Google Wallet vs. Samsung Pay: Which tap-to-pay system is best?

After Robbing You Blind, This Android Malware Erases Your Phone

Rita El Khoury / Android Authority

TL;DR

BingoMod is a remote access trojan that uses your phone to set up money transfers.

The app is spread via text message, and pretends to be security software.

Once its done stealing from you, its operators remotely wipe your phone.

Update, August 2, 2024 (04:10 PM ET): Google has reached out to us with a message of reassurance:

Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.

Of course, the key word there is "known" versions, and as the team at Cleafy reported, BingoMod is still evolving and working on new tricks to evade detection. Play Protect isn't going to rest on its laurels, either, so expect this cat-and-mouse game to continue. And for your own part, keep using best practices when it comes to sourcing your apps.

Original article, August 2, 2024 (11:44 AM ET): Getting malware on your smartphone is just a recipe for a bad day, but even within that misery there's a spectrum of how awful things will be. Some malware may be interested in exploiting its position on your device to send spam texts or mine crypto. But the really dangerous stuff just wants to straight-up steal from you, and the example we're checking out today has a particularly nasty going-away present for your phone when it's done.

A remote access trojan (RAT) dubbed BingoMod was first spotted back in May by the researchers at Cleafy (via BleepingComputer). The software is largely spread via SMS-based phishing, where it masquerades as a security tool — one of the icons the app dresses itself up with is that from AVG antivirus. Once on your phone, it requests access to Android Accessibility Services, which it uses to get its hooks in for remotely controlling your device.

Once established, the malware's goal is setting up money transfers. It steals login data with a keylogger, and confirmation codes by intercepting SMS. And then when it has the credentials and access it needs, the threat actor controlling the malware can start transferring all your savings away. With language support for English, Romanian, and Italian, the app seems targeted at European users, and circumstantial evidence suggests Romanian devs may be behind it.

All this sounds bad, but not that different from plenty of malware, right? Well, BingoMod, it seems, is a little paranoid about being found out. Besides the numerous tricks it uses to evade automatic detection, it's got a doomsday weapon it's ready to deploy after achieving its goals and wiping your accounts clean: it wipes your phone.

While BingoMod supports a built-in command for wiping data, that's limited to external storage, which isn't going to get it very far. Instead, Cleafy's team suspects that the people controlling the malware remotely are manually executing these wipes when they're done stealing from you, just like you'd do yourself before getting rid of an old phone. Presumably, that's in the goal of destroying evidence of the hack — losing your personal data is just collateral damage.

That's a fresh kind of awful that we would be very happy never having to deal with. The good news is that you really don't have to. Get your apps from official sources, don't install software from sketchy text messages, and you'll be well on your way to not losing all your data in a malware attack.

Got a tip? Talk to us! Email our staff at news@androidauthority.Com. You can stay anonymous or get credit for the info, it's your choice.

You might like

Comments

The Best Encrypted Messaging Apps In 2024

The best encrypted messaging apps are an ideal way to protect your messages from prying eyes including the companies that make them.

This is because these apps come with encryption methods that are so strong that even government agencies can't crack them. The most common method is end-to-end encryption which means only the sender and recipient of a message can see its contents.

Apple's iMessage protocol uses end-to-end encryption as well but its Messages app also handles unencrypted SMS text messages. This makes it easy to get confused which is why you're better off using one of the best encrypted messaging apps instead if you want to ensure that all of your chats are secure. It's worth noting that Google's Messages app can also use end-to-end encryption but both people need to have RCS chats turned on.

These are the best encrypted messaging apps available right now for Android and iOS.

The best encrypted messaging apps you can download today

(Image credit: Signal Foundation)

1. Signal

The best encrypted messaging app for most people

Specifications

Cost: Free

Platforms: Android, iOS

Reasons to buy +

Open source and encrypted

+

Disappearing messages

+

Can secure the app with a password

Reasons to avoid -

Phone number required for sign up

Signal is a fantastic messaging solution for security-conscious mobile users. It's a free all-in-one messaging, voice-call and group-chat solution that uses its own end-to-end encryption protocol. 

You can send text messages, voice calls, group messages, media and attachments to your phone contacts, all without having to mess with PIN codes or special login credentials. Updates to the app have added user-friendly features such as custom wallpapers and animated stickers, and Signal group video chats can now have up to 40 participants.

