Android security boss says users don’t need anti-virus. He’s wrong wrong wrong

Adrian Ludwig is the lead engineer for Android security at Google. In this role, he is responsible for the security of the Android platform and Google’s applications and services for Android.

So you would expect him to know a thing or two about the risks that Android users are exposed to on the platform.

Unfortunately, judging by a report in the Sydney Morning Herald of what Ludwig told journalists at a recent meeting, he appears to be living in cloud cuckoo land.

Here are some quotes from the report:

The majority of Android smartphone and tablet users do not need to install anti-virus and other security apps to protect them, despite dire warnings from security companies selling such products, Google’s head of Android security says.

Woah! That’s a strong and contentious opinion.

And he’s not alone in sharing it.

Indeed, one of Ludwig’s former peers at Google, Chris DiBona, claimed something similar in 2011. He called companies selling anti-virus software for Android “scammers and charlatans”.

As far as I can tell, however, the only people with the opinion that Android users don’t need anti-virus are those who are either employed by Google, or know nothing about the malware threat.

Clearly this is a sensitive subject for Google, especially if the CEO of arch-rival Apple recently declared at his developer conference that Android “dominates the mobile malware market.”

“If I were to be in a line of work where I need that type of protection it would make sense for me to do that. [But] do I think the average user on Android needs to install [anti-virus]? Absolutely not.”

Hang on a minute. So, there are some lines of work where it “would make sense” to run anti-virus on your Android? I’d love to know which are those in Ludwig’s opinion.

Because my understanding was that those who used Android were likely to use it to store family photographs and personal documents, and were strongly pushed in the direction of using Google services for their email, calendar, and so forth… and those would certainly entail sensitive information that I cannot imagine any Android user wanting to fall into the hands of cybercriminals and fraudsters.

I don’t think it’s about your “line of work”. It’s about what sensitive information your phone has access to.

[Ludwig] recommended users stay on the latest Android version to stay safe.

Yeah, that’s a great idea if you can find a way to update your Android phone with the latest version of the operating system.

Unfortunately, the way that Android devices are updated with new OS versions is a much more hit-and-miss affair than iPhones – leaving it to Google, service providers and handset manufacturers to all agree and co-ordinate with the rollout of an update. Sometimes, little more than a year after a new Android handset is launched, the company will reveal it is not going to release any more OS updates for it.

The stats speak for themselves. In June this year, Apple CEO Tim Cook revealed that almost nine out of ten iOS users were running the latest version of the operating system. In comparison, a mere 9% were running the latest KitKat version of Android.

Mr Ludwig – clearly you’re doing something very wrong if you’re not making it easier for users to keep their devices up-to-date against security threats as you recommend.

“I don’t think 99 per cent plus users even get a benefit from [anti-virus],” Mr Ludwig said. “There’s certainly no reason that they need to install something in addition to [the security we provide].”

Mr Ludwig said every Android app goes through an automated system that checked for issues, and verified apps before they were made available on the app store.

“By the time a user goes to install an app they’ve had … the best review of that application that is possible,” he said.


I’m not so sure that’s right. Because malware and bogus apps keep being found in the Google Play store.

Remember the Android game in the Google Play store which secretly stole private WhatsApp chats and offered them for sale?

Or how about the bogus anti-virus products that have made it into the Google Play store?

Or were you one of the 100,000 people who downloaded a fake BlackBerry BBM Android app from the Google Play store?

I could go on. Trust me, I could go on and on and on…

Clearly it would be a good idea to not just trust Google to police its store, considering its poor track record in keeping it squeaky clean, but to have an additional layer of protection as well.

And it’s not just malware.

Last year, Bitdefender researchers revealed the sorry state of security amongst apps in the Google Play store. They looked at more than 630,000 Android apps, finding many riddled with malicious ads, transferring usernames and passwords over unsecured connections, and grabbing address books.

And that’s before we even consider that there are Android smartphones being sold that have malware pre-installed!

It’s called having defence in depth. You don’t put all your eggs in one basket and blindly trust Google to keep your Android device safe.

I’m not saying that the iPhone App Store is perfect, but its ecosystem has seen nothing like the level of malware incidents experienced by Android users.

And yes, the official Google Play store is probably a safer place to get your Android apps than a third-party unofficial source, but there have been cases of malware and shady apps getting into the official store – and I sadly expect that to continue.

I must admit, I’m deeply concerned about Google’s lackadaisical attitude to its Android users’ security if it cannot see the benefit provided by anti-virus software. They may be hurt by the comparison with the lack of malware targeting iPhones, but that doesn’t mean they should have their head in the sand.

You can download a free version of Bitdefender Antivirus for Android from the Google Play store.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


  • Thanks for the useful and informative article!
    I’ve never used Android, for me portable devices are PHONES, not computers, and on the desktop PC and notebook I have Windows, but still the claim that ANY operating system does not need antivirus solutions and is totally immune to any form of malware seems hard to believe …

  • Well… things aren’t as black and white as either you or the Google guys are making them appear. While everything you wrote is true – there have been malicious apps in their Store, their OS update policy sucks, proper malware defense-in-depth is better than trusting a third party – it is also similarly true that the threat landscape for Android is minuscule compared to, say, Windows. You can happily use your Android phone for years and never encounter any malware. It’s all relative.

