Google Play Protect, the service that Google uses to scan apps installed on users' phones, is more powerful than previously thought, Google revealed today.
"Play Protect analyzes every app that it can find on the internet," the company said in a blog post that detailed how it uses machine learning to detect malicious apps.
This is a new revelation about how Google Play Protect works. Google launched the service in May 2017 as a replacement for the old Verify Apps system.
According to promotional material released at the time, such as the video above, Google Play Protect was embedded inside the Google Play Store app included with all authorized Android handsets.
When users installed or updated an app, either from the Play Store or from third-party sources, Play Protect would scan that app for signs of malicious behavior, based on a huge set of malicious indicators Google had collected in the past decade.
But today, Google revealed that it also supplements this database of malicious indicators with other data sets. One of these is the result of Google Play Protect scouring the internet for any Android app outside the official Play Store. Google says Play Protect scans these third-party apps for malicious behavior, and then classifies and indexes them in its database.
Google describes the process as follows (PHA stands for Potentially Harmful Application, an internal term that Google uses to describe malicious apps):
"We created a dataset by decomposing each app's APK and extracting PHA signals with deep analysis. We execute various processes on each app to find particular features and behaviors that are relevant to the PHA categories in scope (for example, SMS fraud, phishing, privilege escalation). Static analysis examines the different resources inside an APK file while dynamic analysis checks the behavior of the app when it's actually running. These two approaches complement each other. For example, dynamic analysis requires the execution of the app regardless of how obfuscated its code is (obfuscation hinders static analysis), and static analysis can help detect cloaking attempts in the code that may in practice bypass dynamic analysis-based detection. In the end, this analysis produces information about the app's characteristics, which serve as a fundamental data source for machine learning algorithms."
The end result is that whenever users install one of these non-Play-Store apps, Play Protect will already know about it and can immediately alert them to any malware they might have installed on their devices.
Google says this process has made Google Play Protect a resounding success. According to Google's Android Security 2017 Year In Review report, in 2017, Google Play Protect automatically disabled PHAs from roughly 1 million devices, and its daily scans led to faster identification and removal of approximately 39 million PHAs.