All Signal messages can be set to self-destruct after a certain amount of time while a Chrome browser plugin lets you use Signal from your desktop as well. You can transfer Signal accounts from one Android phone to another and from one iOS device to another. In fact, you can even change phone numbers while keeping Signal account data as long as you're staying on the same device.

Signal's encryption protocol is so strong that WhatsApp and Facebook Messenger use it too. But unlike Facebook, Signal's parent company is a non-profit foundation created by an anarchist cryptographer and one of the founders of WhatsApp.

Ease of use and strong, open-source, regularly audited encryption makes Signal a favorite of the security-conscious, with accolades from Edward Snowden and other privacy advocates. User-friendliness without compromising on security makes Signal a fantastic option for users looking for an encrypted messaging and calling app. Here's our guide on how to use Signal.

Download Signal: Android, iOS

(Image credit: Natee Meepian/Shutterstock)

2. Telegram

An increasingly popular cloud-based, secure messaging app

Specifications

Cost: Free

Platforms: Android, iOS

Reasons to buy +

Intuitive interface

+

Syncs seamlessly

Reasons to avoid -

End-to-end encryption isn't enabled by default

Like Signal and WhatsApp, Telegram lets users link their phone number to a Telegram account to send fast, encrypted messaging over the internet, with client-server encryption for standard chats. 

But Telegram is much more than just a messaging service. It has grown into a worldwide social-media platform, with huge user groups and broadcasts that let accounts reach millions of followers in an instant. It has uses far beyond secure messaging.

However, end-to-end encryption is not enabled by default on Telegram. To get it, you'll have to switch to Secret Chat mode. You can set messages to self-destruct, share videos and documents and participate in group chats of up to 200,000 users. (Yes, Telegram really does support group chats that large.) However, chats with more than two participants won't be end-to-end encrypted.

A caveat? Telegram uses its own custom MTProto encryption rather than a more proven system. Here's our guide on how to use Telegram.

Download Telegram: Android, iOS

(Image credit: Shutterstock)

3. WhatsApp

A secure messaging app many of your contacts likely already use

Specifications

Cost: Free

Platforms: Android, iOS

Reasons to buy +

End-to-end encryption

+

Messages and images can self destruct

+

Widely used 

Reasons to avoid -

Requires phone number

-

Owned by Facebook

The world's most popular stand-alone chat and call app, WhatsApp has used Signal's end-to-end encryption protocol on all messages since 2016. 

Its developers are continuously adding tweaks to the app's security and privacy features, such as fine-tuned group invitations and controls so that you're always aware who is reading your group chats. 

The app is also testing transfers of chat history when switching between iOS and Android phones and using a single account on four different devices at once. Updates to WhatsApp have made it possible to have end-to-end-encrypted backups and have added the ability to make disappearing chats the default. You can also transfer your chat history from iPhone to Android, and the iOS beta suggests an Android-to-iPhone transfer feature is coming soon.

In 2014, WhatsApp was bought by Facebook, which later broke its promise that it wouldn't "monetize" the service which led its founders to leave and one of them co-founded Signal. Some WhatsApp user behavioral data is now shared with Facebook, which has created more demand for WhatsApp alternatives, but the messages remain entirely walled-off. 

No matter who owns it, WhatsApp remains one of the easiest ways for anyone to use end-to-end encrypted messaging. If you're not comfortable with Facebook's presence, there are plenty of other options on this page.

Users who want to be absolutely sure about their security can verify each chat's 60-digit security-verification code or QR code that you can compare with a contact to ensure that your conversation is encrypted. You'll also want to make sure your messages are backed up with WhatsApp itself and not with Apple's iCloud.

Combined with WhatsApp's ubiquity, ease of use and the ability to send voice messages, photos, and video messages, and conduct group chats, makes for a robust and fully encrypted mobile-messaging app.

Download WhatsApp: Android, iOS

(Image credit: Threema)

4. Threema

A private messaging app worth paying for

Specifications

Cost: $3.99

Platforms: Android, iOS

Reasons to buy +

End-to-end encryption

+

Private chats

+

No phone number or email required 

Reasons to avoid -

Not free

-

Few advanced features

Threema is a very secure end-to-end encrypted messaging app that uses the NaCl cryptography library to protect your communications. 

When you fire up the app, it generates a unique Threema ID key, allowing you to use the app completely anonymously — no names required. Otherwise, you can associate your account with an email address or phone number, which makes it easier for other Threema users to find you. 

