Google's Android security chief: Don't bother with anti-virus. Is he serious?

Filed Under: Android, Featured, Google, Malware, Mobile

android-antivirus-170Just before the recent Google I/O developer conference, Google's chief security engineer for Android, Adrian Ludwig, told journalists that most users shouldn't bother with anti-virus.

Ludwig said "99%" of Android users wouldn't benefit from a mobile anti-virus and declared that the risk from Android malware is "overstated."

Moreover, Ludwig accused security software companies of distorting the facts about the exploding volume of Android malware, according to the Sydney Morning Herald's tech reporter Ben Grubb.

It's quite a statement coming from someone so high up the food chain - and a security engineer no less - to dismiss the value of anti-virus for the vast majority of users.

Ludwig reportedly said:

I don't think 99% plus users even get a benefit from [anti-virus]. There’s certainly no reason that they need to install something in addition to [the security we provide].

If I were to be in a line of work where I need that type of protection it would make sense for me to do that. [But] do I think the average user on Android needs to install [anti-virus]? Absolutely not.

It's understandable that Ludwig would want to downplay security threats to Android at a time when Google is expanding its Android ecosystem to include wearables like smartwatches, televisions, and even cars.

Ludwig seems to take for granted that - despite surging numbers of malicious Android applications - the risk is low for any individual user.

Truthfully, the risk of downloading Android malware is low compared to PCs, but there is still every reason to have an anti-virus.

Android has a pretty poor reputation for security - and not all of it's because of some bad marketing hype.

Bad apps in Google Play - how many have been bitten?

There are several problems with Ludwig's assertions that users don't need or won't benefit from an anti-virus.

First and foremost, Google's automated process for vetting apps in its Play Store is not ironclad, even though Ludwig said Google's review process is the best "possible" for security purposes.

Although Google's review process is undoubtedly stopping some malware, bad apps have made it into Google Play many times, where they've snagged thousands of victims.

The total number of malicious apps isn't the only thing that matters either - the amount of malware that gets downloaded depends on how popular those bad apps are.

A malicious app that slips through the net has the potential to snag thousands of users - many of whom likely believe, as does Ludwig, that Play Store's review of its apps is an adequate defense.

Recently, a malicious app called Virus Shield made it through Google's review process and shot to the top of Play Store's "Top New Paid Android Apps" page where thousands bought it - even though Virus Shield was a fake with no anti-virus functions at all.

In one day between 10,000 and 50,000 people bought Virus Shield from Play Store - at a cost of $4 a download - before Google caught on and removed it (Google refunded the people who downloaded it  - and threw in a $5 Play Store voucher on top).

It's not just malicious apps in Play that Android users should be concerned about - non-Google app markets are much more susceptible to malware.

Millions of Android users in China use third-party app markets such as Mobogenie, a market with a history of problems with automatic downloads without permissions.

Android isn't totally defenseless against malware - Google's own rudimentary scanner does what many free anti-virus apps do (there is an anti-virus built into Android 4.2 Jelly Bean and higher).


Back in 2011, another Google employee - open source program manager Chris DiBona - famously blasted security vendors for hyping up malware to sell more software.

Ludwig's rhetoric doesn't rise to same level of smugness as DiBona's epic rant on Google+, but he still points the finger at security companies for trying to offer more malware protection.

That's unfortunate - because the consequences are serious for anyone whose mobile device is hacked by a bad guy, as victims of banking malware, ransomware and spyware might attest.

Even Ludwig acknowledges that some more security conscious people or those with jobs that demand data protection will want anti-virus - so why not the rest of us?

Sorry Googlers, we think everyone ought to have anti-virus on their Androids for some pretty good reasons.

Sophos Free Anti-Virus and Security for Android is a free and simple way for Android users to protect their devices with the same sort of preventive security software they expect on desktops or laptops.

There's a threat scanner that automatically vets apps when you download them, before you run them for the first time; web and message filtering; a privacy and security advisor tool; and much more.

