How Google fights Android malware
Video: Five top improvements in Google Android 8.1
Security
If you just read the headlines, it sounds like Android is a security mess. There's a report about one Android malware program after another. What's not said is that often these Android viruses require a user to be a sucker to get them. But since a sucker is born every minute, Google does its best to stop malware in its tracks.
How does Google do this? Google's VP and head of security, Dave Kleidermacher, and Google Play's product manager, Andrew Ahn, explained in a blog post: "While the majority of developers have their audience's best interest at heart, some bad apps and malicious developers do attempt to evade detection and enter the Play Store to put people and their devices in harm's way."
Read also: This Android malware mimics Uber to steal your login and password
A major reason for this is the "massive scale and the global reach of Google Play make the platform a target for bad actors," according to Google. To combat them, Google said it deploys "teams of engineers, policy experts, product managers, and operations professionals who constantly monitor the store and incorporate feedback from the user community to protect people from misleading, inappropriate, or harmful apps."
So, what does that mean? In 2017, Google reported it "took down more than 700,000 apps that violated the Google Play policies, 70 percent more than the apps taken down in 2016. Not only did we remove more bad apps, we were able to identify and action against them earlier. In fact, 99 percent of apps with abusive contents were identified and rejected before anyone could install them."
Google claimed it was able to do this "through significant improvements in our ability to detect abusive app content and behaviors -- such as impersonation, inappropriate content, or malware -- through new machine learning models and techniques." In addition, "We've also developed new detection models and techniques that can identify repeat offenders and abusive developer networks at scale. This resulted in taking down of 100,000 bad developers in 2017, and made it more difficult for bad actors to create new accounts and attempt to publish yet another set of bad apps."
In other words, Google made it much harder for repeat offenders to push malware into the Play Store. Specifically, Google strengthened Android Play Store in the following areas:
Read also: This crypto-mining Android malware is so demanding it burst a smartphone
Copycats
Attempting to deceive users by impersonating famous apps is one of the most common violations. Famous titles get a lot of search traffic for particular keywords, so the bad actors try to amass installs leveraging such traffic. They do this by trying to sneak in impersonating apps to the Play Store through deceptive methods such as using confusable unicode characters or hiding impersonating app icons in a different locale. In 2017, Google took down more than a quarter of a million of impersonating apps.
Read also: Android security: Sneaky three-stage malware found in Google Play store
Inappropriate content
Google doesn't allow apps that contain or promote inappropriate content, such as pornography, extreme violence, hate, and illegal activities. The improved machine-learning models sift through massive amounts of incoming app submissions and flag them for potential violations. This helps the human reviewers in effectively detecting and enforcing on the problematic apps. Tens of thousands of apps with inappropriate content were taken down last year as a result of such improved detection methods.
Read also: BankBot Android malware sneaks into the Google Play Store - for the third time
Potentially Harmful Applications (PHAs)
PHAs are a type of malware that can harm people or their devices -- e.g., apps that conduct SMS fraud, act as trojans, or phishing user's information. While small in volume, PHAs pose a threat to Android users and Google invested heavily in keeping them out of the Play Store. Finding these bad apps is non-trivial as the malicious developers go the extra mile to make their app look as legitimate as possible. With the launch of Google Play Protect in 2017, Google reduced the rate of PHA installs by an order of magnitude compared to 2016.
Google Play Protect took several security measures that were already present in Android and improved them. These are malware scanning, application monitoring for rogue behavior, the ability to remotely locate, lock, and optionally wipe your device, and warnings about dodgy sites, which try to feed you malware or trick you out of personal information.
When it fails, and it will fail sometimes, Google's director of Android security, Adrian Ludwig, explained to ComputerWorld's J.R. Raphael: "The challenge that all detection technology runs into, inclusive of Google Play Protect, is when we see a completely new family coming from a different environment -- especially if [the apps] are on the borderline of behavior that might be considered to be potentially harmful and not quite potentially harmful." For example, no one's been able to use the Meltdown and Spectre security holes in malware... yet. When it does happen, these attacks will be hard to detect.
Still, Google's Play Store protection isn't perfect. "Despite the new and enhanced detection capabilities that led to a record-high takedowns of bad apps and malicious developers, we know a few still manage to evade and trick our layers of defense. We take these extremely seriously, and will continue to innovate our capabilities to better detect and protect against abusive apps and the malicious actors behind them. We are committed to make Google Play the most trusted and safe app store in the world," Kleidermacher and Ahn wrote.
So, is Android perfectly secure from malicious programs? Heck no! The battle against malware is never-ending and bad programs will make it through sometimes. But, Google is trying its best to make Android and its applications as safe as possible.