You'll also get a scannable QR code that you can present to other Threema users if you meet in person but don't want to exchange names. 

In addition to the usual raft of messaging features such as encrypted text, voice, picture, and video messaging, the app also includes file sharing (20MB per file), emojis, group messaging and a polling system for getting feedback from friends and contacts.

While some other secure-messaging apps that haven't reached WhatsApp or Telegram adoption levels have pivoted toward the enterprise market to stay afloat, Threema still has one foot planted firmly in the consumer market. Charging a few bucks for the app makes that financially possible.

So what's the downside? Threema hasn't really caught on in the English-speaking world, so you may have a hard time finding other users unless you speak German. But its impeccable security is well worth spending $4 for.

Download Threema: Android, iOS

(Image credit: Wire)

5. Wire

Secure messaging and collaboration for businesses

Specifications

Cost: Free

Platforms: Android, iOS

Reasons to buy +

End-to-end encryption

+

Independently audited

+

Easy to use

Reasons to avoid -

Email or phone number required

-

No two-factor authentication (2FA) 

Wire features end-to-end encryption for instant messages, voice and video calls, with support for GIFs, audio and video clips, and sketches, and local and Dropbox file sharing. The app also offers multiplatform cross-device syncing and support for multiple accounts, allowing you to separate personal and work communications. 

Wire uses its own Proteus encryption protocol based on the Signal protocol, and its code is open-source and subject to external security audits. The mobile and web versions of the app are free, with a premium tier available for businesses.

The parent company, Wire Swiss, was originally founded and run out of Switzerland which is famous for its privacy laws. The holding company moved to the United States in 2019, which alarmed some users, but then moved to Berlin in early 2021.

Like Silent Circle and Wickr, the company seems to have retooled its website to appeal primarily to business users. But you can still get Wire's free consumer desktop software from the "Download" link at the bottom of the site's main page, and its mobile apps on the Play Store or App Store.

Download Wire: Android, iOS

(Image credit: Viber)

6. Viber

Secure messaging, voice and video calls all in one place

Specifications

Cost: Free

Platforms: Android, iOS

Reasons to buy +

End-to-end encryption

+

Disappearing messages

+

Hidden chats

+

Syncs across desktop and mobile

Reasons to avoid -

Not as popular as it used to be

Viber offers end-to-end encryption on all platforms. Originally developed in Israel, the app is now owned and operated by Japanese e-commerce giant Rakuten. It offers many of the same bells and whistles as Telegram, including stickers and communities, and, most recently, augmented-reality filters to jazz up selfies.

A neat feature for Viber is a color-coded lock icon to quickly show users how protected a conversation is (gray for encrypted communications, green for encrypted communications with a trusted contact, and red in the event that there is an issue with the authentication key). Viber has self-destructing Secret Chats, included in group chats and on its desktop app, plus a Hidden Chats feature for hiding chatrooms on a shared device. 

All of this is in addition to Viber's solid mobile-messaging feature set which includes text, voice, and group messaging all tied to your phone number. The app and communications with other Viber users are free, but you'll have to pay a bit for calls to non-Viber users.

Download Viber: Android, iOS

(Image credit: Meta)

7. Facebook Messenger

Encrypted messaging from the social media giant

Specifications

Cost: Free

Platforms: Android, iOS

Reasons to buy +

End-to-end encryption

+

Disappearing messages

+

Hugely popular

+

Familiar interface

Reasons to avoid -

Sending encrypted messages could be more intuitive

The near-ubiquitous Facebook Messenger may not be the first app you think of when it comes to encrypted messaging, but the mobile versions of the app include end-to-end encrypted communication options in the form of Secret Conversations. 

Based on the same encryption system used in Signal, Secret Conversations requires users to opt into the feature. It allows them to send and receive encrypted text, pictures, and stickers to and from a single mobile device, with the option for time-limited self-destructing messages like with Snapchat. 

More recently, Messenger has added options for end-to-end encryption of one-to-one voice and video calls and for end-to-end encryption of group chats, calls and video chats.

That said, Facebook Messenger is still vulnerable to being screen-grabbed, and the opt-in and single-device limitations can be an issue. Also, it's Facebook.

Download Facebook Messenger: Android, iOS

(Image credit: Dust)

8. Dust

A secure messaging app created by Mark Cuban

Specifications

Cost: Free

Platforms: Android, iOS

Reasons to buy +

End-to-end encryption

+

Stealth search

+

Screenshot notifications

+

Data breach alerts

Dust, formerly Cyber Dust, throws in multiple security and encryption features in an attempt to maintain user privacy. 

