Which platform would a typical IT guy be more on guard against?
While Windows has been known for decades to be a hot pot for all PC malware, Android phones are much more ubiquitous and personalized, and (as far as I know) aren’t hardened against malware in any way. I mean, it literally takes just two taps to install a rogue apk and that is notwithstanding that most OEM implementations and apps on the Play Store are ad-ridden privacy nightmares by themselves. At least when it comes to Windows, Administrators have greater control over client machines and can put in restrictions. How would someone handling infosec in an organization control security on people’s personal phones?
That’s a weird question, you are comparing a desktop OS with a phone OS (unless you are talking about Windows phones, but I don’t think you are?).
All it takes to kill your Windows installation is double-clicking a random .exe file (and being unlucky that Windows doesn’t warn you about this particular file). And nope, if it is a custom program your antivirus won’t detect it either. Every time I hear of a company getting a crypto locker on their systems, it was over a Windows PC (mostly by email). I haven’t heard of your average company getting compromised by a phone yet (but those phones usually don’t have network access to shared drives…).
Android is relatively locked down, a lot more than Windows. Even if someone sends you malware by email, there is no easy way to execute it on your phone. It’s also not true that you can just install a rogue APK in two clicks; you have to do the following steps:
Definitely not something that happens by accident :)
Overall for your average user I’d say Android is safer.
But a rogue app can take everything from your phone - your pictures, emails, contacts, docs… without anyone being the wiser since there is no Administrator oversight. On organization Windows systems the user at least requires Administrator permission to run anything that can pose a risk, but he could do the same on Android without anyone stopping him. Dumb people will love to download and install Google_Pay_mod_Unlimited_money.apk that could scoop up all data (including company emails, Slack, etc. that he is running on his phone) and no one would ever know.
Ever heard of .bat files? There is no need for admin rights to steal company and user data. All it takes is opening the wrong file. Windows is also terrible about file names; by default, extensions are hidden. So you can have a file named “report.pdf.bat” for example and it will show for most users as “report.pdf” with a funny icon. It’s a terrible default setting security-wise.
Btw, you’re still comparing a desktop OS with a phone OS. You have to compare Android with iOS. Or Windows with Linux and macOS.
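The hidden-extension point in the reply above, as an added example that is not part of the thread: a Python check that a mail filter or file-share audit could run over attachment names to flag a document-looking name whose real extension is executable. The extension lists, function names and sample names are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, regardless of the OS this runs on

# Assumed lists for illustration; tune them to your environment.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXEC_EXTS = {".bat", ".cmd", ".exe", ".scr", ".com", ".js", ".vbs", ".ps1", ".lnk"}


def check_name(filename):
    """Classify one file name.

    Returns the name roughly as a user sees it with extensions hidden
    (approximated here as: the last extension is dropped), the real
    extension, and whether the pair looks like 'report.pdf.bat'.
    """
    name = ntpath.basename(filename).strip()
    stem, real_ext = ntpath.splitext(name)
    real_ext = real_ext.lower()
    # Tolerate padding (spaces or dots) between the decoy and real extension.
    _, decoy_ext = ntpath.splitext(stem.rstrip(" ."))
    decoy_ext = decoy_ext.lower()
    return {
        "name": name,
        "shown_as": stem.rstrip(),
        "real_ext": real_ext,
        "deceptive": real_ext in EXEC_EXTS and decoy_ext in DECOY_EXTS,
    }


def flag_deceptive(filenames):
    """Return the names from an iterable that check_name marks deceptive."""
    return [r["name"] for r in map(check_name, filenames) if r["deceptive"]]


# Constructed sample input (not taken from any real incident).
SAMPLE_NAMES = [
    "report.pdf.bat",
    "report.pdf",
    "setup.exe",
    "Invoice.DOCX   .CMD",
    r"C:\Users\a\Downloads\notes.v2.txt",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for hit in flag_deceptive(SAMPLE_NAMES):
        info = check_name(hit)
        print(f"{hit!r} shows as {info['shown_as']!r}, runs as {info['real_ext']}")
```

A plain `setup.exe` is deliberately not flagged: the check targets names that disguise the executable extension, not executables in general.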