
Are managed Android devices really prone to malware?

Bigdogburr
Google Team
10 days ago

The digital landscape is constantly evolving, and with it, the threats to our devices. A common question that arises, particularly in enterprise settings utilizing managed Android devices, is whether these devices are inherently susceptible to malware. The answer isn't a simple yes or no; rather, it hinges on several key factors:


The first question we need to consider is whether Android devices, in general, are truly that susceptible to malware. This depends significantly on user behavior, specifically whether you primarily use the Google Play Store or install apps from unapproved third-party app stores. Are you intentionally enabling the installation of downloaded APK files from unknown sources? Are you enabling Developer Options and subsequently permitting OEM Unlock and/or ADB (Android Debug Bridge)?


Risk Factors: App Sources and User Behavior

The choices users make regarding app installation and device settings play a crucial role in their security posture. Sticking to the official Google Play Store provides a level of scrutiny and protection that third-party stores often lack. Similarly, enabling the installation of apps from "unknown sources" bypasses built-in security measures designed to prevent the installation of potentially harmful software. Furthermore, activating Developer Options and enabling features like OEM Unlock and ADB, while useful for development purposes, can also open avenues for malware installation.


Why Users Deviate from Official Channels

Understanding why users might take these risks is important. Some users may seek apps not available on the Google Play Store, while others might be tempted by pirated or modified versions of popular applications. Developers need to use features like ADB for testing and debugging, but leaving these enabled on production devices can be a huge security risk.


Sources of Android Malware

Android malware primarily originates from unofficial sources. The Google Play Store employs various mechanisms, such as the App Defense Alliance and Google Play Protect, to identify and remove malicious apps. Third-party app stores, on the other hand, often have less stringent review processes, increasing the likelihood of encountering malware. Downloading APK files directly from the internet also carries significant risk, as these files may not have undergone any security checks.


Android's Built-in Protections: Google Play Protect and the Permissions Model

Android incorporates several built-in security features to protect users. Google Play Protect (GPP) is a comprehensive security service that scans apps on the Google Play Store before you download them and regularly checks your device and apps for harmful behavior. Live Threat Detection is a component of GPP that provides continuous monitoring for emerging threats.


The Permissions Model is another crucial security mechanism. When an app wants to access certain features or data on your device (like your camera, microphone, contacts, or location), it must request your permission. This model puts you in control of what apps can access, limiting the potential damage a malicious app can cause.


The Role of Cloud-Based App Scanning

Beyond on-device scanning, Google also employs cloud-based scanning to analyze apps for malicious behavior. This allows for the identification of threats even before they become widespread. By analyzing app behavior in a controlled environment, potential malware can be detected and removed from the Play Store.


The Growing Threat of Phishing

While technical controls are essential, it's crucial to recognize that phishing has become a significant attack vector, akin to obtaining the keys to a house. Attackers often try to trick users into clicking malicious links, downloading harmful attachments, or providing sensitive information through deceptive emails, messages, or websites. The good news is that the Google Messages and Google Phone apps have new capabilities to protect users from falling victim to spam and phishing attempts.


Security of Managed Android Devices

Now, returning to the central question: are managed Android devices really prone to malware? In many ways, managed devices are much more secure than personal devices. Organizations deploying managed devices can implement policies that restrict app installations to the Google Play Store (a curated list of only approved apps), disable the installation of apps from unknown sources, and prevent users from enabling developer options. These controls significantly reduce the attack surface and limit the opportunities for malware to be introduced.


Furthermore, Mobile Device Management (MDM) solutions often provide additional security features, such as the ability to remotely scan devices for threats with the Play Integrity API, enforce strong password policies, and integrate with leading third-party Mobile Threat Detection solutions.
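As an added example (not from the post or from Google's own tooling), the following Python expresses the controls just described, plus the accessibility-service allowlist raised later in the discussion, as an Android Management API policy, and audits a policy for the weak settings the post warns about. The field names and enum values are the API's; the package names are hypothetical.

```python
from typing import Dict, List

# Constructed example of a hardened Android Management API policy.
# Field names and enum values are the API's; package names are hypothetical.
HARDENED_POLICY: Dict = {
    "playStoreMode": "WHITELIST",  # only the apps listed under "applications" are installable
    "applications": [
        {"packageName": "com.example.corp.app", "installType": "FORCE_INSTALLED"},
    ],
    "advancedSecurityOverrides": {
        "untrustedAppsPolicy": "DISALLOW_INSTALL",           # blocks "unknown sources" sideloading
        "developerSettings": "DEVELOPER_SETTINGS_DISABLED",  # no Developer Options, ADB or OEM unlock
        "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED",
    },
    # Only these (plus the system's own) accessibility services may be enabled.
    "permittedAccessibilityServices": {"packageNames": ["com.example.corp.a11y"]},
    "passwordPolicies": [{"passwordMinimumLength": 8, "passwordQuality": "ALPHANUMERIC"}],
}

# Constructed example of a policy that leaves every door the post describes open.
WEAK_POLICY: Dict = {
    "playStoreMode": "BLACKLIST",
    "installUnknownSourcesAllowed": True,  # legacy boolean, superseded by untrustedAppsPolicy
    "debuggingFeaturesAllowed": True,      # legacy boolean, superseded by developerSettings
    "advancedSecurityOverrides": {"googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE"},
}


def audit_policy(policy: Dict) -> List[str]:
    """Return one finding for each control from the post that the policy fails to enforce."""
    findings: List[str] = []
    aso = policy.get("advancedSecurityOverrides", {})
    if policy.get("playStoreMode") != "WHITELIST":
        findings.append("playStoreMode is not WHITELIST: any Play app can be installed")
    if policy.get("installUnknownSourcesAllowed") or aso.get("untrustedAppsPolicy") != "DISALLOW_INSTALL":
        findings.append("sideloading from unknown sources is not blocked")
    if policy.get("debuggingFeaturesAllowed") or aso.get("developerSettings") != "DEVELOPER_SETTINGS_DISABLED":
        findings.append("Developer Options (ADB, OEM unlock) are not disabled")
    if aso.get("googlePlayProtectVerifyApps") != "VERIFY_APPS_ENFORCED":
        findings.append("Google Play Protect app verification is not enforced")
    if "permittedAccessibilityServices" not in policy:
        findings.append("no accessibility-service allowlist: any app may become an accessibility service")
    if not policy.get("passwordPolicies"):
        findings.append("no password policy configured")
    return findings


if __name__ == "__main__":
    for name, pol in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_policy(pol) or ["OK"])
```

The audit is a local check on the policy document before it is pushed with `enterprises.policies.patch`; it does not query devices.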


Understanding Reports of Widespread Infections

So, why do we still encounter online posts claiming "Millions of Android devices infected with XYZ" or urging users to "Uninstall these Android apps with malware"? These reports often highlight instances where malicious apps and malware are installed from third-party app stores, installed on Android devices that are not Google Play Protect certified, or installed on low-cost AOSP or rooted devices. While these incidents are concerning, they often affect consumer users who have not adhered to basic security practices or who have ventured outside of the official app ecosystem. For managed devices with appropriate controls in place, the risk of such widespread infections is considerably lower. In fact, the 2024 Android Transparency Report highlights that only 0.009% of devices were seen with a potentially harmful app. It's important to highlight that of those 0.009% of detected apps, many are simply "potentially harmful" and actually pose no threat. These apps are often simply built with insecure coding practices, which Google Play and Google Play Protect flag.


Conclusion

While Android devices, like any connected device, can be susceptible to malware, the level of risk is largely determined by user behavior and the security measures in place. For most users who primarily use their smart devices and exclusively install apps from the Google Play Store, the risk is significantly reduced. Managed Android devices, with their ability to enforce stricter security policies and limit risky user behaviors, are even more secure. By understanding the sources of malware, utilizing the built-in security features of Android, and remaining vigilant against threats like phishing, organizations managing Android devices can significantly mitigate the risk of malware infection.


Let's keep the conversation going; it would be great to hear your thoughts on this below.

Updated 10 days ago
Version 2.0
  • Michel
    Level 3.0: Honeycomb
    4 days ago

    Interesting article, Bigdogburr, thanks for sharing.

    I like Android's philosophy on being a platform that can be used on a wide range of devices and where users are able to bypass standard settings to create a device that works for them. You are not limited to what Android can do by default, but you are able to add apps that are able to do what you want.


    But that's also a big, big downside when looking at the security side of things. I understand GPP helps a lot, but some of the reports about malware are about the AOSP version; shouldn't there be more focus on security on the core OS side perhaps? That might help to set Android in a more positive light. I have so many discussions with customers saying that the "other" platform is more secure than Android; it's getting a bit annoying. And that's coming from someone who sells and works with both Android and its alternative competitor.


    Alex_Muc, can you tell more about the accessibility services being targeted or what you did to prevent that? 

    • Bigdogburr
      Google Team
      3 days ago

      Hi Michel, we do not do any malware protection for AOSP, only Google Play Protect certified devices. We do not have visibility into a device maker that uses AOSP devices and cannot guarantee much of any security requirements. Those device makers are not required to stick to the guidelines and requirements that are in the Compatibility Definition Document (CDD), nor do the devices have a Google cert embedded in hardware-backed security. We do, however, implement all kinds of platform security mechanisms in AOSP which are standard, such as memory sanitizers, ASLR, KASLR, MAC for the kernel domains, etc. But again, a device maker that makes an AOSP version can remove and alter any of the protections we put in place.


      I am also in the process of building a new updated AE Security course on the academy that touches on some of the platform items.  

      • Michel
        Level 3.0: Honeycomb
        2 days ago

        Ah, that makes sense, thanks for adding this!


        Looking forward to your security course, I have a lot to learn on that side of Android.

    • Alex_Muc
      Level 2.3: Gingerbread
      4 days ago

      Michel, I think we took the hint from an older Verizon Business Mobile Security Index report. Malicious apps with permission to access the Accessibility Services can read the display content and therefore access/steal sensitive data. However, they can also manipulate the user interface and input data. However, such an attack usually goes hand in hand with sideloading.


      Using the Enterprise Policies, you can allow certain apps for the accessibility services via “permittedAccessibilityServices”.

      https://developers.google.com/android/management/reference/rest/v1/enterprises.policies

      • Bigdogburr
        Google Team
        3 days ago

        Hi Alex_Muc, I think that was a screen overlay issue a few years ago. Now, by default, screen overlays are controlled with permissions, and screen overlay was hardened such that apps need an identifier to access the API.

  • Alex_Muc
    Level 2.3: Gingerbread
    8 days ago

    The question of whether managed Android devices are prone to malware is due to the flexible use of Android. And I see that as something fundamentally positive. As a user, you don't have any hard barriers, but can sometimes override security features and look for other sources for apps, for example.
    As a user, however, you should be aware of the risks. And even more importantly: as a company, you should set strict barriers to avoid common risks.


    We regularly check whether we need to adjust our MDM policies for device security.
    Google Play Protect, prevented sideloading, and forbidden USB debugging already help enormously with device security.
    However, accessibility services should not be underestimated. A few years ago, we created an accessibility whitelist to provide additional protection. 😀
    This is because a sideloaded PHA app that uses accessibility services can cause enormous damage to users and their data.

    • Moombas
      Level 4.1: Jelly Bean
      8 days ago

      Always, but in general it's like on any other OS: the biggest security risk is the end user.