The app uses a combination of AES-128 and RSA-2048 encryption to secure posts and messages, and it's also designed to keep direct messages in RAM as much as possible, rather than in your phone's permanent storage. Messages can be set to self-destruct within 24 hours or right after being read.

Dust is also designed to not display user names in a message and informs you if a screenshot is taken from within the app. In addition to the secure messenger, Dust also packs in a privacy-watchdog feature and a stealth search tool for maintaining privacy while searching the web.

That said, it appears the Dust app is being maintained rather than actively developed, with no major features introduced since mid-2020 but we'll keep an eye on this.

Download Dust: Android, iOS

Do you need an encrypted messaging app?

Although regular messaging apps have certainly improved over the years, none of them can match the added security and peace of mind that comes with using one of the best encrypted messaging apps.

Unlike with SMS and MMS messages that can be seen by third parties, with an encrypted messaging app, only the intended recipients can read your messages. This is because the apps detailed above use encryption to prevent others from reading your messages as they don't have the encryption key needed to decrypt them.

Whether you're discussing sensitive personal information, business or anything else you want to keep private, using an encrypted messaging app will prevent your communications from being intercepted.

It's up to you to decide if you really need one but with the number of online threats and other dangers present in the world today, it makes sense to have the added protection for your messages available from one of the best encrypted messaging apps.

Android Security Checkup: 18 Steps To A Safer Phone

HomeBlogsAndroid IntelligenceAndroid security checkup: 18 steps to a safer phone by JR Raphael Contributing Editor

Android security checkup: 18 steps to a safer phone how-to Jul 24, 202429 mins AndroidGoogle PlayMobile

Android security doesn't have to be a source of stress. These level-headed steps are all you need to keep the boogeyman at bay.

Credit: JR Raphael/Google/OpenClipart-Vectors

Android security is always a hot topic on these here Nets of Inter — and almost always for the wrong reason.

As we've discussed ad nauseam over the years, most of the missives you read about this-or-that super-scary malware/virus/brain-eating-boogey-monster are overly sensationalized accounts tied to theoretical threats with practically zero chance of actually affecting you in the real world. If you look closely, in fact, you'll start to notice that the vast majority of those stories stem from companies that — gasp! — make their money selling malware protection programs for Android phones. (Pure coincidence, of course.)

The reality is that Google has some pretty advanced methods of protection in place for Android, and as long as you take advantage of those and maintain a teensy shred of common sense, you'll almost certainly be fine (yes, even when the Play Store guards slip up and let the occasional bad app into the gates). The biggest threat you should be thinking about is your own security surrounding your devices and accounts — and all it takes is about 20 minutes a year to make sure your setup is sound.

Take the time now to go through this checkup, then rest easy over the next 12 months with the knowledge that you're in good shape — and that the mean ol' Android malware monster won't be bangin' down your virtual door anytime soon.

[Psst: Want even more advanced Android knowledge? Check out my free Android Shortcut Supercourse to learn tons of time-saving tricks for your phone.]

Part I: App and web intelligence Android security step #1: Look over all the apps and services connected to your account

You've probably granted countless apps access to parts of your Google account over time — which is no big deal in general, but with any apps you're no longer using, it's a smart idea to close the connections.

Visit this page in Google's security settings to see a list of everything that's authorized and what exactly it can access. If you encounter anything you don't recognize or that you no longer use, click it and then click the "Delete all connections" option to give it the boot.

App connections are forever — unless you take the time to remove 'em once they're no longer needed.

JR Raphael, IDG

While you're at it, take two minutes to look through the list of apps on your phone and uninstall anything you're no longer actively using. That'll eliminate unnecessary windows to different areas of your data — and as an added bonus, it'll free up space and cut down on potentially phone-slowing resource use, too.

Android security step #2: Revisit your Android app permissions

Speaking of dusty old skeletons on your device, it's all too easy to grant an app access to some sort of information without giving it much thought during that initial setup process. That's why it's well worth checking in periodically to remind yourself what permissions the apps on your phone possess — and to see if any of 'em go beyond what seems reasonable or necessary.

With recent Android versions, you can just open up the Security & Privacy section of your system settings and look for a line that says "Permission manager." Depending on your specific software and device, you might have to first tap a line that says "Privacy" before you see it. (If you don't see anything like that, try searching your system settings for the word permissions to find the closest equivalent.)

