Google Shares Details on How They Spot Malicious Apps in the Play Store
Google works very hard at keeping malicious applications out of the Play Store and off of your device. They aren’t perfect at this and there are some instances when a malicious app slips through the cracks and is published in Google’s application store. Thankfully, Google will remove them if an issue is brought to their attention, but they’re still constantly scanning and checking applications and games that have already been published in the Play Store.
One of the methods Google uses to check whether an application on your device is safe is its Verify Apps feature. Verify Apps scans an application you want to install from outside of the Play Store, both before and after it is actually installed on your phone, to make sure the application is safe. Verify Apps is baked into the Android OS, but there are instances when a device stops using the feature altogether (which in some cases can be for security reasons, for example when malware disables it).
Google flags devices that are no longer using Verify Apps and considers them to be Dead or Insecure (DOI). If Google then detects that an application from the Play Store is being installed on a high number of DOI devices, that raises a flag. Google marks such an application as a DOI application and combines this metric with its other security signals to decide whether the app needs to be investigated. Google is taking this a step further by checking whether an application is itself the cause of a phone becoming DOI.
For instance, if Google notices that a high number of devices are becoming DOI because they installed a certain application or game from the Play Store, then it makes sense that this would need to be looked into. Using these methods, Google has been able to uncover over 25,000 applications that had been infected by the Hummingbad, Ghost Push, and Gooligan malware.
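The heuristic described above, as an added toy illustration (this is not Google's code): per-app install records are compared against the overall rate at which installing devices go DOI, and apps whose DOI rate is significantly above that baseline are flagged. The sample install records, the binomial z-score test, and the thresholds are assumptions made for the example.

```python
"""Toy DOI scorer: flag apps whose installs land disproportionately on devices
that later stop running Verify Apps. Added illustration, not Google's code;
the z-score test, thresholds and sample data are assumptions."""
from collections import defaultdict
from math import sqrt


def _installs(app, total, dead):
    """Construct `total` install records for `app`; the first `dead` are on devices
    that went DOI (no longer running Verify Apps) after the install."""
    return [(f"{app}-dev{i}", app, i >= dead) for i in range(total)]


# Constructed sample: (device_id, app_id, device_still_running_verify_apps)
SAMPLE_INSTALLS = (
    _installs("com.example.notes", 10, 1)
    + _installs("com.example.weather", 10, 0)
    + _installs("com.example.freegame", 10, 7)
)


def doi_counts(installs):
    """Per-app [installs, installs whose device went DOI]."""
    counts = defaultdict(lambda: [0, 0])
    for _, app, alive in installs:
        counts[app][0] += 1
        if not alive:
            counts[app][1] += 1
    return dict(counts)


def baseline_doi_rate(installs):
    """Fraction of all installs whose device went DOI: the expected rate for any app."""
    dead = sum(1 for _, _, alive in installs if not alive)
    return dead / len(installs)


def doi_z_score(n_installs, n_doi, p):
    """Binomial z-score: standard deviations above the expected DOI count."""
    if n_installs == 0 or p <= 0 or p >= 1:
        return 0.0
    expected = n_installs * p
    return (n_doi - expected) / sqrt(expected * (1 - p))


def flag_doi_apps(installs, z_threshold=2.0, min_installs=5):
    """Return {app: z} for apps whose DOI rate is significantly above baseline."""
    p = baseline_doi_rate(installs)
    flagged = {}
    for app, (n, dead) in doi_counts(installs).items():
        if n < min_installs:
            continue  # too few installs for the score to mean anything
        z = doi_z_score(n, dead, p)
        if z >= z_threshold:
            flagged[app] = round(z, 2)
    return flagged
```

With the sample data, only `com.example.freegame` (7 of 10 installing devices went DOI against a baseline of 8 of 30) is flagged; a real scorer would feed this signal into further review rather than act on it alone.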
Source: Android Developers Blog