4 min read

Android security boss says users don't need anti-virus. He's wrong wrong wrong


July 04, 2014

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Android security boss says users don't need anti-virus. He's wrong wrong wrong

Adrian Ludwig is the lead engineer for Android security at Google. In this role, he is responsible for the security of the Android platform and Google’s applications and services for Android.

So you would expect him to know a thing or two about the risks that Android users are exposed to on the platform.

Unfortunately, judging by a report in the Sydney Morning Herald of what Ludwig told journalists at a recent meeting, he appears to be living in cloud cuckoo land.

Here are some quotes from the report:

The majority of Android smartphone and tablet users do not need to install anti-virus and other security apps to protect them, despite dire warnings from security companies selling such products, Google`s head of Android security says.

Woah! That’s a strong and contentious opinion.

And he’s not alone in sharing it.

Indeed, one of Ludgwig’s former peers at Google, Chris DiBona, claimed something similar in 2011. He called companies selling anti-virus software for Android “scammers and charlatans”.

As far as I can tell, however, the only people with the opinion that Android users don’t need anti-virus are those who are either employed by Google, or know nothing about the malware threat.

Clearly this is a sensitive subject for Google, especially if the CEO of arch-rival Apple recently declared at his developer conference that Android “dominates the mobile malware market.”

“If I were to be in a line of work where I need that type of protection it would make sense for me to do that. [But] do I think the average user on Android needs to install [anti-virus]? Absolutely not.”

Hang on a minute. So, there are some lines of work where it “would make sense” to run anti-virus on your Android? I’d love to know which are those in Ludwig’s opinion.

Because, my understanding was that those who used Android were likely to use it to store family photographs, personal documents, and strongly pushed in the direction of using Google services for their email, calendar, and so forth… and those would certainly entail sensitive information that I cannot imagine any Android user wanting to fall into the hands of cybercriminals and fraudsters.

I don’t think it’s about your “line of work”. It’s about what sensitive information your phone has access to.

[Ludwig] recommended users stay on the latest Android version to stay safe.

Yeah, that’s a great idea if you can find a way to update your Android phone with the latest version of the operating system.

Unfortunately, the way that Android devices are updated with new OS versions is a much more hit-and-miss affair than iPhones – leaving it to Google, service providers and handset manufacturers to all agree and co-ordinate with the rollout of an update. Sometimes, little more than a year after a new Android handset is launched, the company will reveal it is not going to release any more OS updates for it.

The stats speak for themselves. In June this year, Apple CEO Tim Cook revealed that almost nine out of ten iOS users were running the latest version of the operating system. In comparison, a mere 9% were running the latest KitKat version of Android.

Mr Ludwig – clearly you’re doing something very wrong if you’re not making it easier for users to keep their devices up-to-date against security threats as you recommend.

“I don`t think 99 per cent plus users even get a benefit from [anti-virus],” Mr Ludwig said. “There`s certainly no reason that they need to install something in addition to [the security we provide].”

Mr Ludwig said every Android app goes through an automated system that checked for issues, and verified apps before they were made available on the app store.

“By the time a user goes to install an app they`ve had … the best review of that application that is possible,” he said.


I’m not so sure that’s right. Because malware and bogus apps keep being found in the Google Play store.

Remember the Android game in the Google Play store which secretly stole private WhatsApp chats and offered them for sale?

Or how about the bogus anti-virus products that have made it into the Google Play store?

Or were you one of the 100,000 people who downloaded a fake BlackBerry BBM Android app from the Google Play store?

I could go on. Trust me, I could go on and on and on…

Clearly it would be a good idea to not just trust Google to police its store, considering its poor track record in keeping it squeaky clean, but to have an additional layer of protection as well.

And it’s not just malware.

Last year, Bitdefender researchers revealed the sorry state of security amongst apps in the Google Play store. They looked at more than 630,000 Android apps, finding many riddled with malicious ads, transferring usernames and passwords over unsecured connections, and grabbing address books.

And that’s before we even consider that there are Android smartphones being sold that have malware pre-installed!

It’s called having defence in depth. You don’t put all your eggs in one basket and blindly trust Google to keep your Android device safe.

I’m not saying that the iPhone App Store is perfect, but its ecosystem has seen nothing like the level of malware incidents experienced by Android users.

And yes, the official Google Play store is probably a safer place to get your Android apps than a third-party unofficial source, but there have been cases of malware and shady apps getting into the official store – and I sadly expect that to continue.

I must admit, I’m deeply concerned about Google’s lackadaisical attitude to its Android users’ security if it cannot see the benefit provided by anti-virus software. They may be hurt by the comparison with the lack of malware targeting iPhones, but that doesn’t mean they should have their head in the sand.

You can download a free version of Bitdefender Antivirus for Android from the Google Play store.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like