Google says less than .001% of Android malware evades Google Play security to cause harm
Every month or so there is a new story that comes out about how much malware can be found on Android or in the Google Play Store. Unfortunately, most of the reports don't include all of the information that you'd expect. Stories about malware on devices often don't mention what harm is actually caused, nor that most malware comes from sideloading, or devices without the Google Play Store. And, stories about malware in Google Play don't tend to include stats on how quickly Google removes malicious apps.
Google wants to tell its side of the story about malware, and not surprisingly, Google has a much different story to tell. According to Google’s Android Security chief Adrian Ludwig, there are multiple layers of Android security at work that end up with just .001% of malware even being able to attempt to evade security and cause problems. Of course, it should be noted that Google's numbers only include devices that have Google Play Services, and do not include non-Google Android devices which are often cited as being the most at risk for malware in regions like China and Russia.
Interestingly, Google sees one major problem being that security researchers can estimate how many malware apps are out there, but they don't have Google's data on how often those apps are actually installed and go on to cause problems, which leads to exaggeration in reporting. Google says that the majority of malware on devices with Google Play comes from sideloaded apps, of which there have been about 1.5 billion installs. 95% of users have Verify Apps turned on, and .5% of that 1.5 billion non-Google Play installs give users a warning that they might be harmful. Of that .5%, Google estimates that 40% are community-created "rooting tools" (potentially dangerous, but not really malicious), 40% are fraudulent apps that try to steal money from the user's bill by making premium calls or text messages, and 15% are spyware, with the remaining 6% being mostly malicious apps that don't fall into the previous categories.
That warning leads to most users not installing the app at all. Just .13% will finish installing an app after a warning. This brings us to the .001% of apps that even attempt to evade runtime security, and some unknown number of apps that successfully evade security in order to cause problems. We would be interested to know what that number would be if people listened to the warning and didn't install any potentially malicious apps.
Of course, all that said, you do still need to be careful, and you especially need to be careful if you are using an Android device that does not have a trusted app store on it, as any device that doesn't have Google Play Services is at a higher risk, especially if you have to rely on sideloading to get your apps. But, it should be noted that even Google's own data here is incomplete, because it doesn't mention anything about malware that evades detection in the Google Play Store and makes it out onto devices. Still, maybe this will help to quell some of the fearmongering that often surrounds Android.