Image of droid and ostrich courtesy of Shutterstock.

, , , , , , , , , ,

You might like

38 Responses to Google's Android security chief: Don't bother with anti-virus. Is he serious?

  1. Anonymous · 452 days ago

    "It's understandable that Ludwig would want to downplay security threats to Android..."

    In the interests of balance, I think it's also understandable that Sophos would want to "up-play" security threats to Android, as they are an anti-virus vendor.

    • Just Me · 452 days ago

      yes, you are right, a company that provides free anti virus for android has a huge stake in promoting it ...

    • VL-S · 452 days ago

      SOPHOS allows me to use their product at no cost. How do they benefit by that apart from some possible "word of mouth" advertising from me?

      • Paul Ducklin · 452 days ago

        We benefit by some possible "word of mouth" advertising from you :-)

        • Peter Kirwan · 442 days ago

          certainly! I read the blog constantly and have used some of the free products but (after having done so for months) if I'm ever in a position to recommend the purchase of security stuff for my company Sophos is number 1!

          Incidentally, is the 'mobile control' app I'm seeing on Windows that is attributed to Sophos really made by you (as opposed to an imposter)?. Just wanted to check ...

    • Paul Ducklin · 452 days ago

      Ludwig also said, "I think ... paying for a product that you will probably never actually receive protection from is not a rational reduction of risk."

      Can't disagree with that, when it was Google's own Play Store that recommended - as its Top New Paid App - that you pay $4 for a security program that *truly provided no protection at all*. (In fact, Google's Top New Paid App actually reduced your security by falsely telling you that were safe without actually checking anything.)

      That $4 "Top App" wasn't an irrational product to purchase, it was an outright fraudulent one.

      For the record, I think this article (and anything we have written lately on Android malware) is very careful not to up-play the risks, to the point of choosing words like "[t]ruthfully, the risk of downloading Android malware is low."

      Anyway, Sophos Anti-Virus and Security for Android is free, and it does a bunch of handy stuff beyond just anti-virus (like web filtering, SMS filtering, privacy advice and security settings review).

      • George · 452 days ago

        I think you misunderstand how a "Top New Paid App" is determined. It is determined by an algorithm that takes into account the number of people downloading it and the ratings. It is not determined by a human nor is it recommended for its functionality or content. Sophos would have more of a drum to bang here if the app actually did something malicious, which it doesn't, it just does nothing at all. The marketing was fraudulent and I think Google could tighten up the review process to check if an app claims to do the functions it says it does. Where does Google's review process end, though? How responsible is Google for making sure that every app is bug-free?

        So, you are wrong in that it was an irrational product to purchase. It was irrational because whomever purchased it placed an irrational weight upon the comments of people and algorithms without seeking a true understanding of the application that they were purchasing.

        • Paul Ducklin · 452 days ago

          The Top New Paid App status was determined, I am afraid, by a proprietary, closed, secret, undisclosed system that had a single outcome: public endorsement by Google.

          The app says it scans for malware. Google actively promotes it on its Play Store as delivering on that promise. When you run it, it doesn't "do nothing." It pretends that it is scanning your device for malware, for just under two minutes (long enough to seem plausible; quick enough to feel efficient). Then the app - an app was in the #1 spot according to Google - says, "All good."

          How is that non-malicious? The app and the marketing are indivisible - it's not a case of someone taking a joke app and misrepresenting it. It's an app written specifically for the purposes of deceit, to support a marketing campaign operated to pull in money under false pretences.

        • Bob Hart · 430 days ago

          Just a thought, how many everyday people actually know anything whatsoever about the intricacies pertaining to-'ALGORITHMS and NUMBER of DOWNLOADS' when it comes to deciding if they should use an 'APP' or not?
          My view regarding Google's lack/fail of over site, is they make enough 'money' to dedicate staff who would/could mitigate all possible negative outcomes for their customers!
          Alas, that's not to be however, the save a dime, spend a dollar to fix the problem afterwards, is the way of today!

