To reduce the number of harmful apps targeting Android users, Google has announced that certified Android devices will require all apps to be registered by verified developers in order to be installed.
But this new measure is not just about malware that’s found on the Google Play Store, it’s mainly about sideloaded apps (apps downloaded from outside the official Google Play Store).
Since August 31, 2023, apps on the Play Store already were subject to a D-U-N-S (Data Universal Numbering System) number requirement. Google says this has helped reduce the number of cybercriminals exploiting anonymity to distribute malware, commit financial fraud, and steal sensitive data.
To broaden this success, Google intends to start sending out invitations gradually starting October 2025, before opening it up to all developers in March 2026. In September 2026, the requirements go into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified Android device in these regions must be registered by a verified developer. The requirements will then be rolled out globally.
This initiative, branded as ‘Developer verification,’ aims to combat the widespread problem of malware from sideloaded apps. Google says its research shows that 50 times more malware comes from sideloaded sources than from Google Play itself.
So, the new rules extend to everyone distributing Android apps, including those hosting them on third-party app stores or offering APK downloads directly. For developers who distribute their apps solely through the Google Play Store there will not be much of a change.
Yet, while legitimate developers will tell you how hard it is to get their apps accepted into the Google Play Store, cybercriminals manage to sneak in their malicious apps anyway.
For a full understanding of the new requirement, we’ll need to explain what “certified Android devices” are.
A definition for a certified Android device is: an Android product—such as a smartphone, tablet, smart TV, or streaming box—that has passed a rigorous series of Google security, compatibility, and performance tests, and is officially approved by Google. Certified devices run an official version of Android and have access to Google apps and the Play Store. Uncertified devices often lack these and may not receive updates or proper security support.
This is important to know because not all Android malware is limited to phones. Take for example, the BadBox botnet which also affects devices like TV streaming boxes, tablets, and smart TVs.
In practice, a certified device encompasses all mainstream devices from Samsung, Xiaomi, Motorola, OnePlus, Oppo, Vivo, and the Google Pixel line.
Reportedly, non-certified devices are those from Huawei, Amazon Fire tablets, and a set of Chinese TV boxes and smartphones that use heavily modified OS images.
Google encourages all developers to sign up for early access as the best way to prepare and stay informed.
“Early participants will also get:
An invitation to an exclusive community discussion forum.
Priority support for these new requirements.
The chance to provide feedback and help us shape the experience.”
Whether these controls will be effective largely depends on enforcement and public awareness, but Google feels it marks real progress toward a safer mobile ecosystem. Let us know how you feel about this in the comments.
We don’t just report on phone security—we provide it
Your McAfee Total Protection subscription also gets you premium access to the True Key password manager. In fact, you get five licenses for True Key, so five individuals in your household can each have their own personal password manager. And each of those users can install True Key on all their Windows, macOS, Android, and iOS devices simply by installing from the app store and then activating with the code you give them.
Create Your Account
You’ll find a Password Manager menu item in the My Protection menu’s Privacy section. But that doesn’t mean this component lives within the suite. When you click that panel, it sends you to the web to initialize and configure True Key.
As part of the setup process, you create a master password of at least eight characters. True Key rates your password as you type, but it’s very lax. It rated “passwor” as Weak and “password” as Very Weak, but said “pass word” with a space was Acceptable. Yes, as you’ll see below, you can configure True Key so it doesn’t even require a master password for authentication, but you should still protect your credentials using a strong master password, something that you can remember but that nobody would guess.
Get Our Best Stories!
All the Latest Tech, Tested by Our Experts
Sign up for the Lab Report to receive PCMag’s latest product reviews, buying advice, and insights.
Sign up for the Lab Report to receive PCMag’s latest product reviews, buying advice, and insights.
Your subscription has been confirmed. Keep an eye on your inbox!
Simple Tricks to Remember Insanely Secure Passwords
On Windows or macOS, True Key installs as a browser extension for Chrome, Edge, Firefox, or Safari. Just like the PassWatch component in UltraAV, there’s no separate True Key app on these desktop platforms.
True Key installs as an app on iOS, with its own internal browser. It can fill passwords in other browsers if you enable it as an AutoFill provider. On Android, True Key also installs as an app with an internal browser. It directly supports Chrome, Opera, and several other Android browsers. Once you enable True Key’s Instant Log In, it can also log in to most Android apps.
(Credit: McAfee/PCMag)
True Key works hard to ease you into password management. It starts by displaying a list of over two dozen popular websites and encouraging you to add one as a login. When you click an item, it opens that page in the browser, explaining that all you need to do is log in as usual. It also walks you through the process of clicking a saved item to automatically revisit the site and log in.
(Credit: McAfee/PCMag)
You can speed up the setup process by importing data from another password manager, but the choices are very limited. The import process supports LastPass, Dashlane, and True Key itself, as well as importing from Chrome or Edge. An option titled Other Browsers directs you to export existing passwords to a CSV file and import them into True Key. Typically, the way to make this work is to export a CSV file and duplicate its format. In this case, I simply couldn’t achieve a successful import, not even when exporting existing entries and importing them right back in.
Basic Password Management
True Key does all the basic password management tasks you’d expect. When you log in to a website, it slides in a banner offering to save your credentials. If you revisit a site whose credentials True Key already holds, it fills them in automatically. When more than one set of credentials is available, it pops up a menu so you can choose.
(Credit: McAfee/PCMag)
If True Key notices that you’re creating a new account, it offers to generate a secure password. You can also invoke the password generator at any time by clicking its button above the list of accounts.
By default, True Key creates 16-character passwords using small letters, capital letters, numbers, and special characters. You can set the length to any even number from 8 to 30. Since you don’t have to remember these passwords, consider making them 20 characters or even longer.
(Credit: McAfee/PCMag)
In testing, True Key captured all the logins I tried, including two-step ones like Google and Yahoo. Once I got a few dozen passwords in place, I found the main list a bit unwieldy. By default, it’s sorted alphabetically, though you can sort by most used or recently used. If you save a lot of logins, you’ll find the search box handy.
