Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analyzed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.
In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps.
Researchers said that depending on different classifications of Android malware, between 10% and 24% of the apps they analyzed could be described as malicious or unwanted applications.
But the researchers focused specifically on the "who-installs-who relationships between installers and child apps" to discover the path malicious apps take to reach user devices.
The research team said it looked at 12 major categories that result in app installations, which included:
Apps installed from the official Play Store
Apps installed from alternative markets (aka third-party app stores),
Apps downloaded via web browsers
Apps installed via commercial PPI (pay-per-install) programs
Apps installed via backup and restore operations
Apps installed from an instant message (IM)
Apps installed via phone theme stores
App installed loaded on disk and installed via the local file manager
Apps installed from file sharing apps
Apps preloaded on the device (bloatware)
Apps installed via mobile device management (MDM) servers (apps installed by enterprises on their employee's devices)
Apps installed via package installers
The results showed that around 67% of the malicious app installs researchers identified came from the Google Play Store.
In a distant second, with 10%, came alternative markets, dispelling a pretty common assumption that most Android malware these days comes from third-party app stores.
But the research team pointted out that despite the large number of malware originating from Google's official app store, the Play Store had a small threat-to-legitimate app install ratio (VDR), with only 0.6%, leading researchers to say that "the Play market defenses against unwanted apps work," even if some apps slipped through the cracks sometimes. However, due to the Play Store sheer size, this slippage ended up dwarfing any other source.
If we are to ignore sheer numbers and take the VDR index as a a primary indicator for maliciousness, the research shows that users are more likely to install malware by downloading it from web pages via their browsers or from alternative markets.
The research, titled "How Did That Get In My Phone? Unwanted App Distribution on Android Devices," is available for download in PDF format and was authored by researchers from NortonLifeLock and the IMDEA Software Institute in Madrid, Spain.
Article updated on November 12 at Google's request to highlight the Play's Store's low VDR index compared to other sources.