Whatever it's called and however you get there, you should ultimately end up facing a collection of categories for all the types of permissions you've granted to apps on your device over time. Take a peek through 'em all and see what you find. If you see anything that raises an eyebrow, all you've gotta do is tap it to revoke the access.

Android's permissions manager makes it easy to see and control exactly what permissions different apps have been granted.

JR Raphael, IDG

For even more insight, look for the "Privacy dashboard" option within that same section of your system settings (or "Permissions used in last 24 hours," in Samsung's vernacular). That'll let you see exactly which apps have actually accessed different permission-requiring areas over the past 24 hours.

And remember, too: With Android 10 and higher, you can go a step further when it comes to location and allow an app to access that only when you're actively using it. With Android 11 and up, you can get even more nuanced and grant apps only temporary, case-by-case permissions to access your location, camera, and microphone. And as of Android 12, you can fine-tune an app's location access to make it only approximate instead of precise, if you like.

You'll find all those options within any relevant app's settings, once you dig into one of those related permissions:

You can now get incredibly nuanced with certain Android app permissions to control exactly how and when an app is able to access them.

JR Raphael, IDG

Critically, in all of those cases, it's up to you to go through your settings and make the associated changes — especially when it comes to apps you had on your device before the relevant Android upgrade reached you and the latest options for permission control became available.

Android security step #3: Verify that you're using Android's app-scanning system

Android has long had the ability to monitor your device for harmful code or suspicious activity — no third-party apps or add-ons required. And while the system is now automatically enabled on any reasonably recent device, it's a good idea to occasionally confirm that everything's turned on and working the way it should, if for no other reason than to remind yourself that such a system is present and working on your behalf.

So mosey back over to the Security & Privacy section of your system settings, tap the line labeled "App security," then tap "Google Play Protect" and take a peek at the system's latest activity. You can also tap the gear icon in the upper-right corner of the screen to confirm that all available toggles are on and active.

You rarely have to think about Google Play Protect, but it's well worth being aware of its presence.

JR Raphael, IDG

That'll allow Android's app verification system to keep an eye on all apps on your device, even after they're installed, and make sure they don't do anything dangerous. The scanning will run silently in the background and won't ever bother you unless something suspicious is found.

Odds are, you'll never even know it's there. But it's a valuable piece of protection and peace of mind to have, and it's a good idea to keep it in the back of your mind that it's present.

Android security step #4: Fight phishing

Even the savviest tech user can fall prey to a well-hatched phishing scheme — an effort by some ne'er-do-well to trick you into willingly giving up sensitive info, usually by making an email, text, or other digital request look like it's from some official source that needs to confirm an account number or something else along those lines.

Suffice it to say, any extra layer of protection from such tactics can only be a good thing. And if you've got a Google Pixel phone, good news: There's a relatively new option available to you that watches out for any known deceptive patterns and warns you about 'em before they're able to manage any damage.

On any current Pixel device, head into the Security & Privacy section of your system settings, tap "More security & privacy," then scroll down and tap "Scanning for deceptive apps."

The relatively new phishing protection system is presently available on Google's own Pixel devices.

JR Raphael, IDG

Make sure the toggle on the screen that comes up next is in the on and active position, then breathe easy with the assurance that Google's got your back when it comes to any phishing attempts cast in your direction.

Android security step #5: Weave a stronger web safety net

Along with phishing, one of the most likely threats to your Android security is your own lapse in judgment whilst wading around these ever-murky web waters of ours. (Sensing a theme here yet?)

Provided you're using Google's Chrome Android browser, though, there's an easy way to create an extra layer protection in that arena as well.

Just tap the three-dot menu icon in Chrome's upper-right corner, then select "Settings" followed by "Privacy and security" and "Safe Browsing." Now, consider which level of protection seems most sensible for you:

Standard protection, which warns you if you try to open a site or download a file that's known to be dangerous.

Enhanced protection, which goes a step further and protects your Android web browsing in real-time — by instantly scanning every page you open and file you download and then warning you of anything potentially concerning, even if it isn't already a known threat. (This path does require limited data about your browsing activity to be sent to Google's servers for analysis, but Google has clear promises in place about exactly how that data is protected and secured from any manner of unexpected use.)

Pick the path you feel most comfortable pursuing, and know that your web adventures now have that extra safety net around 'em.