There aren’t a lot of settings to worry about, but there’s one every user should update. True Key logs you out after a period of inactivity, but unlike most competitors, the default for this period is a full week! We strongly recommend setting it to no more than 30 minutes. This is a per-device setting, not global to your account, which makes sense—you might want a different timeout on your smartphone than on your PC.
Secure Notes and Personal Wallet Data
You can save any number of free-form color-coded secure notes and access them from any device. This can be handy for things like locker combinations and other real-world secrets.
Clicking Wallet lets you add personal data in six categories: Address Book, Credit Card, Driver’s License, Memberships, Passport, and Social Security Number. You can color-code these entries if that helps you keep them organized. Note that when you store a credit card in Dashlane, you not only get to pick the color to match the physical card, but you can also apply the bank’s branding.
(Credit: McAfee/PCMag)
Most password managers that store personal data use it to help you fill out web forms. RoboForm rules this group—it started life as a form-filling tool and evolved into password management. True Key doesn’t offer form-filling aid, although you can copy data and paste it into those forms. As with secure notes, the personal items you enter become available on all your devices.
Multi-Factor Authentication
True Key’s biggest strength lies in its ability to use multiple factors for authentication. Right from the start, it requires both the master password and a trusted device. Any attempt to log in from a device that’s not yet trusted requires additional authentication. In testing, it used various techniques, including verification email and swiping a notification on an existing trusted device.
What Is Two-Factor Authentication?
You can add other factors in settings. Your trusted email account is automatically available for verification, and your master password is active by default. You can also require authentication using a second device, typically a mobile device. The second device receives a request for authentication, and you simply respond by swiping. If your PC supports Windows Hello, you can use it as an authentication factor.
(Credit: McAfee/PCMag)
In the distant past, True Key used to support biometric authentication factors, but not anymore. In addition, contrary to its seeming emphasis on multiple factors, it doesn’t work with common choices like registering an authenticator app or receiving codes through SMS. Nor does it support authentication using a hardware security key.
Password Recovery Options
True Key initially requires a master password, but you can choose to rely on a combination of other factors instead. Even if you do, the master password remains available as a fallback.
Password managers that rely on a master password usually offer a warning that if you forget that password, they can’t help you. (That also means they can’t be compelled to unlock your account for the NSA, which is a plus.) McAfee can’t unlock your account or tell you the master password you forgot, but if you’ve defined other factors, True Key lets you authenticate with those and thereby reset the master.
You’re not likely to lose a desktop computer, but it’s awfully easy to misplace a laptop or mobile device. If someone else gets hold of your device, you can remotely remove it from the trusted list.
Just the Password Management Basics
True Key is easy to set up and easy to use, and it comes with your Total Protection subscription, but it lacks advanced features. There’s no audit for weak passwords like you get with Dashlane, Keeper Password Manager, and others. The best password managers, NordPass and Proton Pass among them, provide secure sharing, along with a digital legacy to give your heirs access. True Key lacks even the simple ability to fill web forms. You may be better off choosing from the best free password managers instead.
September 12, 2025: With this update, we added Malwarebytes Ultimate, and based on updated independent lab tests, Avast One Platinum is now our security suite with the best lab scores. Our remaining picks have been vetted for currency and availability. Since our last update, we reviewed and evaluated two new security suites for potential inclusion in this roundup. We currently have one more security suite from McAfee in PC Labs for evaluation.
Award-winning antivirus
Protects Windows, macOS, Android, and iOS devices
Online management and remote control
VPN, spam filter, and parental control
Vast number of additional bonus features
Full VPN access requires a separate subscription
Parental content filter not fully effective
Support for iOS is limited
You almost certainly have security protection for your PCs, but have you protected your other devices? Bitdefender Total Security pours all the excellent features of Bitdefender Antivirus Plus into your Windows boxes and goes on to offer protection for your macOS, Android, and iOS devices. It also kicks its Windows game up a notch with password management, system optimization, an unusual anti-theft component, and more.
You can manage your installations (or launch new ones) from the handy Bitdefender Central online console. When installing protection on a Mac, you get Bitdefender Antivirus for Mac, an Editors’ Choice in its own realm, and the same limited VPN you see in Windows. Installed on Android, Total Protection brings a comprehensive collection of security features. It’s an impressive Android app. As with all cross-platform suites, Bitdefender’s iOS protection is relatively limited.
Bitdefender Total Security thoroughly protects your Windows devices, with all expected suite features and more. But Windows boxes are only part of the picture. Total Security also offers award-winning protection for your Macs, a comprehensive suite for your Android devices, and even a modicum of security for iOS. If you need to secure and manage a household full of disparate devices, this one’s for you.
Children’s identity features limited in Family Plan
You’ve installed security on your PC, your Mac, and your mobile devices. But what about your partner’s devices and all those electronic devices that so enrapture your children? You could be looking at quite an expense to get them all protected. Unless that is, you turn to McAfee+. This generous suite lets you protect every device in your household, whether it runs Windows, macOS, Android, or iOS. It even supports Chromebooks and ARM-based laptops. That protection includes the use of McAfee’s VPN with no limits on bandwidth or server choices, as well as numerous security bonus features.
McAfee+ comes in three tiers: Premium, Advanced, and Ultimate. You get basic Dark Web monitoring of personal information at all three levels. The Advanced and Ultimate levels include full-scale identity theft monitoring and remediation, roughly parallel to Norton’s LifeLock and to Bitdefender Identity Theft Protection. It doesn’t monitor quite as many different aspects of your identity, but it hits the important ones. And, like Norton and Bitdefender, it comes with a guarantee. If you suffer identity theft, McAfee will spend up to a million dollars helping you to a full recovery.
If you live in a Manhattan rent-controlled apartment with your cat, your PC, and your Android, this isn’t the suite for you. But if you have a house full of modern, digitally active people, it can be a godsend. More than 10 devices? More than 25? Relax, they’re all covered!
