If you’re one of Android’s billions of users, this latest shock revelation should be a serious concern. Your phone is at risk—and critical safeguards are just not working.
For Google, the timing was unfortunate to say the least. Just a few days before Tim Cook claimed that “Android has 47 times more malware than iOS,” another security report exposed yet more very dangerous Joker malware hiding on Android devices.
While that “47 times” number might be questionable, Cook is in the right ballpark. Android is both less private and less secure than iOS. “We’ve designed iOS,” Cook said, “in such a way that there’s one App Store. All of the apps are reviewed prior to going on the store. And so, that keeps a lot of that malware out of our ecosystem.”
Cook’s point was that you cannot sideload apps onto an iPhone from third-party stores in the same way you can with an Android device. But there are a couple of stark ironies here. First, Apple’s App Store has been slammed recently for its own lack of security. Back in 2016, Apple’s own head of Fraud Engineering Algorithms and Risk described its app review process as “bringing a plastic butter knife to a gun fight.” And so, while Apple devices are better protected than Androids, its safeguards are no panacea.
The second irony is that the latest set of eight Joker-laced apps targeting Android devices were not sideloaded from a questionable third-party app store. No, these came direct from Google’s Play Store. Which means that Google still cannot erect a safety net capable of keeping well-known malware out of its store and away from its users. Those latest apps have obviously been removed—but that’s hardly the point.
“Rogue apps can and do make their way onto the Play Store,” ESET’s Jake Moore warns. “People must carry out their own due diligence where necessary. Reviews and numbers of downloads are important places to start before installing an app as these can often give telltale signs as to what the app may actually be.”
Apple’s recent headline issues on app security have primarily centered on so-called fleeceware, where users are tricked into outrageously expensive subscription plans for basic apps. This isn’t new, as I’ve reported before, and it’s not limited to iOS. Android suffers from the same type of scams on Play Store. But Android users face a much more dangerous risk—and that’s malware that will do you much more harm.
There were multiple Joker malware stories last year, as Google continued to shore up its defenses and threat actors continued to break through. “It’s a tricky malware to detect,” Check Point Security told me at the time, describing the malware as “one of the most sophisticated threats of its kind we have ever seen… Every Joker sample we have reported has been removed from the Play Store, but there are others.”
Indeed, there are. A full year later, despite initiatives that include engaging third-party security vendors to help safeguard Play Store, those threats still materialize. “Joker has techniques to hide itself,” Check Point told me last year, citing “obfuscation or remote service to get commands” as examples.
And that’s what we have seen again this month in the report from Quick Heal, as malicious apps download Joker payloads after being installed on devices, avoiding malicious but recognizable code fragments in their Play Store binaries.
And so, despite what Tim Cook might say, despite the fact that both Apple and Google review apps before they are made available on their respective stores, there is clearly a wider issue at play. Why is Android less secure than iOS when it comes to malware?
The answer is simple, and essentially comes down to two very different philosophies at play. iOS is as locked down as Android is open. The different approaches to sideloading are not the cause, they’re just symptoms.
Check Point’s CEO Gil Shwed explained this problem when we talked earlier this year. “iPhone is a much more closed system, and Apple regulates much more what’s on that platform. With Android, it’s much easier to develop software, to use software, and that software can be more malicious than on iOS.”
And that’s Android’s issue. It’s not just that the malware can find its way into your device, it’s that it can wreak havoc when it gets there. iPhone isn’t immune, of course. We’ve seen multiple urgent updates this year as malware has been found in the wild, but those risks have been quickly patched and updates issued.
Android’s open, fragmented ecosystem is more vulnerable to threats and finds it more difficult to rush out fixes when those threats are found. It was this issue that prompted my Straight Talking Cyber co-host Davey Winder to swap his Samsung for an iPhone. And it’s this issue that makes it so dangerous when malware sneaks onto Play Store.
There is a final irony here, and that’s on the security front. Because Android is more open, security software is better able to protect users against threats. iPhone is more locked down, making it harder for malware to operate but also harder for security software to do its job. And so, this latest Joker escapade should make Android users seriously consider protecting their devices with an antivirus app.
Many of us at home and (hopefully) almost all of us at work now use some form of security software to protect our computers. Not on our cellphones, though; more than 90% of our mobile devices remain unprotected, this despite the surge in mobile malware that we have seen in recent years, and the fact that mobiles can be used to carry infections into enterprises, like shiny little Trojan horses.
Joker has likely infected millions of Android devices over the last two years. And over that time, Google has removed thousands of Joker-laced apps from the Play Store. The malware sends premium texts, makes premium-rate calls, and subscribes users to fraudulent premium-rate services. Deleting the app is not enough. If infected, you need to find which services you have been subscribed to and manually unsubscribe.
The lesson from this latest report isn’t that you should be especially worried about those eight apps and their many thousands of installs. You should be worried that this well-known malware can still break through. That if these apps have been found, there will be others. That there will be many users with infected devices out there still.
“Google Play Store protections are not enough,” Check Point told me almost exactly a year ago. “We can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.” Indeed.
Google didn’t comment ahead of publication as to how Joker still finds its way onto its Play Store. And so, the usual advice applies. Don’t casually install apps you don’t need from developers that are little known. Investigate if you notice anything unusual. Look at permissions for any new app and don’t grant those casually either. Access to your phone and SMS and contact lists and location and microphone and camera should only be granted when the functionality of the app warrants it.
“When installing anything whether it be an app on a phone or software on a computer,” Moore says, “caution must still be exercised. Making the Play Store open to developers comes with a list of pros and cons for both users and their devices.”
All very true. One area where Google has been playing catch-up with Apple is on the privacy and permissions side. There are plenty of tools now available in your Android settings to help you stay safe(r). Just make sure you use them.