Android security report confirms the two best ways to stay safe

Google is putting Android security in the spotlight, countering long-standing accusations that the OS is a Wild West of malware and exploits. The search giant has long argued that its approach to third-party apps and the Google Play store does not represent a threat to users, even though it differs significantly from how Apple handles apps in the iOS App Store.

At the core of many of the complaints has been Google's post-inclusion vetting. If an app wants to be included in the App Store, it must first go through Apple's validation process and be deemed "safe." While that hasn't completely prevented apps with nefarious intent from making it to iOS devices, it has nonetheless proved a solid barrier to most malware – not to mention a good marketing point.

Google, in contrast, has used a combination of machine learning methods to spot software with ill intent, plus reports from users themselves. All the same, multiple reports have found that malware has made it into the store – and been downloaded potentially tens of thousands of times – before being removed by Google. Now, though, Google argues that Android is in fact more secure than ever.

In a new annual update on Android Security & Privacy in 2018, Google runs last year through the review process to highlight how its policies and processes have made the platform safer. The big number – or, really, the small number – is the classification of PHAs, or "potentially harmful applications," identified in the store. That actually increased versus 2017, but Google says that's a good thing.

0.04-percent of all downloads from the Google Play store were PHAs, Google says. In the previous year, that number was 0.02-percent.

However, Google changed what it classifies as PHAs between the two years. "This increase is due to the change in methodology of upgrading the severity level of click fraud applications from policy violations to PHAs," the company says. If click fraud is omitted, as it was in 2017, the 2018 figure drops to 0.017-percent.

Two ways to stay safe on Android

Although intended as a review, not as a set of recommendations, it's still clear from Google's report that there are two primary ways that Android users can best avoid malware and other PHAs. One of those might cost you some money, while the other demands some restraint.

One of the biggest risk factors is looking outside of the Google Play store for apps to download. "Devices that installed apps only from Google Play were 8 times less likely to be affected by PHAs," Google explains. In contrast, 0.68-percent of devices that installed apps from outside of Android's official download store were affected by one or more PHAs in 2018.

That means sideloading apps from APKs, or using third-party app stores. However, other challenges depend on the market. In Brazil and India, for example, Google identified multiple instances where new phones were infected by PHAs before they even reached users.

"Four of the top ten PHAs in Brazil were pre-installed PHAs that were shipped on devices of a single Brazilian original equipment manufacturer (OEM)," Google explains. "Two others were OEM-specific third-party stores from a different OEM that offered high numbers of PHAs to users for download."

The other safety precaution – and the one which might end up costing you some money – is to use a newer version of Android. Fragmentation of the OS, where older phones are still running older versions of Android because newer updates haven't been released, is a long-standing issue for Google's OS. It also has a real impact on security.

Android 8, for instance, has PHA rates of 0.19-percent. Android 9 comes in at just 0.18-percent. That's in contrast to a whopping 0.65-percent for Android Lollipop, and 0.55-percent for Android Marshmallow. In short, if you can upgrade to a newer version of Android – whether that's by installing an update from your phone-maker, or by buying a more recent device – you stand a good chance of being safer overall.