Android malware scanners -- should you use one?

Recently we've seen AVG, an Android "security" app, marking other applications as malware when they aren't. That's called a false positive, and it's a fairly common occurrence. When it happens to a popular app, it always causes confusion and gets everybody unnecessarily stressed out. This time it also got us thinking -- do people really need to run any type of Android malware scanner, and are these scanners doing more harm than good?

Android malware certainly exists. We take issue with the way it gets reported sometimes, as sensationalism draws focus away from real issues, but we're not foolish enough to pretend that people aren't writing apps designed to cause trouble. But who needs to worry about this sort of thing, and how to stay safe, is something that needs to be discussed. That's what we're going to try and do today, in real-talk that everyone can understand. Let's get started.

What is malware?

When you read the description of an application to see what it is supposed to do, that's all it is supposed to do. If the app does something different or something unadvertised, we call it malware. This is a pretty broad brush, and often folks don't bother to read just what an application can do, only to cry foul later. We understand that the list of permissions is often difficult to understand, and Google is trying to make them a bit clearer, but they are there for a reason. Whether we read them and click OK, or just skip past them, we have given the app permission to do everything listed.

When an application tries to get access to something you haven't authorized, it's malware. No code is bug-free, and people are skilled at writing other apps that take advantage of those bugs.

What isn't malware?

Applications that do things like overwrite or modify system settings or preferences because that is their purpose are not malware. Apps that put spammy notifications for garbage you don't want in your system notification bar are not malware if you OK'd the ads. Apps that track your location, or read your contact information, or intercept your browser data after declaring permission to do so are not malware.

Basically, an app that does what it says it is going to do, or only does things that you gave it permission to do, isn't malware. These might be crummy apps designed to trick you or track you to gather information, but they aren't malware.

Why does it matter? 

Frankly, I don't care what people think about an application that puts unwanted ads in my notification bar, or tracks the things I search for to boost the value of their ad network. I will lose no sleep if everyone thinks those apps are bad, and tells all their friends not to install them. Hopefully, that will get the developers thinking about new ways to monetize that don't put links in my notification bar or tell some company that I buy my underwear at Target.

On the other hand, some apps are quite clever and can modify the way our devices operate by design. I'll not name any names, because I want to remain unbiased, but I'll bet most of us have a favorite app that does something like change our sound settings, or add in some quick toggles, or has some other behavior that affects the system. Developers who use their skill and knowledge of Android to build these types of apps are awesome.

But, as explained above, neither of these cases is necessarily malware. When an Android security application hits one with a false positive, it isn't doing anyone a service. It confuses the matter. I imagine most of us have seen false positives in Windows from some sort of software we downloaded. Keygens, cracks, or dll files included in a torrent often hit as malware because they exhibit behavior that looks suspicious. When we tell our Windows virus scanner to ignore those, we always have second thoughts and hope we did the right thing.

The same goes for Android. We know Google Play Movies and TV isn't malware, even if AVG tells us it is. But what about a cool app you've seen a friend use, from a developer you've never heard of? How do we decide when to trust a malware scanner and when not to -- especially when they've been proven wrong a few times? We can't. We roll the dice and go with our gut, making the app unnecessary.

Who needs a malware scanner, and who doesn't

Time for that real-talk kind of talk. If you like to visit places where you can pirate paid apps, you need a malware scanner. Nothing in life is free, so you get to spend time researching all the false positives or unzipping applications to see what's inside instead of spending $0.99 on the application. Don't trust the fellow who uploaded it when he says it's "virus-free" and scan every single application you download. You will get hit with malware eventually, as the folks writing it are faster than any Android security company when it comes to updating, and you'll end up installing malware that the scanners haven't learned yet. I still can't condone stealing a buck from a developer, and think you should actually pay for your apps, but if you're gonna steal at least do it safely.

If you only download apps from Google Play or Amazon, you do not need to use a malware scanner. Amazon checks every app before they host it, and Google uses Bouncer to actively scan the hundreds of thousands of apps in the Play Store. From either store, apps will only be able to do what you gave them permission to do. When apps are new on Google Play, they may not have been scanned yet. Wait a few days or read the reviews if you just have to get it right away. Doing so will keep you safe, and you'll not need a third-party application that may confuse you in the end.

It's also worth mentioning that Google is ramping things up here, and with Android 4.2 comes an on-device scanner. The first time you go to sideload an app you'll see it in action, and it scans each and every application you sideload after that if you told it to. If your phone is running 4.2, you have that extra layer of protection without any extra fuss. 

Conclusion

We don't want to try and tell you what to do with your Android device. If you want to use any of the popular malware scanners, by all means do so. But never count on them to be right, and be careful if you sideload apps. You might even want to use one for other features like device tracking or remote wipe; some are pretty good at it. But always remember -- a false positive is an issue with your virus scanner and not the application it scanned. Reserve your bad application reviews for the right people.

Jerry Hildenbrand
Senior Editor — Google Ecosystem