    • Alan · 452 days ago

      Bear in mind that they're a *business* anti-virus (and additional security software) vendor - they don't sell anything to individuals. Given that pretty much every business purchase has to go through several layers of approval, I don't think "they make this cool product I use on my smartphone" would increase sales by that much :-)

  2. RF · 452 days ago

    The odds of there being a *completely* silent car coming down the road when we want to cross is extremely low too, lower than the 1% he uses as the threat figure above.
    I don't know about anyone else, but I still check both ways before I cross a road.

    • Paul Ducklin · 452 days ago

      A electrically powered Google autonomous vehicle might be completely silent.

      But don't worry, it will have had the "best review possible" (Ludwig's own words), just like that $4 VirusShield app :-)

      • Alan · 451 days ago

        ...and probably still be more likely to stop before mowing you down than most drivers :-|

  3. Anonymous · 452 days ago

    Aren't AV apps just a battery and memory drain on Android?

    • Paul Ducklin · 452 days ago

      Try ours and see :-) I haven't noticed any difference in battery life with or without the Sophos product installed. (I'm not just saying that. I live a life that is more unwired than most, so I am generally very aware of how much power my devices have, from my USB-rechargeable bicycle lights, through my mobile phone and Android tablet to my laptop.)

  4. Bonga86 · 452 days ago

    Defense in depth? For any device in my control the more layers of protection the better.

    • I completely agree with this and, as a matter of fact, so does Google. As John mentioned in the article - Android has a rudimentary, built-in scanner.

      How Google can say via an official spokesperson that anti-virus is unnecessary whilst also finding it so necessary as to make it mandatory by building one into their code is, um, confusing at best.

      The whole position, and the provision of a basic scanner, recalls Apple's head-in-the-sand position circa 5 years ago.

      Since best practice demands defence in depth and since Google have conceded the need for defence on that layer by building a basic scanner into Android the only question that remains is - is the Android scanner the most effective or best value defence for that layer?

  5. I've always said: There's no such thing as antivirus on a standard mobile platform, since none of the purported apps run with privilege. It's like having a physical with your clothes on.

    • Paul Ducklin · 452 days ago

      That sounds a bit like the OS X "malware deniers" about 5 years ago, and the Linux naysayers of the 1990s :-) "It's not malware if it requires user interaction or doesn't have root privileges."

      All apps run "with privilege," for example, privilege to read files off your SD card, to read SMSes before you do, to answer and make phone calls, to make network connections, to read your location...and so on.

      • Jim · 451 days ago

        And don't forget deleting files off your SD card (or whatever). Many of the earliest viruses in the PC/Mac universe just deleted files. Later on they became more sophisticated, but just having my documents deleted was a major pain.

        I would guess that malware for hand-helds will probably evolve along similar lines: from basic trouble-making to sophisticated, purpose-driven attacks.

  6. We have two security issues here. There is the first issue of the need for Anti-Virus, and the second issue is the security of Google Play and Android itself.

    Anti-Virus is like car insurance. The odds of you actually needing to use it are relatively low. But the goal is to proactively protect, not reactively repair. For that reason EVERYONE should have anti-virus.

    But Anti-Virus doesn't protect against dumb bass phishers and thieves who write bogus security software and charge for it. In itself, Virus Shield wasn't malicious. It's purpose was to make users THINK they were getting something they weren't and charge them for it. It was theft, pure and simple. Because the software didn't do anything malicious, anti-virus software didn't catch it.

    The burden of protection in this case falls on Google, who failed to properly protect their users from the theft.

    So how does one protect themselves from the company who is supposed to be protecting them? Easy! Abstinence. Abstain from supporting Google and Android and buy an iPhone.