Effective protection against dangerous and fraudulent websites
Powerful, self-sufficient firewall
Parental control unavailable on macOS
Online backup strictly for Windows
Data-broker opt-out system limited
When you buy a security suite, there’s an implied promise that it will keep you safe. Norton 360 Deluxe makes that promise explicit. As long as you choose auto-renewal, you’ve got a guarantee that Norton support will handle any malware that gets past the app’s protection. And that’s some powerful protection—the independent labs we follow frequently give Norton perfect to near-perfect scores. It also aces many of our hands-on tests.
This suite includes a robust, intelligent firewall, a basic password manager, and a dark web monitoring system to warn if your private data is exposed. Your subscription lets you protect up to five devices running Windows, macOS, Android, or iOS. It also gets you five full licenses for Norton’s VPN. That’s a plus. Many other suites make you pay extra to remove limits from their included VPN components, or reserve a no-limits VPN for their most expensive tier. And the 50GB of online storage for your backups is a nice bonus.
Norton security programs have been around for decades, and the brand has plenty of fans. This is a good choice for anyone who wants a time-tested suite that covers all the bases, but it’s especially good for those who wisely opt to protect their connections with a VPN.
Dedicated resolution specialists help remediate identity theft
Identity theft insurance
No-limits VPN
Parental content filter not fully effective
Password manager lacks advanced features
Cannot actually prevent identity theft
Bitdefender Ultimate Security is the pinnacle of the company’s security pantheon. It incorporates Bitdefender Total Security, Bitdefender Premium VPN, the SaferPass Password Manager, Bitdefender Digital Identity Protection, and more. You also get a full-scale identity protection and remediation system, complete with privacy monitoring, breach alerts, and white-glove personal assistance in the event you do experience identity theft. Bitdefender backs its identity theft with a million-dollar guarantee; two million at the highest subscription tier.
Like most suites that incorporate identity theft services, Ultimate Security’s price looks high at first. But if you sum up what you’d pay for its components individually, it begins to seem like a bargain. And if you subscribe at the family level, you can protect up to 25 devices and extend identity protection for up to five individuals.
You already know that Bitdefender is a trusted name for antivirus tools, security suites, VPNs, and more. When you want protection against identity theft, it’s only natural that you’d choose Bitdefender to supply it.
Norton’s security software can protect your devices and your local data, but it can’t reach out into the real world and protect your identity. That’s why you want Norton 360 With LifeLock. This suite starts with everything we like about Norton 360 Deluxe and adds identity monitoring and identity theft remediation supplied by identity pioneer (and Norton property) LifeLock.
Once you’ve set up LifeLock, Norton monitors the dark web for any sign that your identity has been compromised. It tracks possible misuse of your SSN, unexpected new accounts opened in your name, and anomalous financial transactions. If you lose your wallet (or have it stolen), Norton can help deal with the fallout. You get periodic credit reports, along with help freezing your credit if necessary. And if the worst happens and your identity is stolen, Norton will spend up to three million dollars on remediating the theft.
You can choose from three protection tiers, each with more identity theft features, device-protection licenses, and storage for your online backups. The top tier, $349 per year, includes all identity features, protection for unlimited devices, and 500GB of backup storage.
Are you horrified to think that some malefactor could masquerade as you, open accounts in your name, spend your money, even commit a crime while posing as you? Yes, identity theft can be a nightmare. Norton 360 With LifeLock protects your devices against malware and such, and also functions as an early warning system so you can nip identity theft in the bud. What a combination!
Identity theft protection for you and five family members
Device-level security for Android, iOS, macOS, and Windows
Excellent antivirus lab scores
24/7 support for all tech problems
Thorough monitoring of credit and data breaches
Dedicated resolution specialists help remediate identity theft
Device-level protection limited on Android, more so on iOS
Doesn’t add much to security suite features available in free edition
Cannot actually prevent identity theft
Instead of the typical squares and rectangles, Avast One Platinum decorates its display with color splotches, doodles, and happy people. If you like top-notch lab scores, you’ll be happy too. The independent antivirus testing labs all keep an eye on Avast, and it earns perfect scores in almost all of their tests. It rates near the top in our hands-on tests, too.
Antivirus protects your data locally, while a no-limits VPN protects it in transit. Among other unusual security features, Avast can keep untrusted programs from using the webcam and check if any of your passwords have been exposed in a breach. You also get a set of performance enhancement features liberated from the limits imposed in Avast’s free edition. And you can install Avast on up to 30 devices.
In addition to powerful device-level protection, the Platinum subscription includes identity theft protection for you and five family members. It alerts you to data breaches and other dangers, with easy access to dedicated resolution specialists and a promise to spend up to $2 million to remedy the damage. You also get concierge-level 24/7 support for all your tech problems.
Avast is a household name around the world, with millions relying on its free antivirus. If you’re an Avast aficionado looking to kick your security game up a notch and add whole-family identity theft protection, this suite is the way to go.
Password manager lacks secure sharing and inheritance
Though ESET’s blue-eyed cyborg mascot no longer graces its main window, ESET Home Security Ultimate still leans toward high technology. For example, it offers a Device Control system that gives you granular control over what device types and devices can connect to your PC. You could block USB drives in general, but allow the use of those you’ve personally vetted, for example. This suite has a big set of security tools, some of which are fine for all users and some of which require serious tech expertise. Going beyond ESET’s other suites, it offers a capable VPN and identity protection for the whole family.
Other ESET features include a network inspector, a firewall, a spam filter, an anti-theft system for laptops, webcam security, banking protection, and a limited parental control system. ESET’s Android edition provides a comprehensive set of security features, and the labs give it top marks. On a Mac, ESET offers antivirus, firewall, parental control, and simplified device control.
Quite a few features in the ESET Home Security Ultimate require an uncommon level of technical expertise. If you’re that rare person whose expertise rises to the necessary level, this suite is for you. Setting up identity protection and configuring the VPN should be a snap. You’ll use the Network Inspector to gain full insight into your devices, take system status snapshots with SysInspector, and build a perfect set of device control rules. Not you? Maybe look elsewhere.
