How should I protect myself from malware on Android?

[Belonging to Abba]

I recently read this news article https://thehill.com/homenews/nexsta...licious-downloads-in-google-play-store-study/
that says that there were malware apps that steal banking information with 5.5 million downloads. Since I recently switched to Android, I am worried I could easily download a malware app, since I tend to download a lot of apps. One of the specific malware apps mentioned was the anatsa or teabot apps that are designed to steal debit or credit card numbers from hundreds of financial apps. These malware apps were hidden in tools like PDF or QR code readers. Since I download a lot of apps I think with Android it might be good to just make the assumption that malware is already on my phone and just not download the app for my specific bank. Also, I am wondering if I sign up for a music subscription like Spotify using a separate computer, can the malware copy my debit card number out of the Spotify website or Spotify app? If I make donations to charitable organizations using my debit card number on the website or app, could the number be captured? Should I use my secondary bank account that has less money in it for these transactions or online subscriptions? If my money is stolen, is there any guarantee I can get it back by calling my bank?

 

[AlexB23]

I recently read this news article https://thehill.com/homenews/nexsta...licious-downloads-in-google-play-store-study/
that says that there were malware apps that steal banking information with 5.5 million downloads. Since I recently switched to Android, I am worried I could easily download a malware app, since I tend to download a lot of apps. One of the specific malware apps mentioned was the anatsa or teabot apps that are designed to steal debit or credit card numbers from hundreds of financial apps. These malware apps were hidden in tools like PDF or QR code readers. Since I download a lot of apps I think with Android it might be good to just make the assumption that malware is already on my phone and just not download the app for my specific bank. Also, I am wondering if I sign up for a music subscription like Spotify using a separate computer, can the malware copy my debit card number out of the Spotify website or Spotify app? If I make donations to charitable organizations using my debit card number on the website or app, could the number be captured? Should I use my secondary bank account that has less money in it for these transactions or online subscriptions? If my money is stolen, is there any guarantee I can get it back by calling my bank?

Well, avoid the Google Play Store and use F-Droid, an open-source app store, where all apps are free and most are open-source. Also, no one needs music subscriptions, when music on YouTube is free, and one can use an ad-blocker.

F-Droid - Wikipedia

en.wikipedia.org

 

[nhaas11]

Just a note, Never use your Debit Card, that is your money, if it is stolen it could take months to get it back. Use a credit Card on your Mobile device. One call to your credit card company and the charges are usually removed in 72 hours.

F Droid is a good starting point to the anti-privacy Google Play Store - But it is not full proof. What is F-Droid and should you use it? | Proton

 

[Wookiee]

I recently read this news article https://thehill.com/homenews/nexsta...licious-downloads-in-google-play-store-study/
that says that there were malware apps that steal banking information with 5.5 million downloads. Since I recently switched to Android, I am worried I could easily download a malware app, since I tend to download a lot of apps.

Research apps thoroughly before downloading them.

One of the specific malware apps mentioned was the anatsa or teabot apps that are designed to steal debit or credit card numbers from hundreds of financial apps. These malware apps were hidden in tools like PDF or QR code readers. Since I download a lot of apps I think with Android it might be good to just make the assumption that malware is already on my phone and just not download the app for my specific bank.

Wipe your phone and start again, then. Also you're far more likely to be targeted through a web browser than an app; just FYI in case you're using the bank's site instead of its app on your phone (the app will be far more secure).

Generally when you think or know you have malware, the solution is to factory reset.

Also, I am wondering if I sign up for a music subscription like Spotify using a separate computer, can the malware copy my debit card number out of the Spotify website or Spotify app? If I make donations to charitable organizations using my debit card number on the website or app, could the number be captured?

If the device you are using is actively targeted with malware when you enter your card information, there is the possibility the number is collected from your device. If it's saved as a Notepad file or into your browser's "remember my details", there's a chance it can be.

If it's not saved (you declined remembering your credit card details, or haven't saved it anywhere), that is now stored directly on Spotify's servers. It's their problem and responsibility. It is encrypted, and can't be viewable no matter what of your credentials they have. However, if Spotify gets hacked and their payment information is decrypted... yes. You'll be in trouble. But so will everyone else.

If my money is stolen, is there any guarantee I can get it back by calling my bank?

Sometimes.

 

[Belonging to Abba]

Ok thanks. I think there is no malware on my phone yet, since it is a new Android phone, but since I tend to download a lot of apps I should be careful.

 

[Belonging to Abba]

I just signed up for a free trial of YouTube premium and I made sure to use the debit card number of my secondary bank account that has only a few hundred dollars. So the number is entered into Google Play services I think. If malware ever got on my phone in the future, could it copy the debit card number from Google?

 

[Wookiee]

I just signed up for a free trial of YouTube premium and I made sure to use the debit card number of my secondary bank account that has only a few hundred dollars. So the number is entered into Google Play services I think. If malware ever got on my phone in the future, could it copy the debit card number from Google?

They can't pull the number from Google. Once it has been entered into a service, it is their responsibility to protect the number.

However, your password can be compromised and they can use the payment information to buy things on Google Play. You should ensure all of your accounts are setup with MFA to reduce the likelihood of this happening. Even irrespective of malware concerns.

 

[JesseRaymondBassett]

Use an internet security product on it. Like AVG free or something like it. That will protect your device.