    • Paul Ducklin · 452 days ago

      I agree with most of what you said, except that I insist that VirusShield is malware because it deliberately lies to you about the "security" it claims to provide, showing a progress bar, pretending to scan for bad stuff and reporting nothing (not even itself :-)

      Indeed, I think that software that is written specifically to perpetrate or facilitate fraud (or theft, as you call it - I am not sure what the correct term is, but we agree it is something bad) is malware by definition - and, yes, software can be malicious for what it does not do, just as much as for what it does do.

      That's why Sophos Anti-Virus for Android classifies it as malware, under the name Andr/Vshield-A.

      As for the term "anti-virus"...strictly speaking we should avoid it and say something like "threat blocker" or "anti-malware" instead, because many people understand the word "virus" to refer very specifically to self-replicating malware.

      But "anti-virus" is what it's known as, just as the keypad on your phone is still called a "dial."

  7. Chris · 452 days ago

    It's hard to have any faith in the anti-virus apps since they all provide different results, and sometimes false posititves. I saw a posting from someone on Google+ where Lookout was giving a "virus alert" for the Settings on a phone. Settings. Really? Plus, after testing a couple, Norton can say an app is malicious and then Avast says no? Lookout reports something, Sophos doesn't?

    • Paul Ducklin · 452 days ago

      Hard to reply to your remarks when all we have a "a comment from someone on Google+."

      Sophos Anti-Virus and Security includes a feature to review your settings and warn you of risky ones (for example: "allow apps from unknown sources" :-)

      The product doesn't say or even imply that those warning are "virus alerts" - in fact, that part of the software is clearly called the Security Advisor. But I can imagine how someone might say, "I got an alert from Sophos Anti-Virus about the settings on my phone," and how someone else might turn that into a comment about a "virus alert from Sophos about settings."

      Don't you think it's highly likely that's what happened in the Lookout case you're talking about? That the "false positive" is most likely in the way the behaviour was described, rather than how the product actually behaved?

  8. Anonymous · 452 days ago

    What is malicious about Virus Shield? How does Sophos classify it? There is nothing about it in the original article. If the app is just fake, without any malicious payload - how would having AV software prevent user from downloading it?

    • Paul Ducklin · 452 days ago

      There's a link in the text above to our original Virus Shield article:

      Sophos Anti-Virus for Android detects the shonky app as Andr/Vshield-A. As I opined in an earlier comment, an app can be malicious as much for what it doesn't do as for what it does.

      (It's still a fake anti-virus - a category pretty much universally accepted as "malware" - if it dishonestly says it's scanned and found nothing, as much as if it dishonestly says it's scanned and found something. The only real difference is that the "false negative" sort of fake anti-virus relies on getting its money in up front, in this case with Google's help, and then letting you feel you can relax; while the "false positive" sort relies on frightening you afterwards and making you feel you have to act.)

      • You're lumping together fake antivirus and rogues. While it was rogue-like (heh) in that it didn't have any valid or functional protective components, it was not a rogue in that it didn't in any way insist the system was infected with fake threats, revoke access to system components, or any of the other slew of things a typical rogue antivirus tends to do.

        Virus shield was a bad app, and an obviously fraudelent app, but in my mind, it must do something malicious; steal money via premium SMS, harvest information like contacts, SMS, browser data, stored passwords, etc.

        This application did cost 4 dollars and did not deliver on it's advertised function, however it did not do anything additional, or anything secretly.
        Flappy bird was supposed to be fun, but it is not, does that make it worth classifying as malware?

        Virus shield lied, but it didn't hurt anyone more than 4 bucks worth, which was more than double refunded.

        There are a ton of applications that reportedly charge your battery by shaking your phone, and other such ridiculous gags. This is only a hair worse than that in. Yes, it's bad, it's nasty, and it's mean.

        But.... I don't think it's malware. You could probably call it a PUP.

        • I think you're missing something else that Virus Shield did - it fooled its users into thinking they had anti-virus and thereby acted as a block to installing a real one.