Very good protection against malicious and fraudulent sites
Omits some common suite components
Relatively expensive
When other antiviruses lose the battle with malware, experts turn to Malwarebytes to clean up the mess. At the premium level, Malwarebytes aced our hands-on malware protection test and also earned a perfect score from one testing lab. As the name suggests, Malwarebytes Ultimate goes beyond mere antivirus, with an integrated VPN, personal data removal, and a full-powered identity theft protection service.
This isn’t your typical security suite. It doesn’t include a firewall (though it will help you manage Windows Firewall). It doesn’t bother with parental control or spam filtering, features not everyone needs. And that can be just fine for many users.
Your antivirus protects data on your computer, and using a VPN keeps that data safe while it travels the unruly internet. Identity theft protection keeps you safe even if hackers try to take over your identity. If that sounds like just what you need, without the distraction of other security elements, take a look at Malwarebytes Ultimate.
Your subscription has been confirmed. Keep an eye on your inbox!
The Best Security Suites for 2025 Compare Specs
Buying Guide: The Best Security Suites for 2025
Basic vs. Advanced Security Suites
Most security companies offer at least three levels of security programs, including a standalone antivirus utility, an entry-level security suite, and an advanced suite with additional features and enhancements. Entry-level suites typically include antivirus, firewall, antispam, and parental control. The advanced “mega-suite” often adds a backup component and some form of system tune-up utility, and some also add password management, a VPN, or other security extras.
When a new or updated security line comes out, we start by reviewing the antivirus. In our review of the entry-level suite, we summarize results from the antivirus review and dig deeper into the suite-specific features. For a mega-suite review, we focus on the advanced features, referring to the entry-level suite review for features shared by both. Your choice of a basic or advanced security suite depends entirely on what features matter to you and what you’re willing to pay for them.
The suites we’ve rounded up here aim to protect consumers. You can use any of them in a small business, but you may need to switch to a software-as-a-service (SaaS) endpoint protection system as your company grows. This type of service lets an administrator monitor and manage security for all the company’s computers.
Is Windows Defender Good Enough?
Over the years, the Windows Defender program built into Windows 10 and 11 has evolved into Microsoft Defender Antivirus. In addition to antivirus protection, it manages Windows Firewall and other Windows security features. It doesn’t truly qualify as a suite; it’s just an antivirus that manages other Windows components. Independent antivirus test scores for Windows Defender have literally come in below zero in the distant past, but its scores have been steadily improving. You can still get better overall protection from the best third-party free antivirus utilities, but Windows Defender is looking better all the time. Even so, it can’t begin to replace a full-scale security suite.
Security Suites Fight Malware, Adware, and Spyware
Malware protection is the heart of a security suite; without an antivirus component, there’s no suite. Naturally, you want a suite whose antivirus is effective. When evaluating an antivirus, we look for high marks from the independent antivirus testing labs. The fact that the labs consider an antivirus important enough to test is a vote of confidence. The very best antivirus utilities get high ratings from many labs. All of our top picks have high scores from at least two labs.
We also perform our own hands-on testing. For one test, we use a relatively static set of malware samples that we replace once per year. We note how the antivirus reacts when we try to launch those samples and score it on how well it protects the test system. For another, we try to download new malicious files from URLs no more than a few days old. Lab test results, our own test results, and other aspects like ease of use go into our antivirus rating.
What Do You Want in a Firewall?
A typical personal firewall offers protection in two main areas. First, it monitors all network traffic to prevent inappropriate access from outside the network. Second, it monitors running applications to ensure they don’t misuse your network connection. The built-in Windows Firewall handles monitoring traffic but doesn’t include program control. A few security suites skip the firewall component, figuring Windows Firewall already does the most essential firewall tasks.
The last thing you want is a firewall that bombards you with incomprehensible queries about online activity. Program PoleznyyIdiot.exe wants to connect with IP address 212.192.156.38 on port 443. Allow or Block? Incoming or outgoing? Once, or always? Plastic or paper? Modern firewalls cut down on these queries by automatically configuring permissions for known programs. The very best also handle unknown programs by monitoring them closely for signs of improper network activity and other suspicious behaviors.
Providers Mostly Handle Spam Filtering
These days, most of us hardly ever see spam messages in our inboxes because our email providers filter them out. If you don’t get this service from your provider, it can be hard to even find your valid mail amid all the offers of male enhancements and free cryptocurrency drops.
If your provider doesn’t squelch spam, choosing a suite with built-in spam filtering is smart. Look for one that integrates with your email client. Client integration lets it divert spam into a dedicated folder and sometimes lets you train the spam filter by flagging any spam messages that got through or, worse, valid messages that wound up in the spam pile.
Prevent Phishing and Protect Your Privacy
The best antivirus in the world can’t help you if a fraudulent website tricks you into giving away your security credentials. Phishing sites masquerade as bank sites, auction sites, and even online dating sites. When you enter your username and password, your account is instantly compromised. Some clever frauds pass along your credentials to the real site to avoid raising suspicions. You can learn to avoid phishing scams, but having some backup from your security suite is important when you’re not as alert. We test phishing protection using real-world fraudulent sites scraped from the internet.
Steering users away from phishing sites helps protect privacy, but that’s not the only way suites can keep your private information out of the wrong hands. Some offer specific protection for user-defined sensitive data, credit cards, bank accounts, and that sort of thing. Any attempt to transmit sensitive data from your computer sets off an alarm. Other spyware protection techniques include foiling keyloggers, preventing misuse of your webcam, and supplying a hardened browser that lets you do online banking in an environment isolated from other processes.
Content Filtering and Parental Control
We don’t penalize a suite for omitting parental control. Not everyone has kids, and not every parent feels comfortable controlling and monitoring their children’s computer use. In fact, we don’t even recommend buying a third-party parental control utility, not when Apple, Google, and Microsoft offer such services at no cost. Even so, if a suite puts forth parental control as one of its components, it had better work properly.