Android security step #6: Appraise your app-downloading IQ

If you're reading this column, I probably don't need to tell you this — but I will, anyway: While we're thinking about the subject of Android security, take on a teensy bit of responsibility and commit to letting common sense guide your app-downloading decisions.

Let's not kid ourselves: Google's security mechanisms are invariably gonna fail on occasion. There's no getting around that. But even when a shady app makes its way into the Play Store, all it typically takes is the tiniest shred of awareness to avoid having it affect you.

Just as you do when browsing the web from a computer, look at something before you download it. Look at the number of downloads and the overall reviews. Think about what permissions the app wants and whether you're comfortable with the level of access it requires. Click the name of the developer, if you still aren't sure, and see what else they've created. And unless you really know what you're doing, don't download apps from random websites or other unestablished third-party sources. Such apps will still be scanned by Google's on-device security system before they're installed, but your odds of encountering something shady are significantly greater out in the wild than within the Play Store.

(Your Android device won't let you download apps from unknown sources by default, by the way, so if you ever try — even inadvertently — you'll be warned and prompted to authorize that specific form of non-Play-Store download. Apps on Android will never magically install themselves without your explicit authorization, nor will they ever be able to access any sensitive sensors or areas of data unless you grant 'em the associated permission.)

By and large, all it takes is a 10-second glance to size something up and see if it's worth installing. With all due respect to the dodos of the world, it doesn't take a rocket scientist to stick with reputable-looking software and avoid questionable creations.

Part II: Passwords and authentication Android security step #7: Double-check your digital sentinels

A quick no-brainer that's important to mention: If you aren't using biometric security and/or a PIN, pattern, or password on any of your devices, start doing it. Now.

Talk to any security expert, and you'll hear the same thing: The most likely cause of a security failure is simply a failure on your behalf to secure your stuff. You are the weakest link, as the cool kids said 20 to 47 years ago.

Embarrassingly dated pop culture references aside, think about it: If your phone has no passcode protecting it, all of your data is just out there and waiting for the taking anytime you leave the device unattended (intentionally or otherwise). That includes your work and personal email, work and personal documents, work and personal social media accounts, and any and all photos associated your phone (yes, even those photos — hey, I'm not here to judge).

The best part: Android makes it hassle-free as can be to keep your devices secure. The software's Smart Lock function (which is curiously in the midst of being rebranded to Extend Unlock, for reasons I can't even begin to fathom) allows you to automatically leave your phone unlocked in a variety of preapproved "safe" conditions — like when you're at home or the office, when a specific trusted Bluetooth device is connected, or even when the phone is being carried in your pocket. That means the extra security shows up only when it's really needed, and you don't have to mess with it the rest of the time.

You can typically find and set up Smart Lock/Extend Unlock in the Security section of your system settings, typically tucked away behind an "More security & privacy" option — or, on Samsung devices, within the Lock Screen section of the system settings. If all else fails, just search your system settings for Smart Lock or Extend Unlock to turn up the available options.

Extend Unlock — formerly and sometimes still known as Smart Lock — creates a smart balance of security and usability.

JR Raphael, IDG

Plain and simple, there's no excuse to leave your stuff unprotected. Head into your device's settings to get started this second, if you haven't already.

Android security step #8: Peek in on your saved passwords

One of the less frequently discussed parts of Google's security system is its ability to save passwords for websites and apps accessed via your mobile devices, as part of what's now known as Google Password Manager. So as part of your annual checkup, glance over the list of saved passwords Google has for your account to remind yourself what's there and see what, if any, of your credentials have been compromised (which Google will plainly warn you about at the top of that very same screen). 

While you're at it, take a few seconds to remove any dated items that are no longer needed and don't belong. Your future self will thank you.

Android security step #9: Assess your password management system

Google's password manager is better than nothing, but you'll get stronger security assurances, more advanced and useful features, and broader support for in-app password filling by using a dedicated password management service.

We've got some commendable Android password manager choices, too, with my own current recommendations revolving around 1Password for most people and Bitwarden for anyone who needs a free path or prefers a self-hosted setup. Both services work equally well on the desktop front and even on iOS, with the main differences revolving around cost, extra features, interfaces, and the resulting overall user experiences.

