially to help cope with new threats that Google might not have caught up with.
In general, that means an antivirus tool that comes from one of the big, well-known security vendors and isn’t overly aggressive when it comes to keeping an eye on what apps on your phone are up to. AVG, Norton, Avast, Bitdefender, and Avira are some of the security names you can trust with Android products on offer, and you can check out AV-Comparatives’ most recent Android antivirus report here.
Kirsty Edwards, a director at mobile security specialists Lookout, agrees that some kind of protection is needed, especially for enterprise and business use.
“Like all operating systems, Android and iOS are continually being updated, and these updates include security patches,” Edwards told Gizmodo over email. “In fact, Apple’s most recent update, iOS 12.2 included fixes to 51 security flaws. And every month Google’s Android security update fixes previously unknown, critical security vulnerabilities.”
All the security experts we spoke with agree that iOS is more secure than Android out of the box, and as we’ve already explained, iPhone owners don’t have the option of installing antivirus tools anyway. But that doesn’t mean iOS can’t be targeted by malicious attacks—getting spyware on an iPhone is difficult but by no means impossible.
We’ve also seen unscrupulous software vendors use enterprise developer certificates to get hacked apps on to iOS—the same certificates that got Google and Facebook into trouble. Apple says it’s taking steps to crack down on the misuse of enterprise certificates, but it’s more evidence that iOS users can’t get complacent.
Minimizing security risk
So if the risk of malware-infected apps hitting your smartphone is relatively low, what other potential dangers should you be looking out for? Phishing is the main one—hackers trying to get you to tap on a web pop-up, or a dodgy link inside an email or SMS.
“Getting compromised is still as simple as clicking through the wrong prompt, following a malicious link, or even just receiving a malicious text message,” says Craig Young. “Users should be hyper-aware of what prompts they are clicking and whether passwords are being entered into legitimate websites.”
Typically, you might get prompted to install an unverified app, or to grant permissions that you shouldn’t be granting—or, perhaps most likely, to give away passwords and usernames to your key accounts.
“Phishing has become one of the most prevalent threats on mobile, where users are even more apt to click on a phishing link due to the small screen size, use on-the-go, and inability to hover over a link before clicking on it,” adds Kirsty Edwards.
Earlier this year we saw an iPhone phishing scam that faked an Apple support “case ID” to lure users into parting with personal information. Your phone might not get infected with malware, but access to your most important data can still be compromised.
The general rules are the same as always: Be very suspicious of following links embedded in texts or emails on your phone, and if you suspect you aren’t on the official site for whatever service you’re trying to access, go to it by typing the proper URL in your browser before logging in.
As we’ve recommended before, switch on two-factor authentication on all the services you can. This stops many phishing attacks in their tracks—like the one discovered several months ago in certain Android apps.
Finally, be wary of overreaching permission requests made by apps: The apps might not be malware in themselves (which gets them listed in the official app stores), but they could be trying to harvest data you don’t want to give away.
“An app that counts the steps the user takes every day has no need to access the phone book or call log,” says Andreas Clementi, giving a prime example of data overreach. “Of course, even if an app behaves like this, it does not necessarily mean that it is malicious, but it makes sense to consider whether it is genuine and worthy of use.”
These days we should all be largely sticking to the established, recognized apps rather than experimenting with dozens of new apps every month, which makes the chances of getting caught out by a data-harvesting app lower. That said, be on your guard: Games and utility apps are often used as cover for malicious activity.
If you are installing an app you’ve not tried before—nothing wrong with that—keep an eye on its reviews, the history of the software developers behind it, and think about how it’s actually making money. We’ve got more pointers on this here.
App permissions have progressively gotten easier to manage on both iOS and Android: Tap any app in Settings on iOS to see the permissions associated with it, or choose Apps & notifications then App permissions in Settings if you’re on Android.
Keeping your data protected and private is a slightly different issue to keeping malware off your phone, even if the two are often linked—we’re written before about all the ways your phone and your apps can keep tabs on you, and some of the methods you can use to limit that sort of data collection.
When it comes to security software on your phone though, all our experts agree that keeping your mobile OS updated along with some common sense about which apps you install and the permissions you grant them goes a long way to keeping you safe—just be aware that the malware coders and phishers are developing more sophisticated tactics all the time.