Blocking inappropriate websites and controlling how much time the child spends on the internet (or on the computer) are the core components of a parental control system. Some suites add advanced features like instant message monitoring, limiting games based on ESRB ratings, and tracking the child’s location. Others can’t even manage the basics successfully.
A VPN Protects Your Communications
Local antivirus and security suites protect your data and documents, but their protection doesn’t extend to your internet communications. A virtual private network, or VPN, secures your internet traffic and can hide your IP address and location from snoops. Most VPN companies have just one product, but more and more security suite companies have ventured into the VPN realm.
Often, though, you don’t get full VPN protection as part of your suite. Some install a free edition or a free trial. Others offer a link that sends you online to subscribe. Avast One, Norton 360, McAfee+, and Malwarebytes Ultimate are exceptions, offering VPN protection without such limits.
Will a Security Suite Slow Down My PC?
One big reason to use a security suite rather than a collection of individual utilities is that the integrated suite can do its tasks using fewer processes and a smaller chunk of your system’s resources. However, hardly any modern suites have an appreciable effect on performance.
In the past, we’ve run some simple performance tests, timing three common system actions with and without the installed suite, averaging many runs of each test. One test measured system boot time, another moved and copied a large collection of files between drives, and a third would zip and unzip that same file collection repeatedly. After years of spending time on these tests only to find little to no effect on performance, we’ve retired this test.
Do I Need Backup and Tune-Up Utilities?
In a sense, having a backup of all your files is the ultimate security. Even if a sample of asteroid dust goes astray and destroys your computer, you can still restore it from a backup. And if ransomware gets past your antivirus, you can restore from backup after eliminating the attacker.
Recommended by Our Editors
Some companies reserve backup for their mega-suite offering, while others include it in the entry-level suite. Read our reviews carefully, as backup capabilities vary wildly. At the low end, some companies give you nothing you couldn’t get for free from IDrive or another online backup service. At the high end, you might get 25GB, 50GB, or even more online storage hosted by the company, possibly paired with the separate ability to make local backups.
Tuning up your system performance has no direct connection with security unless it counteracts the security suite’s performance drag. However, tune-up components often include privacy-related features such as clearing traces of browsing history, wiping out temporary files, and deleting lists of recently used documents.
What Can I Do About Identity Theft?
No software solution can guarantee that malefactors won’t capture and misuse your personal information. What they can do is alert you when they find evidence that your data has been compromised, so you can head off full-scale identity theft. This kind of dark web monitoring is becoming more common.
If the worst happens and your identity is thoroughly stolen, you can get help. McAfee+ includes identity theft remediation at its two higher pricing tiers, and Norton offers suites that include LifeLock identity protection. The top-level suites Avast One Platinum, Bitdefender Ultimate, and ESET Home Security Ultimate enhance device-level security with identity theft remediation and a no-limits VPN. Malwarebytes Ultimate also adds VPN and identity protection. All of these will assign a caseworker to help you recover and spend what it takes to remediate the problem, typically a million dollars or more.
Do Suites Provide Mac, Android, and iOS Security?
Windows still dominates the desktop, but many households include Macs as well. Cross-platform multi-device suites give you one source of protection for all your devices. Typically, you don’t get as many features on macOS. In fact, most companies just offer a Mac antivirus, not a full suite. Be sure to take advantage of the option to protect your Macs. They’re not immune to malware.
Android devices are ubiquitous, and the Android platform isn’t locked down like iOS. Even if you stay away from third-party app stores and refrain from jailbreaking your device, you can still get hit with Trojans, ransomware, and other Android malware. Smart users protect their devices with an Android antivirus. Most Android antivirus utilities include antitheft features such as locating, locking, or wiping a lost or stolen device. Some include bonus features like blocking unwanted calls or warning when you connect to an insecure Wi-Fi network.
As for iPhones and other iOS devices, Apple’s built-in security makes life tough for malware coders and antivirus writers alike. Many cross-platform suites simply skip iOS; those that don’t typically offer a seriously stripped-down experience. Given the platform’s intrinsic security, it rarely makes sense to expend one of your licenses installing protection on an iPhone.
People use VPNs for different security and privacy reasons, to access content anonymously, or to bypass content controls and age verification by pretending to be in different places. But not all VPNs are created equal. A recent report has revealed that many of them might allow others to sniff your data—and they’re not being honest about who’s behind them.
The report, called Hidden Links: Analyzing Secret Families of VPN Apps, comes from researchers at the University of Toronto’s Citizen Lab, and Arizona State University. It warns that several Android VPN apps for sale via the Google Play Store have security flaws that allow others to snoop on their traffic. They’re also deceiving users about their ownership, warns the report:
“The providers appear to be owned and operated by a Chinese company and have gone to great lengths to hide this fact from their 700+ million combined user bases.”
The researchers looked at the 100 most-downloaded VPNs and took the half of them that were not US-based. Then they scanned websites, business filings, and the VPN apps’ source code to try and find links between them. Using a combination of data points found in these resources, they found common software libraries, technical infrastructure, and business details that allowed them to group the VPN apps into three families.
Family A contained eight VPN applications linked to providers Innovative Connecting, Autumn Breeze, and Lemon Clove. These apps all shared some common security flaws. These included a hard-coded key used to create a password for Shadowsocks, a service designed to circumnavigate the Chinese government’s digital censorship system. This flaw enables anyone to decrypt communications sent using these apps.
From the report:
“On many of the VPNs we analyzed, a network eavesdropper between the VPN client and VPN server can use the hard-coded Shadowsocks password to decrypt all communications for all clients using the apps.”
Just as worrying is the undisclosed collection of user location data by these apps, even though the providers’ privacy policies claim that they don’t do this. They request the zip code of the user’s public IP from ip-api.com and upload it to a database, the researchers said.
The Tech Transparency Project has previously connected three providers responsible for these apps with Chinese cybersecurity firm Qihoo 360, which the US has sanctioned for its connections to the Peoples’ Liberation Army.
