We all know we’re supposed to have some form of antivirus software on our computers, but even with (hopefully) most people running some form of protection, malware is still rampant.
Panda Security reports that in 2015, 32.13% of the computers it scanned were infected in some way and over 84 million new malware samples were detected.
Of those infections, not all fall under the label of viruses. The majority of infections were found to be malicious programs, known as Trojans. A virus, on the other hand, is something which attaches itself to an existing program to cause harm.
Other malware includes worms, adware and PUPs (potentially unwanted programs), the latter being unwanted software which installs at the same time as something you actually do want – more annoying than dangerous.
Yet despite smartphones basically being pocket computers, and therefore surely at risk of infection, antivirus software seems to be seen more as optional than essential.
So should we be worried about viruses and other malware on our phones? Or are there enough built-in protections already?
The risks are real, but avoidable
We asked Tony Anscombe, Senior Security Evangelist at AVG Technologies, whether phones really are at risk. He told techradar that: “Ultimately, all devices are at risk from malicious viruses, but as we become increasingly dependent on our smartphones for all aspects of our daily lives they become a much more attractive target for hackers.
“Think about the amount of information stored on your phone: personal ID, bank and credit card details, browsing history, app data, medical notes – and that’s just scratching the surface. Today, smartphones hold everything a hacker needs to steal money and, at worst, your identity.”
Of course the answer here could simply be to change how you use your phone, so that there won’t be all that personal information for thieves to find.
It’s also perhaps unsurprising that an antivirus company would present viruses as a significant risk, yet the evidence so far seems to be that on smartphones they’re not as much of a worry as you’d expect.
There aren’t yet close to the same number of viruses on smartphones as on desktops, with a recent report from Motive Security Labs finding less than 1% of mobile devices infected with malware. Compared to PCs that’s a tiny proportion, and while they still present a risk, it’s a pretty small, and largely avoidable, one.
The way our phones pick up malware also differs from how we’re most likely to get it on a PC. Gert-Jan Schenk, VP of Lookout EMEA, told us:
“One thing to pay particular attention to is phishing. Mobile devices’ small form means we interact with them pretty differently than desktop computers,” he said.
“In fact, studies have shown that users are three times more likely to click on a malicious link from their smartphone than a PC, which makes phishing emails or messages a serious issue on mobile.”
Text messages are another vulnerable area. Anscombe explained that: “One of the most vulnerable aspects for smartphone users is text messaging – simply because we’re not conditioned to recognise malicious content in the same way when we get a text message.”
So it seems the risks could be lower still once people wise up to them. In general, if you get a link in a text message from a number that’s not in your phone it’s probably sketchy, even (or especially) if it claims to come from a reputable institution, like your bank.
Similarly, some messages will ask you to call a number, warning of – for example – suspicious activity on your account. To be on the safe side always use a number that you can identify as official, such as one that’s come directly from the institution’s website. It can take longer to hunt out, but it keeps you safer.
No OS is totally safe
The risks vary depending on which operating system you use too. Android is the highest risk, both because it has the biggest market share, making it an appealing target, and because of its open source nature.
Anscombe warned that: “Vulnerabilities found in the Android OS, such as Stagefright in 2015, highlight the issues associated with open source operating systems like Android, as opposed to the closed environment that iOS presents.
“As a result, there is always going to be a potentially greater risk that a vulnerability exists or could be introduced by a third party developer for Android smart devices, than those run on other operating systems.”
Stagefright was one of the single biggest arguments for smartphone antivirus, as it opened millions of devices up to an attack which could monitor your activity and steal your information, yet there’s no evidence that hackers were actually exploiting it.
While Stagefright only affected Android, being on iOS or Windows Phone doesn’t mean you’re completely safe: an issue arose in 2015 when developers coding for iOS downloaded infected software from less reputable sources.
Schenk pointed out that: “Historically, iOS was certainly perceived as more secure than Android. However, that all changed this year when we saw a number of threats to iOS.
“With XcodeGhost for example, app developers unwittingly added malicious code to their applications after using a repackaged version of Apple’s development environment Xcode. The impact: for the millions of people who’ve downloaded apps with the malicious code, that code can steal sensitive data.”
That said, it’s not clear how many people actually downloaded the affected apps, how many affected apps there were or what (or how much) data was actually stolen.
Keep it official
So should we stop downloading apps if they’re such a big risk? If you stick to the official app stores the answer seems to be no. Google and Apple review applications before allowing them on their respective platforms, so the risk is typically minimal.
Apps on both iOS and Android are also run in a ‘sandbox’, which limits their ability to interact with other programs on the phone.
On top of that, on Android you can see which permissions an app requires and make a judgement call on whether you therefore want to download it. If you’re downloading an app to perform one task and it requires access to a completely different part of the phone, make a call on whether it’s legitimate. Reading reviews can help – but remember, if it’s a small number these could be faked, so stick with those that have many pieces of feedback.
The risk certainly goes up once you start using third-party stores on Android, as these often don’t have the same level of security as Google Play.
That’s less a problem on iOS, but if you jailbreak your device you’re increasing the risk of letting malware in, particularly if you download software from unofficial sources.
Schenk pointed out that: “Apps on a jailbroken device can run with escalated privileges and access sensitive data belonging to other apps. For example, the recent KeyRaider malware impacted jailbroken iOS devices and stole 225k Apple accounts.”
Stay sensible to stay safe
So with all that in mind, is it worth having antivirus on your phone? Apple would seemingly say no, as it’s culled just about all antivirus software from the App Store.
On Android you at least have the option and many antivirus apps come free of charge and from trusted names, but with them running and scanning in the background they can inevitably have a small but real impact on performance and battery life.
Lookout, for example, claims that in general its service should use less than 2% of your battery each day, but with smartphone battery life often so low to begin with, that’s still a consideration. If just 10 apps on your phone are doing that in the background, you’re down 20% each day before even getting to your general phone-related tasks.
If you’re generally careful and don’t use third-party app stores then the risk of infection is tiny, with or without an antivirus. But the key is to be careful and sensible online, even when using a phone.
If you’re worried about viruses and can live with the performance impact there’s no major downside to using an antivirus, but don’t become too reliant on it. Anscombe pointed out that: “Believing that any one security measure is going to completely protect you is generally incorrect and might lead you to more risky behaviour.”
You’ll never be completely safe from malware, but do all of the above and the risks are minimal. One day we might see malware become a real problem on phones, but the reality seems to be that for now, if you’re sensible, it’s not.
Whether or not you use an antivirus you should be wary of what you install and which stores you use. You should also keep your software updated and use two-factor authentication for your accounts to keep track of when and where people are trying to access your account – hopefully, it’s always you.