Computer malware is defined as a piece of code that does something you, the user, did not want. This can vary from posting pictures onto your computer screen, destroying or encrypting parts of your computer hard drive, corrupting files or making long distance calls from your modem. And depending on where you read, computer malware is responsible for ruining more lives than natural disasters. Over the years, it has been evolved and improved as generations of hackers and computer villains have increased the complexity and sophistication of their malicious products. Unfortunately, our Android devices are not immune from the threat.
My definition of malware above is broad and vague. I would argue that many free games and apps carry malware because I don't want advertising on my device! In Android circles, malware is generally considered to be doing something to your device that you didn't want without getting something in return: so, if you're playing a game or using a free app, this is often considered an acceptable compromise. This is not to say that all applications are malware free…
There are a few ways that we can acquire malware on our devices. Websites can push or install an application or we can consciously install an application. It's also possible to have an application sent to our device via NFC, Bluetooth, a WiFi network or a USB lead. Now before you scoff at the thought of plugging your device into a random USB cable, what if you were in a coffee shop but rather than provide you with plugs, instead the owner had provided a MicroUSB lead instead? Many of us wouldn't think twice about popping a charger lead into our device whilst chatting with friends over a coffee.
It's important that I highlight how Android is a more secure operating system than some articles would have you believe. The weakness is usually the user: the royal we have a habit of downloading apps away from the relative safety Google Play Store and of allowing said apps administrator access to our devices. We don't read the warnings that our device pops up that details what services it requires access to and instead gleefully click “agree.” In the examples above, your device will likely ask you if you want to install an application. It may then ask you if you want to make the application a “Device Administrator.” If you click yes to both, you may have given control of your device to a rogue application.
Since Android 4.2, our devices have had a built-in malware scanner option in the Settings, Security menu, shown here on the Nexus 10. There's also the option to allow non-Google Play applications to be installed onto the device. For most people, I wholeheartedly recommend keeping the “Unknown Sources” option unticked and the “Verify Apps” option turned on. This will provide you with some very basic security: if a website pushes an app to your device, it won't let it be installed. If you enable Unknown Sources, your device will perform a basic malware scan of the application and will warn you before installing the file.
In my day job I'm sometimes tasked with inspecting official documents as proof of identity. It turns out that many counterfeiters aren't the best at spelling, so one of the easy ways to find a fraudulent document is because of a spelling mistake. Likewise, when it comes to looking at applications on the Google Play Store, check the spelling for any inconsistencies. It's no guarantee, but if you are searching for “Angry Birds” and the title is spelt “Anrgy Birds,” this may mean that it is not the legitimate application.
Many of the reports regarding malware infections are sponsored if not written from the very same businesses that make their money protecting users from such outbreaks. Unfortunately, this makes me cynical: the articles often big up the risks and the importance of having effective device security. User activity is often a one or two line paragraph at the end of the article.
I'd like to turn this on its head. We, the user, are the most important factor in keeping our devices safe. My advice is to stick to the beaten path: install your applications from the Google Play Store. Check that the application looks legitimate. And finally, be extremely wary of any application that wants Device Administrator permission.