If you install from Google Play, your chances of being compromised are steadily approaching zero.
In the name of transparency, Google has released another Android security report (officially, the Android Ecosystem Security Transparency Report) that details many aspects of exactly how secure different parts of the Android ecosystem are, and how often they're being exploited in the real world. The goal is of course to show that Android is very secure purely based on the numbers Google collects — and it has no qualms about showing off its data, because it looks really good.
We hear a lot about Android vulnerabilities that affect "millions" or "billions" of devices, but Google hits us with the hard numbers that show the reality of the situation: very few phones have so-called PHAs (potentially harmful applications) installed, and even fewer are actively exploited by those PHAs. In the first year of the report, 2014, the number of Android phones with PHAs sat at 1%, but that number has declined significantly — now in 2018, just 0.08% of Android phones installing apps solely from Google Play have PHAs.
Why's that number ludicrously low? Well, it comes down to two main attack points: better scanning on Google's side when apps are uploaded to Google Play so these PHAs don't make it up to the store in the first place, and Google Play Protect scanning on the phone side to find and remove PHAs when they're found in the wild.
That second part is applicable even for those who choose to take the risk of installing apps from outside of Google Play. Google says that among phones that have installed apps from outside of Google Play, just 0.76% have been found to have a PHA — so that means phones side-loading apps today are now less likely to have a PHA installed than any phone back in 2014. That's an incredible improvement we all benefit from.
Google is also quick to note that the rate of PHAs is lowest among newer versions of Android that are even harder to exploit — particularly since Nougat, where it's tougher to use common permission escalation-style exploits with an app and APIs give less access to data. Devices running Lollipop were found to have the highest rate of PHAs, with Nougat being less than half as likely and Pie less than half as likely again. That isn't particularly surprising since we've talked so much about Google's focus on security with new Android releases, but when the numbers back it up it's worth reiterating.
The common thread that runs through all of these security reports is that Android is less and less likely to be exploited by malicious apps with each successive year and Android release — and that's a good thing for all of us. But it also shows just how unlikely it is that your phone will be compromised by an application if you choose to only install apps from Google Play; the company's security scanning clearly works, and provides a massive benefit to the ecosystem. Stay safe out there, folks.