If you aren't using one of those services, now's the time to start. And if you are already using such a service, take a few minutes now to peek into the app's settings and make sure you're taking advantage of all the on-device protection it offers. With 1Password, for example, you should confirm that the app is set to be protected by either biometric security or a password and that it's configured to automatically lock within a few minutes after you stop using it. The app can also automatically clear your system clipboard of any passwords you copy after 90 seconds, which is a smart pinch of added protection to have. (All of those options are in the Security section of 1Password's settings.)

Like Google, most good password managers also now provide an option to analyze all of your passwords and identify any that would be advisable to change — ones that are duplicated or otherwise not as strong as they could be. That's another smart thing to check up on as part of this annual audit.

Android security step #10: Evaluate your two-factor authentication situation

A single password isn't enough to protect an important account these days — especially one as wide-reaching and valuable as your Google account. Two-factor authentication makes it so that you have to either confirm the sign-in on an approved physical device or put in a special time-sensitive code in addition to your password anytime you try to sign in. That significantly increases your level of security and decreases the odds of anyone ever being able to break in and access your personal data, since they'd need both knowledge of your password and the physical presence of your key-like device to do it.

If you don't yet have two-factor authentication enabled for your Google account, head over to this site to get started. And don't stop with just Google, either: Look into enabling two-factor authentication on any service that offers it, including your password manager, your social media accounts, and any non-Google cloud storage services that you use.

If you really want to keep your account secure, Google also offers a souped-up option called Advanced Protection. It requires you to purchase physical security keys and then use those anytime you sign into your Google account. It also severely limits the ways in which third-party apps can connect to your account. That sort of elevated and locked-down setup probably won't be sensible for most folks, but if you feel like you need the extra protection, you can learn more and enroll here.

Android security step #11: Optimize your lock screen security

Your lock screen is the guard of your Android device's gate — and there are a few things you can do to beef up its muscle and make sure it's fully prepared for the job.

First, think about the types of notifications you get and how much of that info you want to be visible on your lock screen — since anyone who gets their hands on your phone could easily see all that data. If you tend to get sensitive messages or just want to step up your security and privacy game a notch, head into the Display section of your system settings and select "Lock screen" — or, if you're using a Samsung phone, look in the separate Lock Screen section of your system settings instead.

There, you'll find tools for controlling precisely what will and won't be shown in that pre-authentication area as well as for creating a security-minded message that'll always appear on your lock screen — for instance, something like: "If found, please call Joe T. Schmo at 333-222-1111." You could even consider adding an emergency contact into your settings and then using the lock screen message to direct people to that information.

Android's lock screen security options are well worth your while to explore.

JR Raphael, IDG

And finally, provided your phone is running Android 9 or higher, an option called lockdown mode is well worth your while to activate or just remind yourself about. Lockdown mode gives you a fast way to lock your phone down from all biometric and Smart Lock/Extend Unlock security options — meaning only a pattern, PIN, or password could get a person past your lock screen and into your device.

The idea is that if you were ever in a situation where you thought you might be forced to unlock your phone with your fingerprint or face — be it by some sort of law enforcement agent or just by a regular ol' hooligan — you could activate the lockdown mode and know your data couldn't be accessed without your explicit permission. Even notifications won't show up on your lock screen when that mode is activated, and that heightened level of protection will remain in place until you manually unlock your phone (even if the device is restarted).

There's just one catch: On some devices — including Samsung phones — it's up to you to enable the option ahead of time in order for it to be available. But doing so takes only a couple of seconds: Search your system settings for lockdown and then look for the toggle to enable it. (If you don't see any such option at all, odds are, you're using a Google Pixel phone and/or a recent enough Android version that it's just on and enabled by default.)

Then, if the need ever arises, remember this: In your phone's power menu, along with the regular options for restarting and shutting down your device, you'll always find a button to activate that "Lockdown" function. Hopefully, you'll never need it — but now you're ready in case you do.

And with that, guess what? You're more than halfway done with this annual checkup. Not too painful so far, right? Only seven more steps to go…

Part III: Device access Android security step #12: Clean up your list of connected devices

Anytime you sign into a new device with your Google account — be it an Android phone, a Chromebook, or even just the Chrome browser on a regular PC — that device is added to an approved-for-access list and associated with your account.

Click over to this page in Google's security settings and give your list a once-over. If you see any old devices you no longer use, click on 'em and then click the "Sign Out" button that pops up to make sure they no longer have access to your account. And if you see any devices you've never used, remove 'em right away — and then go change your Google account password immediately.

Android security step #13: Clean up your devices in the Play Store

This one isn't directly related to security, but it's a good bit of housekeeping to perform