Family B consisted of six providers, who between them are responsible for apps including Global VPN, XY VPN, and Super Z VPN, all of which use the same VPN servers. They had hard-coded passwords for Shadowsocks, too. In general, the researchers warn against using apps that rely on Shadowsocks for anonymity. It was designed for getting around China’s censorship system, not maintaining anonymity, they said:
“It was counterintuitive to find deprecated ciphers and hard-coded passwords in these apps, given that they are security-sensitive apps and many of their providers are owned by Qihoo 360, a major chinese cybersecurity firm.”
Family C’s two providers were responsible for VPNs such as Fast Potato VPN and X-VPN, which also had security issues. This family, like the others, was also susceptible to other attacks, including what’s known as a blind in/on-path attack. This lets people manipulate traffic from a device using the app if they’re on the same network.
Why might companies seek to operate multiple VPNs and then hide the fact? The researchers muse that they might be trying to avoid reputational damage if something happens to one VPN. They share code because it’s simply more cost-effective to do so, the report added.
The takeaway here is that plenty of VPNs are not what they seem. That’s worrying, given that the people running the servers that the apps connect to can read all of the traffic—as can others who just reverse-engineer the passwords from the apps. So why doesn’t Google stop it?
One of the big problems is that the relationships between the different app providers are time-intensive to figure out. That makes it hard for the app store operators to automate at scale, the researchers point out. On the other hand, Google make $28.19bn in net profit for Q2 2025 alone, so maybe it could find some spare change down the back of the couch and put some manual investigators on it.
“Google is potentially exposing its brand to reputational damage by hosting and profiting from deceptive and insecure apps like the ones we investigated.”
It’s hard to know which providers to trust online. We suggest you research any security product carefully, and go for a trusted company with a solid reputation. Malwarebytes offers a VPN of our own here.
If you’ve been putting off updating your Android phone, now is the time to do so as Google has released its September 2025 security update which fixes 84 vulnerabilities—including two actively exploited zero-day flaws.
As reported by BleepingComputer, Google claims these two zero-days are currently being used in limited, targeted attacks by hackers. The first zero-day (tracked as CVE-2025-38352) is an elevation of privilege flaw in the Android kernel while the second zero-day (tracked as CVE-2025-48543) is the same type of flaw that exists in the Android Runtime component.
CVE-2025-38352 was first discovered in the Linux kernel back in July and has since been patched. However, we’re now learning that it was actively exploited in Android which is built on Linux. Hackers with the right skills can leverage this flaw to achieve denial of service, privilege escalation and even to crash Android phones that have not yet been updated.
Meanwhile, CVE-2025-48543 impacts the Android Runtime component in Google’s mobile operating system. If exploited, it could allow a malicious app to bypass Android’s sandbox restrictions to access higher-level system capabilities.
The first critical-security vulnerability (tracked as CVE-2025-48539) is a remote code execution flaw in Android’s System component. It can be used by an attacker on the same Wi-Fi network, in Bluetooth range or with physical access to a vulnerable phone to execute arbitrary code on the device without the necessary privileges or any user interaction.
The other critical-severity flaws (tracked as CVE-2025-21450, CVE-2025-21483, and CVE-2025-27034) impact Qualcomm’s proprietary components like its Snapdragon chips which are found in many of the best Android phones. Alongside these bugs, this round of Android security updates includes fixes for 27 vulnerable Qualcomm Components.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
In order to patch all of the issues addressed in this security update, you’re going to want to update your Android phone to security patch level 2025-09-01 or 2025-09-05. This can be done by heading to Settings > System > Software updates > System update and then by tapping on “Check for update.”
Unfortunately though, these fixes are only for users with phones running Android 13-16. For those still on Android 12, it’s recommended that you update to a newer device that still receives security updates. If you’re looking to avoid having to upgrade your phone for some time and want the latest security updates as soon as they become available, then your best bet is investing in one of Google’s own Pixel phones as they are some of the only Android devices that get seven years of operating system and security updates.
How to keep your Android phone safe from hackers
(Image credit: Google)
The most important thing you can do to keep your Android phone safe from hackers is to regularly update your operating system and all of the apps you have installed. However, if your phone is from a manufacturer that doesn’t put out updates that regularly, don’t worry, as there are still a number of steps you can take to secure your device and the sensitive info on it.
To stay safe when downloading new apps, you want to ensure that Google Play Protect is enabled. This free, built-in security app scans all of your existing apps and any new ones you download for malware to help keep you safe from malicious apps.
For extra protection though, you should also consider running one of the best Android antivirus apps alongside it. Not only are they updated more frequently, but many Android antivirus apps include useful extras like access to one of the best VPNs or a password manager to help protect your privacy and your credentials.
From there, it’s just a matter of being extra careful when downloading new apps, but you also want to avoid clicking on links or downloading files from unknown senders via email or text. Sideloading apps is another thing that can put you at risk but like Apple, Google is planning to lock down Android so that you soon won’t be able to do this at all.
Whether it’s your phone, tablet or computer, installing new updates and security patches in a timely manner is the easiest way to stay safe from hackers, especially as they love to target people and devices running outdated software. I know we often consider things like screen size and storage when picking a new phone but security updates and how many years of support you get are two very important things that you should absolutely take into account when shopping for your next Android device.
Follow Tom’s Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
Google has long positioned its Messages app as a cornerstone of modern texting on Android, emphasizing Rich Communication Services (RCS) as a superior alternative to traditional SMS. But for users who root their devices or install custom ROMs, accessing this feature has become increasingly fraught. A recent development suggests Google is preparing to make its stance clearer: instead of allowing RCS chats to fail silently on such modified phones, the company may soon display an explicit error message citing security concerns.
This shift comes amid broader efforts by Google to tighten control over device integrity, ensuring that advanced features like RCS operate only on verified, unmodified hardware. Rooting, which grants users administrative access to alter system files, and custom ROMs, which replace the stock operating system, have been popular among enthusiasts for customization. However, these modifications can introduce vulnerabilities, prompting Google to restrict RCS functionality.
