Android has been getting the worst kind of compliment for its popularity: Malware authors increasingly target Google's operating system by uploading trojan-horse applications to its generally unsupervised Android Market.
But buying an Android phone does not mean you're fated to pick up a pest like the privacy-stealing DroidDream. Taking three steps before installing a new Android app can help keep you safe — and none involve anti-virus utilities.
In the example here, I'm considering the Washington Post's DC Rider app. I know this guide to the Metro system here is safe; I worked with the people responsible for it. But if you don't know where an app's authors live (or you simply haven't had a trusted source recommend it), how can you be so sure?
1. Read the app's reviews. The writeups posted in the Android Market can be gamed, but recent and coherent complaints about misbehavior should be a clear warning. In this case, the worst gripe (seen in the second screengrab from the left) was that the DC Rider app kept the phone's GPS receiver active after it had been closed — a battery-life issue, not a security flaw.
2. Check its permissions. If an Android app wants to do anything more involved than responding to your direct input, even just going online, it must ask in a "permissions list" shown before you download it. DOn't skip over the permissions. Requests for access to the phone's storage and Internet connection should be fine (assuming the app stores data and displays online info or ads). But if an app wants to do things with no clear connection to its features, think twice. In particular, beware: access to your contacts list, calendar or browsing history; monitoring or placing phone calls; sending text messages.
Once again, DC Rider looks clean. As the third screengrab shows, it doesn't seek permission to call or text anybody, while its request for access to the phone's GPS fits with the location-specific information it provides.
3. When in doubt, search. If an app's reviews are inconclusive and its permissions puzzle you, try doing a simple Web search along the lines of "[app name] malware?" A Google query for "Android DC Rider malware?" (I didn't want to see pages about this app's iPhone version) turned up no reports of trouble, as seen in the fourth screenshot. You already know to do this when you're in doubt about a Mac or Windows program… right?
True, you may still get into trouble despite taking those steps. An Android virus can target a system vulnerability; this is why I hate carriers and manufacturers who take their time delivering Google's Android updates for their phones. Con artists may try to rip you off by naming their wares after better-known titles and hoping you'll buy them by mistake. (Sorry, fraud happens in Apple's App Store too.) You may want to use Amazon's more-restrictive Appstore for Android, which requires apps to pass a separate approval process, although adding this store requires disabling a system setting blocking programs from unknown sources.
And yes, you can install an antivirus program like the free Lookout. But the actual numbers of phone viruses are so low that developers of those apps have had to add find-my-phone and remote-wipe features to deal with a much bigger security risk: losing your phone.
Credit: Rob Pegoraro/Discovery