    I just wish Google would allow selective granting and revocation of the permissions of any given app. If Blackphone, which is running an Android fork, can do it, why can’t Google?! The current all-or-nothing policy is just plain stupid…

  • Well, it is true. Most users (i.e. the common smartphone user) do not need anti-virus. Common smartphone users generally only install a few applications, which are recommended by friends, or are developed by a reputable company (i.e. King, Gameloft, Rovio, and such) which greatly diminishes the possibility of getting a virus. There are also users that just use the default applications, and never even touch Google Play or F-Droid.

    A way to update your phone is to install the FOSS Cyanogenmod…

  • “Mr Ludwig said every Android app goes through an automated system that checked for issues, and verified apps before they were made available on the app store.

    “By the time a user goes to install an app they’ve had … the best review of that application that is possible,” he said.”

    Really? I’ve been fairly close to batty and I’ll admit fully that I HAVE been in the past. And the past few days I’ve come very close to it. But did I really read that? I would like to believe I actually AM hallucinating. But I’m not, am I? You suggest he lives in “cloud cuckoo land” and I am glad you prepended it with cloud. Because I don’t want such an idiot here and I absolutely am not in the clouds.

    Oh dear me… I never did trust Google but there are no proper words for the above. I’ll try any way though. First part: If that is their automated system it clearly does quite a lot – of nothing useful. In general too much automation is a slippery slope. But even then, someone like me who does not even get in to mobile phones (frankly I have a longing for the older phones including rotary…. and the phone sitting on my desk is the first phone that replaced a rotary phone, at the house) … knows how bad his statement is. The same applies to any place where it involves humans. Indeed, the irony in it all is HE is far too trusting and security and trust don’t mix too well (something about scams and such, for more modern examples…). And part two: what the hell does a review have anything to do with software and security? Even if that is a review in the sense of “scan” there’s this part where heuristics can fail and it is a new strain of malware. Actually that sentence of his does not even make sense, in the lexical sense even. That or I REALLY DID lose my mind…

    “Clearly it would be a good idea to not just trust Google to police its store, considering its poor track record in keeping it squeaky clean, but to have an additional layer of protection as well.”
    Definitely. Of course I already pointed out the idea of trust (as for my response, that is). And thank you for specifically using the word layer. If more people understood this concept… it should be obvious but often isn’t. Yes: security is a layered thing. Security that is not layered (that is, one layer only or even zero layers) borders on a false sense of security rather than true security (or as true as it can be). This very concept is taken after physical security. This should be obvious too: bastion (host), DMZ, … all from real life.

  • Android users who are careful about which apps they get, they don’t need an antivirus app on their phone. Unsophisticated Android users who overthink things may get into trouble getting an antivirus app. My wife’s husband got a new Android phone and was thinking he should do the same thing as he does on a Windows PC and get various antivirus security apps for his phone. That was overkill because the only app he would get was WhatsApp. As a result, he put his phone into a booting loop that he couldn’t fix and therefore had to call me. Ended up telling him don’t bother with that antivirus crap on Android, and instead, just be super careful about the apps you get. He’s really more of like the typical Android who uses his Android like an overgrown dumb feature phone.

  • Ouch, stinging write up but spot on. I’d love to break free from the iPhone, but it’s rock solid and that’s what keeps me with it. Google is kissing away a golden opportunity by employing people like Ludwig.

  • You are totally right Graham. I think Google just tries to avoid the bad press some antivirus or related laboratories are making about them, because of their lack of capacity to keep things controlled. Good article.

  • I have to disagree with you here – based entirely on the definition of an *average* Android user’s set up?

    By default, phones aren’t rooted and ‘install from unknown sources’ is disabled so you are looking at mainly Play apps being installed by an average user. Yes there are issues occasionally – but as a percentage of apps installed on users’ phones? That number must be tiny in comparison to the number of safe installed apps across the Android user base.

    It would be interesting to see the most common apps installed and the range of deviations away from them but I suspect an *average* user will only have the 1million+ installed apps which, one would assume are safe.

    I’d argue the average Android user is very unlikely to ever be exposed to malware.

    That, and the ineffectiveness of 11 major Android antivirus apps to actually work on anything other than existing threats (Fraunhofer AISEC 2013 study) means that installing one may well give users a false sense of protection and convince them it is safe to visit even less well policed app stores.

    Overall this article is nowhere near as balanced as your normal work – almost bordering on scaremongering

  • I have been using Android phones for years. You do Not need anti-virus software on unrooted Android phones. It slows your phone down using unnecessary resources and drains your battery. You obviously are representing this scam “industry”. Same companies are adding on rubbish like RAM boosters, when it is best to let the OS manage RAM. Also cache cleaners which cause their own problems. You should only use the cache cleaning option in Android itself. You can often find these companies publicizing fake viruses and you get a message that you’re protected. Recently CM Security came up with one called AbroadAnywhere which turns out to be totally fake. Please don’t fall for this bullshit. Don’t root your phone but even if you do, don’t download from suspect sources. If you do, the fake anti-virus software won’t protect you as it’s only using Android normal security wrapped up in pretty battery draining graphics.