Experts told TODAY that although this openness means less restrictions for users and their devices, the exposure to more risks is there.
Mr Kenny Yeo, director and head of Asia Pacific cybersecurity practice with consultancy firm Frost & Sullivan, said: “The (Android) operating system is licensed as open-source, which allows for the numerous different vendors to easily create their own Android-powered mobile devices.
“(But) this openness and ease of flexibility also unfortunately means that it can be potentially exploited by cyber criminals, by creating nefarious customisation and apps to trick users.”
Agreeing, Mr Ali Fazeli, a senior consultant at cybersecurity company Infinity Forensics, said that since Android is an open-source platform, users have more control on the phone itself and can choose to bypass certain security measures under the phone’s settings.
Android devices block the download of unknown apps by default, but if users disable this default setting, they can easily install “unknown” APK files that are not from the official Google Play Store.
Mr Ali said that users or developers do this to create apps for their private use, for instance, and may not want these personal apps to be hosted publicly on the official app store.
Having the APK option might also allow developers to bypass a specified period required to secure proper certification and onboard an app onto the official Google Play Store, he added.
Mr Terence Siau, general manager at the Centre for Strategic Cyberspace International Studies (CSCIS), said that users may also turn to third-party sites to download jailbroken apps.
WHAT SAFEGUARDS ARE THERE ON ANDROID DEVICES?
Mr Aman said that Google Play “builds protections” into its core operating system, and that it continually scans devices for malware and other harmful behaviour.
The Google Play Protect, a built-in tool on the Google Play Store, sends users a notification with options to remove, disable or uninstall a potentially harmful app, if found.
Outside of the Google Play Store, an alert is also displayed on users’ devices should they decide to download an app from an unknown source.
“Sideloading apps from an unvetted source can pose security risks to a user’s device,” Mr Aman said.
“Before users install an app from an unknown source, we remind the user to consider the risk. Then, if the users know and trust the developer, they can proceed.”
He added: “We scan more than 100 billion apps each day. Then we share our findings with the world. Because Android is open, a global community of security researchers is constantly critiquing our work.”
This allows Google to collectively improve its offerings along the way.
“We are also deepening our partnerships with government and cybersecurity agencies to identify and remove potentially harmful apps from Google Play in a timely manner, and are quick to identify and block messages on Android devices that are potentially linked to app-based spam, phishing, scams or malware,” Mr Aman said.
HOW MAY ANDROID USERS GUARD AGAINST SCAMS?
The cybersecurity experts interviewed by TODAY said that users of mobile devices are the main safeguard against such malicious apps.
Noting that the sideloading of apps is disabled by default and that alerts are also in place to warn users, Mr Yeo of Frost & Sullivan said that “device manufacturers are already putting measures in place”.
However, an unwitting user who may not truly understand the warnings may simply grant permission to an app to bypass the default setting.
“So, the most important measure possible is still the user action. The users must stop themselves from bypassing these measures,” Mr Yeo added.
As a rule of thumb, Mr Ali of Infinity Forensics said that users should download apps only from the official app store where possible. This is because the majority of these apps have already undergone a security audit.
Where an app might not be available on the official app store due to country or device limitations, users may choose to download the app from the developer’s official website.