          It is not benign, it reduces your security whilst it steals your money. It is at best outright fraud but at worst it's providing cover for malware.

          I don't think it can be classed as Potentially Unwanted Application because there is no use case where it would be wanted or useful. If you have it, you've been done by criminals and your phone is not protected in the way you think it is.

  9. Laurence Marks · 452 days ago

    After several bad experiences with AV on desktops, I would like to know a few things about Sophos for Android before I install it. These things don't seem to appear on the Sophos web pages or in the Play Store.

    1) Installed footprint. Will this take 10% of my non-volatile memory (equivalent to hard disk), like name-brand AV on my desktop? Will it continue to grow as updates are added but never consolidated or withdrawn?
    2) Will my phone grind to a halt each day for five minutes as updates are applied?
    3) Will my Android phone run my data bill though the roof installing 100 MB updates OTA every day, or every time it's rebooted like name-brand AV on the desktop?
    4) Will my phone grind to a halt for 60 seconds every time I use a file explorer to open a folder with lots of files, as the AV provided by the desktop OS does?
    5) Will Android apps run slower as they contend with AV for CPU cycles and CPU cache as they do on my desktop with name-brand AV? How much slower? Actual measurements, please. (I wonder if most AV suppliers ever test for this...)
    6) What is the effect on battery life? I have no desktop experience with this, but have seen laptop batteries depleted by a hard disk scan when running on battery.Actual measurements, please.
    7) The download appears to be 9 MB. Surely this is just an "installer." How big is the actual download? Why use an installer to hide the app's size?
    8) What about memory leaks? Has this AV been run for a week on a heavily-used device? How much did the memory footprint increase? Did AV hang the device at any time?

    As you may have gathered, I *hate* AV but accept it as a price to pay on the desktop. It's like buying a fast car and putting intake and exhaust restrictors on it before leaving the showroom. I suppose I'll eventually put it on my phone, but with misgivings.

    It would be nice to have detailed answers to all these questions before installing something I expect to hate.

    • Paul Ducklin · 452 days ago

      Hmmm. You state explicitly that you hate anti-virus, that you expect to hate ours and if ever you do install it, it will be with misgivings.

      So I think your best approach is the path of least resistance: don't install it.

    • Paolo · 452 days ago

      Just a few general observations on your questions from a software (non-security) perspective...

      1) As for almost every piece of software in the world, I suppose the answer is: YES, adding new features will probably increase the size of the program.
      2) Normally, programs do NOT halt while updating.
      3) By design, in Android, there is no need of rebooting in order to install an app (please, note that Android Mobile Security solutions are standard Android apps!).
      4) By design, in Android, an app cannot really interact with another one (anyway not at the level required for what you are suggesting). So, as far as I know, it does not really matter how many file explorer apps you open.
      5) Again, as for every piece of software in the world, the answer is: YES, when they run they use your device's CPU.
      6) As above.
      7) I don't even bother to answer to this one.
      8) Android is NOT Windows. An Android Mobile Security solution is a standard Android app.

      • Laurence Marks · 450 days ago


        You seem to have selectively misinterpreted most of my concerns:
        Just a few general observations on your questions from a software (non-security) perspective...

        1) As for almost every piece of software in the world, I suppose the answer is: YES, adding new features will probably increase the size of the program.

        Of course, but how much. If AV takes more than half of my storage, it becomes unreasonable.

        2) Normally, programs do NOT halt while updating.

        Obviously you never had to run the Symantec Corporate edition. Each time you reboot it takes 100% of CPU for a few minutes while it checks and downloads updates.

        3) By design, in Android, there is no need of rebooting in order to install an app (please, note that Android Mobile Security solutions are standard Android apps!).

        I didn't actually say anything about rebooting after installation. Some versions of Symantec download updates (not the program) every time you restart.

