Silence is golden: How Google hunts Android malware in the wild
When mobes and gadgets stop verifying app installations, you're gonna have a bad time
To determine whether a mobile app is potentially harmful, Google listens for the sound of silence.
Android devices that support Google Play include a security mechanism called Verify Apps, which takes the form of a setting in a device's Settings app.
Verify Apps sends Google anonymized data when users install apps from outside Google Play – to say nothing of the data available from apps installed through Google Play.
"Verify Apps checks if there are potentially harmful apps (PHAs) on your device," said Megan Ruthven in a post to the Android developer blog on Tuesday. "If a PHA is found, Verify Apps warns the user and enables them [sic] to uninstall the app."
Determining whether an app qualifies as potentially harmful requires data, and one of the things Google measures to make that determination is whether devices that have downloaded the app in question have stopped invoking the Verify Apps mechanism.
Such devices are designated Dead or Insecure (DOI) by Google's security team. DOI devices are excluded when calculating an app's retention rate, the percentage of devices using Verify Apps – retained devices – that downloaded the app in one day.
Google considers this figure a fairly reliable yardstick for assessing the health of a device and uses it, in conjunction with other data, to determine whether to classify an app as a PHA.
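The DOI scoring described above, reduced to its mechanics, as an added example that is not Google's code and not part of the original article. It assumes a fixed silence window (`DOI_SILENCE_DAYS`) after which a device that has stopped checking in with Verify Apps counts as DOI, reads retention rate as the share of an app's one-day installers that remained retained, and flags an app when that rate falls well below the population-wide retained share; the device records, package names and margin are constructed for illustration.

```python
from datetime import date

# Constructed snapshot (not data from the article): when each device last
# checked in with Verify Apps, and which app each device installed on one day.
AS_OF = date(2017, 2, 1)   # constructed reference date for the snapshot
DOI_SILENCE_DAYS = 7       # assumption: days of silence before a device is DOI
FLAG_MARGIN = 0.2          # assumption: how far below baseline an app must fall

# device_id -> date of last Verify Apps check-in (constructed)
LAST_CHECKIN = {
    "dev-01": date(2017, 1, 31),
    "dev-02": date(2017, 2, 1),
    "dev-03": date(2017, 1, 10),   # silent for weeks
    "dev-04": date(2017, 1, 12),
    "dev-05": date(2017, 1, 30),
    "dev-06": date(2017, 1, 5),
    "dev-07": date(2017, 1, 31),
    "dev-08": date(2017, 2, 1),
}

# (device_id, package) installs observed on one day (constructed)
INSTALLS = [
    ("dev-01", "com.example.flashlight"),
    ("dev-02", "com.example.flashlight"),
    ("dev-05", "com.example.flashlight"),
    ("dev-07", "com.example.flashlight"),
    ("dev-03", "com.example.suspicious"),
    ("dev-04", "com.example.suspicious"),
    ("dev-06", "com.example.suspicious"),
    ("dev-08", "com.example.suspicious"),
]


def is_doi(last_checkin, as_of=AS_OF, silence_days=DOI_SILENCE_DAYS):
    """A device is Dead or Insecure once Verify Apps has been silent too long."""
    return (as_of - last_checkin).days > silence_days


def doi_devices(last_checkin=LAST_CHECKIN, as_of=AS_OF):
    """Set of device ids that have gone silent (the 'sound of silence')."""
    return {dev for dev, seen in last_checkin.items() if is_doi(seen, as_of)}


def baseline_retained_share(last_checkin=LAST_CHECKIN, as_of=AS_OF):
    """Share of all known devices that are still retained, used as the norm."""
    dead = doi_devices(last_checkin, as_of)
    return (len(last_checkin) - len(dead)) / len(last_checkin)


def retention_rates(installs=INSTALLS, last_checkin=LAST_CHECKIN, as_of=AS_OF):
    """Per app: fraction of its one-day installers that are still retained.

    DOI devices are the ones counted against the app; they drop out of the
    retained numerator, so an app whose installers go silent scores low.
    """
    dead = doi_devices(last_checkin, as_of)
    installers = {}
    for dev, app in installs:
        installers.setdefault(app, set()).add(dev)
    return {app: len(devs - dead) / len(devs) for app, devs in installers.items()}


def flag_candidates(rates=None, baseline=None, margin=FLAG_MARGIN):
    """Apps whose retention rate sits far below the population baseline.

    The result is a candidate list for further review alongside other
    signals, not a verdict on its own.
    """
    rates = retention_rates() if rates is None else rates
    baseline = baseline_retained_share() if baseline is None else baseline
    return sorted(app for app, rate in rates.items() if rate < baseline - margin)


if __name__ == "__main__":
    print("DOI devices:", sorted(doi_devices()))
    print("baseline retained share:", baseline_retained_share())
    for app, rate in sorted(retention_rates().items()):
        print(f"{app}: retention {rate:.2%}")
    print("PHA candidates:", flag_candidates())
```

With the constructed data, three devices have been silent for longer than the window, every installer of the flashlight app is still retained, and only one of four installers of the second app is, so that app lands on the candidate list while the first does not.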
Ruthven said DOI scoring has helped flag more than 25,000 apps in three known malware families – Ghost Push, Gooligan, and Hummingbad – that degrade the Android experience sufficiently to prompt people to reset or abandon their devices.
The state of Android security looks like a guarantee of perpetual employment. Just over a week ago, Google patched a vulnerability that could have allowed a maliciously configured power charger to compromise Nexus 6 and 6P phones. ®