Emerging Transparency in Error Reporting
According to a report from Android Police, published on August 1, 2025, beta versions of Google Messages are testing a new notification that reads, “Your device isn’t secure enough for RCS chats.” This message would appear when users attempt to enable or use RCS on rooted devices, replacing the previous opaque failures where messages reverted to SMS without explanation.
The change aims to reduce user confusion, as many have reported issues without understanding the root cause—pun intended. Industry insiders note that this aligns with Google’s ongoing push for end-to-end encryption in RCS, which demands a secure environment to prevent interception or tampering.
Historical Context of RCS Restrictions
Flash back to early 2024, when reports first surfaced about Google quietly blocking RCS on rooted Android phones. A discussion on Reddit’s r/Android subreddit in March highlighted widespread frustration, with users sharing workarounds like Magisk modules to hide root status. Similarly, Android Authority detailed how Google’s campaign for RCS adoption ironically excluded a segment of its own power users.
These blocks were not arbitrary; they stemmed from Google’s Play Integrity API, which checks for device modifications. As 9to5Google reported in February 2024, unlocked bootloaders and custom ROMs triggered silent RCS denials, forcing fallback to less feature-rich SMS.
Security Imperatives Driving Policy
At the heart of Google’s decision is a commitment to security. RCS, unlike SMS, supports features like read receipts, high-quality media sharing, and encryption, but these require a tamper-proof ecosystem. Rooted devices could potentially expose users to malware or unauthorized access, undermining the protocol’s integrity. A Hacker News thread from March 2024, as captured on Y Combinator’s platform, echoed sentiments about the “war on general computing,” where users lament losing control over their devices.
Google’s approach mirrors broader industry trends, where companies like Apple have long restricted features on jailbroken iPhones. For Android, this means balancing openness with safety, especially as RCS gains traction globally.
Implications for Enthusiasts and the Market
For industry insiders, this evolution signals a maturing Android ecosystem where customization comes at a cost. Enthusiasts who root for ad-blocking or performance tweaks may need to weigh the loss of RCS against their modifications. Workarounds exist, such as spoofing device integrity, but they risk further restrictions as Google refines its detection methods.
Looking ahead, this could push more users toward stock experiences, bolstering Google’s control over messaging. As Android Police noted in a May 2024 piece on nerfed rooting benefits, the incentives for modification are dwindling, potentially reshaping the aftermarket ROM community.
Future Prospects and User Adaptation
Ultimately, Google’s move to explicit error messages may foster better dialogue with users, encouraging feedback on security trade-offs. With RCS now handling over a billion daily chats, as celebrated in a May 2025 Android Police update, the emphasis on secure devices underscores the protocol’s growth.
For rooted users, alternatives like third-party apps or unrooting remain options, but the message is clear: in the quest for seamless, secure communication, modifications may increasingly be sidelined. This policy refinement, while controversial, positions Google to lead in a more fortified messaging era.
Google already dominates the global smartphone market through Android, and now it is taking another step that has many, including myself, concerned. You see, Android powers more than 70 percent of smartphones worldwide, which gives Google unrivaled influence over how billions of people use their devices.
The company announced that starting in 2026, apps installed on certified Android devices, whether through the Play Store, sideloaded APKs, or third-party stores like F-Droid, will need to come from a developer who has gone through Google’s new verification process.
Google frames this as a security measure to protect against fraud and malware. According to its own research, apps from internet sideloading sources are over 50 times more likely to contain malware compared to those on the Play Store. The main idea here is to make it harder for repeat offenders to return under a new identity after being banned.
The irony here is hard to ignore. Despite years of security features baked into Android, sophisticated spyware like Pegasus has still managed to bypass protections and infect devices. It is difficult not to see this as Google tightening its grip on the entire Android ecosystem under the guise of safety.
The rollout begins in October 2025 with early access for some developers, expanding to all developers in March 2026. By September 2026, the requirements will be enforced in Brazil, Indonesia, Singapore, and Thailand. A global rollout is expected from 2027 onward.
The verification process will require developers to register with Google through a dedicated Android Developer Console, built specifically for those distributing outside the Play Store.
A separate dashboard will exist for student and hobbyist developers, but the system still requires sharing personal identifying information like legal name, address, and phone number with Google.
Do you see the problem with this approach?
This change will have major implications for free and open source software. F-Droid and other alternative app stores rely on independent developers, many of whom may be unwilling or unable to provide their personal details to Google.
While sideloading will technically remain possible, the barrier of developer verification means fewer apps will be available outside Google’s control.
In practice, this could turn Google into the effective gatekeeper for all apps on “certified” Android devices, which includes nearly every modern Android phone that hasn’t been rooted, aside from the likes of Huawei.
This will be difficult for competition regulators worldwide to ignore. By requiring all apps on certified Android devices to come from Google-verified developers, the company is not banning sideloading outright, but it is centralizing control over who can distribute apps at scale.
Here’s why you should opt for It’s FOSS Plus Membership:
– Even the biggest players in the Linux world don’t care about desktop Linux users. We do. – We don’t put informational content behind paywall. Your support keeps it open for everyone. Think of it like ‘pay it forward’. – Don’t like ads? With the Plus membership, you get an ad-free reading experience. – When millions of AI-generated content is being published daily, you read and learn from real human Linux users. – It costs just $2 a month, less than the cost of your favorite burger.
Become a Plus Member today and join over 300 people in supporting our work.
People often have a lot of questions for me when they find out I’m a security editor, and one of the most frequent is “what kind of antivirus/security solution should I use?” And, since my household is in need of an antivirus software right now, I thought I’d explain what I’m likely to go with, and why.
In our house right now, we’ve got three computers, two tablets, and three smartphones to cover at the moment, with Windows, Android, iOS, and a Chromebook thrown in there.
That’s a fair amount to juggle, and while I’m a security editor with over two decades of experience working for technology publications, my partner… isn’t. So I need something that’s going to work both for someone who is pretty tech savvy and for someone who is decidedly not.
I haven’t personally tested any antivirus software, but I’ve edited our reviews and I’m not unfamiliar with the in’s and out’s of how our testing procedures work. I looked at our best antivirus software buying guide and some of our reviews, as well as some other online references to think about what would meet our needs best and in the end, I think McAfee + Premium is what will work for us.
