Google’s Android security chief: Don’t bother with anti-virus. Is he serious?

Just before the recent Google I/O developer conference, Google’s chief security engineer for Android, Adrian Ludwig, told journalists that most users shouldn’t bother with anti-virus.

Ludwig said “99%” of Android users wouldn’t benefit from a mobile anti-virus and declared that the risk from Android malware is “overstated.”

Moreover, Ludwig accused security software companies of distorting the facts about the exploding volume of Android malware, according to the Sydney Morning Herald’s tech reporter Ben Grubb.

It’s quite a statement coming from someone so high up the food chain – and a security engineer no less – to dismiss the value of anti-virus for the vast majority of users.

Ludwig reportedly said:

I don't think 99% plus users even get a benefit from [anti-virus]. There’s certainly no reason that they need to install something in addition to [the security we provide].

If I were to be in a line of work where I need that type of protection it would make sense for me to do that. [But] do I think the average user on Android needs to install [anti-virus]? Absolutely not.

It’s understandable that Ludwig would want to downplay security threats to Android at a time when Google is expanding its Android ecosystem to include wearables like smartwatches, televisions, and even cars.

Ludwig seems to take for granted that – despite surging numbers of malicious Android applications – the risk is low for any individual user.

Truthfully, the risk of downloading Android malware is low compared to PCs, but there is still every reason to have an anti-virus.

Android has a pretty poor reputation for security – and not all of it is because of bad marketing hype.

Bad apps in Google Play – how many have been bitten?

There are several problems with Ludwig’s assertions that users don’t need or won’t benefit from an anti-virus.

First and foremost, Google’s automated process for vetting apps in its Play Store is not ironclad, even though Ludwig said Google’s review process is the best “possible” for security purposes.

Although Google’s review process is undoubtedly stopping some malware, bad apps have made it into Google Play many times, where they’ve snagged thousands of victims.

The total number of malicious apps isn’t the only thing that matters either – the amount of malware that gets downloaded depends on how popular those bad apps are.

A malicious app that slips through the net has the potential to snag thousands of users – many of whom likely believe, as does Ludwig, that Play Store’s review of its apps is an adequate defense.

Recently, a malicious app called Virus Shield made it through Google’s review process and shot to the top of Play Store’s “Top New Paid Android Apps” page where thousands bought it – even though Virus Shield was a fake with no anti-virus functions at all.

In one day, between 10,000 and 50,000 people bought Virus Shield from Play Store – at a cost of $4 a download – before Google caught on and removed it (Google refunded the people who downloaded it – and threw in a $5 Play Store voucher on top).

It’s not just malicious apps in Play that Android users should be concerned about – non-Google app markets are much more susceptible to malware.

Millions of Android users in China use third-party app markets such as Mobogenie, a market with a history of problems with automatic downloads without permissions.

Android isn’t totally defenseless against malware – Google’s own rudimentary scanner does what many free anti-virus apps do (there is an anti-virus built into Android 4.2 Jelly Bean and higher).


Back in 2011, another Google employee – open source program manager Chris DiBona – famously blasted security vendors for hyping up malware to sell more software.

Ludwig’s rhetoric doesn’t rise to the same level of smugness as DiBona’s epic rant on Google+, but he still points the finger at security companies for trying to offer more malware protection.

That’s unfortunate – because the consequences are serious for anyone whose mobile device is hacked by a bad guy, as victims of banking malware, ransomware and spyware might attest.

Even Ludwig acknowledges that some more security-conscious people, or those with jobs that demand data protection, will want anti-virus – so why not the rest of us?

Sorry Googlers, we think everyone ought to have anti-virus on their Androids for some pretty good reasons.

Sophos Free Anti-Virus and Security for Android is a free and simple way for Android users to protect their devices with the same sort of preventive security software they expect on desktops or laptops.

There’s a threat scanner that automatically vets apps when you download them, before you run them for the first time; web and message filtering; a privacy and security advisor tool; and much more.
