The risks to Android phones and tablets from malware -- or software written with 'malicious intent' -- are rising rapidly. These threats are multiplying faster than gremlins in a swimming pool, so how do you protect your device from evil doers' dirty deeds?
Just like on Windows computers, malware can steal credit card information and contact lists. However, recent reports say that the most popular malware 'payloads' are currently premium SMS apps to steal your money. Another way in which malware could compromise you is by recording your phone calls and sending them on to some unscrupulous hacker.
Scared? Fret ye not, because there are ways to minimise the risks from malware and other security risks. Read on to find out how.
How malware gets onto your Android device
The ways malware gets onto your device are called attack vectors. These range from untrusted apps downloaded from the Google Play store onto your mobile, to someone simply stealing your phone. But the most likely way malicious code will be used on your device is through 'social engineering'. In other words, tricking you.
For every popular mainstream application, for example, there will be another app with a slightly different name, created in the hope of fooling users who are not discerning enough in their Play store searches. Not all of these are malicious, but do be sure to avoid them anyway. (The main benefit of Apple's closed-door policy is that the iOS App Store is largely free of these duplicates.)
Even though Android apps ask for certain permissions from you when you install them, this level of security is largely redundant, since most apps ask for multiple permissions -- even the good ones -- and who has the time to assess the potential risks with every single app? All the more reason to make sure the products you obtain are genuine and not dodgy imitations, then.
You also need to be aware that, if you've installed a custom ROM, your device is necessarily rooted. This means malware can exploit the operating system to grant itself root permission and install extra software without any interaction from you.
Basic tips and behaviours to protect your phone
The first line of defence in any form of cyber security is to modify your behaviour. For instance, keep as little personal information on your phone as possible. Don't keep passwords and credit card details in unencrypted files.
Similarly, when your mobile browser asks to remember your passwords, just say no! Instead, use a secure solution such as LastPass. See our guide on how to setup LastPass here.
Android has plenty of ways to physically restrict access too. Browse through the options in the Screen Lock section of the Security section of Settings. There you can set a PIN, password or a pattern to swipe on the screen. For more examples, see our guide on how to make your Samsung Galaxy S3 more secure.
Even if someone can't gain physical access to the user interface of your Android device, they could always try to get at your data via the USB port. To defend against this, use the built-in encryption option to encode all of your data and settings. It takes an hour to encrypt everything, so you will need a fully charged battery or run from mains power.
You should also be careful about what you install on your device from the Play store -- as the old saying goes, beware cheap imitations. To keep this threat in context, however, Symantec maintains an audit of the number of malware-infected applications in the Play store. Out of 120,472 entertainment apps, only two were known to be infected with malware. What you should think twice about doing, though, is enabling the 'Unknown sources' option in your security settings that lets you install any old .APK file.
You should always keep your device updated with the latest firmware updates -- although devices locked to a network are usually slower to receive these.
Avoid wireless promiscuity too -- don't have Bluetooth enabled if you don't need it, and avoid using unencrypted Wi-Fi hotspots as you'll end up broadcasting your Google account details to anyone with packet-sniffing software.
Most of the time, the behavioural defences above are enough to keep you safe against the statistically low chance of being infected by malware. But if you feel you're a particularly high-risk case, it's worth installing an anti-malware application to make sure your device does not get infected.
A recent survey by anti-virus benchmarking site av-test.org showed that the following anti-virus and anti-malware suites had a 90 per cent or higher success rate in detecting known threats.
- avast! Mobile Security (also features a firewall for rooted users)
- Lookout Security & Antivirus
- Dr Web Anti-virus
- F-Secure Mobile Security
- IKARUS mobile.security
- Kaspersky Mobile Security
- Zoner AntiVirus
- McAfee Antivirus & Security
- MYAndroid Protection Antivirus
- NQ Mobile Security & Antivirus
Managing a lost device
If you happen to lose your device, there are services out there that will track it for you, so you can look up its location. These services also let you remotely lock the phone or even erase all of your data in the unfortunate event that you cannot recover the device.
We've already written a guide about using Lookout on your Android device, but there are alternatives such as Klomptek's Track&Protect. Lookout also makes Plan B, which is supposed to be a retroactive solution to tracking a lost phone -- however, in my testing, it failed to work automatically as it was supposed to.
The services mentioned above usually cost money, but if you only want to track your device free of charge, then check out Where's my Droid.
Secure your networking
To stay secure, you also need to think about your network connection. If you need a firewall, DroidWall is a popular choice. Firewalls are probably overkill, as your home Wi-Fi router and your mobile network will both offer some firewall-like protection.
Virtual private networks (VPNs) allow you to encrypt all of your communications, which is invaluable if you use lots of unknown Wi-Fi, or even worse, unencrypted hotspots. Some to check out are WiTopia, Relakks and IPredator.