Google partners with ESET, Lookout, and Zimperium to improve Play Protect’s detection of malware before it hits the Play Store
The Google Play Store is the central point of app distribution on Google’s Android, enabling thousands of developers to distribute their apps to millions of users around the world. Such a high-traffic channel is also a lucrative one for bad actors looking to propagate their own malware. Google recognized the potential for abuse, and so, at Google I/O 2017, the company announced Google Play Protect as a “comprehensive security service for Android“. Now, Google is leveling up Play Protect with a new collaboration with ESET, Lookout, and Zimperium, called the App Defense Alliance.
Google Play Protect
Google Play Protect consists of two distinct elements. The first part of Play Protect resides within Google Play Services, which puts it on the vast majority of Android devices irrespective of the hardware. This part scans all apps upon installation on the device, irrespective of the source of installation (Play Store or otherwise). The idea here is to warn the user about “Potentially Harmful Apps”, or PHAs. For instance, apps that can change the SELinux status of the device from enforcing to permissive are flagged by Play Protect, which warns you about the danger from such apps and advises you to uninstall the app immediately.
The second element of Play Protect rests within the Google Play Store, which is where this announcement ties in. Whenever a developer submits a new app or an update to an existing app to the Google Play Store, Play Protect scans the app code to check for known malicious behavior. For instance, if an app is using an exploit that Google has identified previously, Play Protect will detect the instance, block the app submission and alert Google.
To detect malicious app behavior, Google employs static analysis and dynamic analysis. Static analysis involves examining the code as compiled, while dynamic analysis involves examining the app’s behavior at runtime. As with everything Google, machine learning also figures into the solution: Google uses it to analyze existing malware code and detect slightly tweaked variations that would otherwise have evaded detection. Machine learning helped detect 60.3% of all PHAs on the Play Store as of March 2018, though the data has not been updated to reflect a more up-to-date picture. Similarly, the Android Security Report of 2018 mentioned that only 0.45% of all Android devices in 2018 installed a PHA, down from 0.56% of all devices in 2017.
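To make the static-analysis side of this concrete, here is a toy scanner added as an example for this article; it is not Google’s or any partner’s code. It represents an app by what a static analyser would extract from compiled code (string constants and an ordered list of API-call tokens) and runs two checks: an exact rule for the article’s SELinux example (an app carrying a `setenforce 0` command), and a bigram Jaccard similarity check against a constructed “known malicious” call sequence, which stands in for the variant detection described above and shows why an exact hash alone misses a lightly tweaked resubmission. The package names, the known sequence and the sample apps are all constructed for illustration.

```python
"""Toy static analyser for app submissions (added example, not Play Protect code).
The known-malicious sequence and all sample apps below are constructed; the
similarity check is a simple heuristic, not Google's ML-based detection."""
import hashlib
from dataclasses import dataclass


@dataclass
class AppArtifact:
    package: str      # constructed package name
    strings: list     # string constants found in the compiled code
    api_calls: list   # API-call tokens in the order they appear


# Rule 1: a string constant that relaxes SELinux enforcement. `setenforce 0`
# is the real command; an app embedding it is treated as a PHA indicator.
SELINUX_PERMISSIVE_MARKERS = ("setenforce 0",)

# Constructed "known malicious" call sequence: read device identifiers,
# upload them, send SMS, and suppress the carrier's reply broadcast.
KNOWN_MALICIOUS_SEQUENCE = [
    "Context.getSystemService",
    "TelephonyManager.getDeviceId",
    "TelephonyManager.getSubscriberId",
    "HttpURLConnection.connect",
    "OutputStream.write",
    "SmsManager.getDefault",
    "SmsManager.sendTextMessage",
    "BroadcastReceiver.abortBroadcast",
]


def exact_hash(tokens):
    """SHA-256 of the call sequence: catches byte-identical resubmissions only."""
    return hashlib.sha256("\n".join(tokens).encode()).hexdigest()


def ngrams(tokens, n=2):
    """Set of adjacent n-token windows: order-sensitive, tolerant of inserts."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a, b):
    """|a & b| / |a | b|, defined as 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def scan(app, known=KNOWN_MALICIOUS_SEQUENCE, threshold=0.5, n=2):
    """Return a verdict dict for one app artifact."""
    findings = []

    # Check 1: exact rule on string constants (the article's SELinux example).
    for s in app.strings:
        if any(marker in s for marker in SELINUX_PERMISSIVE_MARKERS):
            findings.append(f"selinux_permissive: string constant {s!r}")

    # Check 2a: exact hash of the call sequence against the known sample.
    if exact_hash(app.api_calls) == exact_hash(known):
        findings.append("known_malware_exact_match")

    # Check 2b: n-gram similarity, which survives inserted no-op calls.
    score = jaccard(ngrams(app.api_calls, n), ngrams(known, n))
    if score >= threshold and "known_malware_exact_match" not in findings:
        findings.append(f"known_malware_variant: call-sequence similarity {score:.2f}")

    return {
        "package": app.package,
        "similarity": score,
        "findings": findings,
        "verdict": "PHA" if findings else "clean",
    }


# Constructed sample submissions.
BENIGN_APP = AppArtifact(
    "com.example.weather",
    ["https://weather.example/api"],
    ["Context.getSystemService", "LocationManager.getLastKnownLocation",
     "HttpURLConnection.connect", "InputStream.read"],
)

# Same behaviour as the known sample with one logging call inserted: the
# exact hash changes, but 6 of the 9 distinct bigrams are shared (0.67).
VARIANT_APP = AppArtifact(
    "com.example.freegift",
    ["http://c2.example.invalid/upload"],
    KNOWN_MALICIOUS_SEQUENCE[:3] + ["Log.d"] + KNOWN_MALICIOUS_SEQUENCE[3:],
)

SELINUX_APP = AppArtifact(
    "com.example.rootutil",
    ["su", "setenforce 0"],
    ["Runtime.getRuntime", "Runtime.exec"],
)

if __name__ == "__main__":
    for app in (BENIGN_APP, VARIANT_APP, SELINUX_APP):
        print(scan(app))
```

Running the script scans the three constructed apps: the weather app comes back clean, the variant is flagged as a known-malware variant even though its exact hash differs from the known sample, and the root utility is flagged on the SELinux string rule. The threshold and n-gram size are the knobs a real pipeline would tune against false positives, since many benign apps legitimately share short call sequences with malware.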
App Defense Alliance
The App Defense Alliance aims to further bolster Google’s efforts to detect PHAs as they are being uploaded to the Play Store, i.e. under the second element mentioned above. As part of this alliance, Google is integrating its Play Protect detection systems with each partner’s scanning engines, making its malware detection database more comprehensive than before. The partners, namely ESET, Lookout, and Zimperium, will also analyze the dataset and act as another set of eyes before an app goes live on the Play Store.
While the App Defense Alliance is certainly a step that will help consumers in the long run, there will always be figurative “cracks in the wall”. Security is inherently a game of cat and mouse, so the battle between security firms and malware developers will always be about who took the latest step to stay ahead of the other. For instance, even as the App Defense Alliance was being announced, developers discovered that the Play Store accepts cloned versions of banned apps.
[Embedded tweet: Till Kottmann (@deletescape), November 6, 2019]
The Google Play Store has a massive quality problem, and while the focus on security is appreciated, we feel that it is high time that Google also focuses on the quality of apps on the Play Store.