        4) By design, in Android, an app cannot really interact with another one (anyway not at the level required for what you are suggesting). So, as far as I know, it does not really matter how many file explorer apps you open.

        You must be deliberately mis-reading my comments. If you are running Microsoft Security Essentials and open a folder (either using Windows Explorer or the File-->Open command in any program) and the folder contains a lot of files, your system will stall for at least a minute while the AV program checks every file in the folder.

        5) Again, as for every piece of software in the world, the answer is: YES, when they run they use your device's CPU.

        2 or 3% is okay. 25% is NOT okay. Notice that Duck would rather tell me to get lost than tell me the tested number for Sophos Android version.

        6) As above.

        Once again, is it 2% or 25%. Duck says "It seems okay to me." but his usage pattern could be entirely different than mine. For example if he keeps his screen on a lot, it could entirely swamp the AV usage. I asked for real measurements.

        7) I don't even bother to answer to this one.

        Do you have a phone with 128 GB of storage? or 16GB? Once again, if the AV takes 2% or 2%, no problem. If it takes 25% that's NOT okay. Why does no one want to state how much storage their product takes.

        8) Android is NOT Windows. An Android Mobile Security solution is a standard Android app.

        I understand both systems well. You don't have to be condescending.

        What I'm looking for is real product statistics, not evasive answers. And this is not a troll. I'd really like to find an AV product I could review positively and recommend to friends and family.

        • Hi Laurence,

          As you've stated in some of your responses hardware and usage patterns make a huge difference to how software behaves and, more importantly, how it's perceived.

          Objective measurements of software performance mean nothing in the face of an individual's subjective experience of software performance.

          I understand where your questions are coming from but your best test is for you to install it yourself and see how it works on your hardware and with your usage pattern.

  10. Me · 452 days ago

    i can see where lawrence is coming from,we all dislike or have misgivings about installing large programs that swell/bloat up or slow down our products when used but it sometimes is a Necessary evil that we must deal with.sometimes the benifits out weigh the flaws and vice verse.and its never a bad thing to do research on any product before acquiring it, look at virus shield Lmao.

    • Paul Ducklin · 452 days ago would you react if someone told you they *hated* (their emphasis) the type of product your company sold, expected they'd hate yours too, would only ever use it with misgivings, oh, and by the way, your products is suspiciously small. Are you cheating? *Why* are you cheating? (By blurting out the second question, you're telling me you aren't going to believe my answer to the first question anyway, so there is no point in me answering it.)

      It's a free product with a decent reputation and a fair bit of history, from a reputable company. It doesn't eat the battery on my device. (Yes, I check. See my earlier comment about "unwired life" - I keep track of where my battery power goes.) It's never frozen my device. The data usage is negligible, as far as I can tell. (My device is my full-time 3G access point, so I keep track of where my data goes.)

      Try it for a day.

      Either you will be happy with it, and keep it, or you won't and you can uninstall it. I'll refund twice your purchase price if you decide not to keep it :-)

  11. Paolo · 452 days ago

    I remember I read something similar about Google Android's Bouncer... and, some time later, I read how was easy to bypass it.

  12. hal · 447 days ago

    He is right in the sense I don't even use an antivirus in the desktop for years and in that time I have never catch anything. I regularly update my systems I don't download pirated software from any website or from dubious sources I see around (If can't pay try to use free or opensource software) and in many ways follow security minded behavior. Follow security journals etc. Is not 100% cause I could be victim of unknown bugs and companies that look trustworthy and aren't but then the antivirus is incapable to protect me in such cases therefore that helps a lot.

  13. Jehanyar Saleh · 446 days ago

    Thats "mobomarket" thats widely used in the middle east and Asia instead of overrated "google Play" which tends to say "not in tour country". And it does not auto-download or auto-update if you say dont in the settings

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Zorabedian is a blogger, copywriter and editor at Sophos. He has a background in journalism, writing about technology, business, politics and culture. He lives and works in the Boston area.