Unlimited devices
(Image credit: Tom’s Guide)
One of the best reasons to pick McAfee+ Premium over other antivirus programs is that the package covers unlimited devices, which means that the eight devices I currently need to cover for my household – and any we buy in the future are all covered. Even after the first initial year, that means I’m paying roughly $19/year per device, which isn’t unreasonable.
Features
(Image credit: Tom’s Guide)
Another reason I like McAfee as a choice for my household is both the variety of features, and the features themselves. McAfee + Premium includes two features that every antivirus package should include: a VPN and a password manager. A VPN helps protect our online activities, and the password manager is a must because I know my partner has a tendency to use some insecure password practices otherwise.
We’ve both been caught up in at least a few data breaches, so the identity monitoring is a nice feature to have included. Ditto the personal data cleanup. As a security editor, I’m usually pretty savvy when it comes to current social media and text scams; however, my partner nearly fell for that toll road scam earlier this year, so having that as a feature is appreciated.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Other features I like having included are the file shredder, the feature to identify malicious websites with color coding, and the social media settings that identify where accounts could be better locked down for privacy purposes.
Performance and protection
(Image credit: Tom’s Guide)
In independent testing, McAfee scored 99.96% in March 2025 AV-Comparatives testing and a 6 out of 6 in AV Tests Jan-Feb 2025 report, which is great overall; however, there were also 15 false positives reported in the AV-Comparatives testin,g which is pretty high.
Overall, I can deal with some false positives for a good antivirus performance as well as fast and reliable software. I also liked the multiple scan options, and that there was a full scan mode for every last file.
Interface
(Image credit: Tom’s Guide)
Lastly, the fact that the interface is clean, intuitive, and easy to navigate is a bonus both because I like a nicely designed interface and because my partner is easily frustrated by a bad one and will quickly give up on it, which means I’ll have to spend time sorting it out.
Overall
(Image credit: Tom’s Guide)
Given that there’s also a 24/7 chat and tech support line, there’s a lot that McAfee offers here that serves my household when it comes to antivirus solutions. While there are probably other features I would use if they were offered, there are no features missing here, and I’m still getting all the protection I need for the devices I have. Most importantly, this is a software that can serve my needs as someone with advanced standards while still being functional for someone who wants entry-level involvement.
Follow Tom’s Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
Android 16’s upcoming USB Protection feature enhances security by defaulting new USB connections to charging-only when the device is locked.
This security measure may interfere with fast charging, as many protocols require data negotiation between the phone and the charger to work.
If your phone isn’t fast charging, a simple workaround is to unlock the device and then reconnect the USB cable.
Of all the new features in Android 16, Advanced Protection is one of the most important. It’s a powerful toggle that activates numerous security features across the operating system and in compatible apps, shielding high-risk users from intrusions and sensitive data leaks. With a single tap, it enables over a dozen features, with more planned for future updates.
Later this year, Advanced Protection will add a feature called USB Protection, designed to guard against malicious USB devices. There’s one caveat, though: It may not work correctly with your phone’s fast charging capabilities. Fortunately, there’s a simple workaround.
According to Google, the USB Protection feature “prevent[s] physical attacks attempting to exploit the USB port by defaulting to charging only for any new USB connection while the device is locked.” By disabling data access at a hardware level, this feature stops USB-based attacks that exploit vulnerabilities in the device’s USB stack or attempt to brute-force the lock screen. Once the user unlocks their device, USB data access is restored, allowing them to use any peripheral.
If you plug in a USB device while your phone is locked, however, you’ll have to unlock it and then reconnect the peripheral to get it working. We already knew this would be the case when we reported on the feature earlier this year. What we didn’t know at the time, though, was that this behavior would also affect fast charging, at least in some cases.
In the latest Android Canary release, we noticed that Google has enabled the USB Protection feature and also tweaked its implementation. For instance, the notification that appears when you plug in a USB device while your phone is locked has been reworded and now includes a “silence” button to snooze it until you restart.
Mishaal Rahman / Android Authority
While digging through the build for other changes, we spotted new text strings that explicitly state you may need to unlock and reconnect your device for fast charging:
Code
<string name="usb_apm_usb_plugged_in_when_locked_low_power_charge_notification_text">Unlock device for fast charging and data transferring</string>
<string name="usb_apm_usb_plugged_in_when_locked_low_power_charge_replug_notification_text">You may need to unlock and reconnect your device for fast charging and data transferring</string>
<string name="usb_apm_usb_plugged_in_for_power_brick_notification_text">Unlock device for fast charging</string>
<string name="usb_apm_usb_plugged_in_for_power_brick_replug_notification_text">You may need to unlock and reconnect your device for fast charging</string>
While it’s not entirely clear why this happens, it could be a consequence of how fast charging protocols like USB Power Delivery work. To prevent damage, these protocols require a data-based negotiation between the charger and your phone to determine the correct voltage to use. USB-PD uses two dedicated lines called configuration channels for this process. Although these lines aren’t used for general data signaling, Advanced Protection might still disable them out of an abundance of caution.
When I tested this on my Pixel 8 Pro, however, I didn’t notice any difference in charging speed when I plugged it in while locked versus unlocked. I got the same speeds from several USB-PD chargers in both scenarios, and I never saw a warning about needing to replug my device. This could be because USB-PD isn’t affected or because the fast charging warning simply isn’t implemented yet. It’s possible this issue only affects proprietary fast charging protocols that use traditional USB data lines, but it’s too early to say for sure.
In any case, it’s clear that Advanced Protection’s new USB Protection feature will affect fast charging in some situations. The good news is that the workaround is simple: If you see the warning, just unlock your device and reconnect the charger.
Since this feature is live in the latest Canary release, it will likely debut in Android 16’s second quarterly platform release (QPR2). That release is scheduled for December, which lines up with Google’s promise to add USB Protection to the Advanced Protection suite later this year.
Thank you for being part of our community. Read our Comment Policy before posting.
