Google joins Gang of Four to guard Play Store apps from malware, and maybe not fail so much
The App Defense Alliance posse will scrutinize Android app code before release
Google, after more than a decade of dealing with Android malware, has formed an alliance with three security companies to help it defend its mobile platform.
The Chocolate Factory on Wednesday announced the App Defense Alliance, by which partners ESET, Lookout, and Zimperium will be able to scan Android apps submitted to Google Play prior to approval and distribution.
In a blog post, Dave Kleidermacher, VP of Android Security and Privacy, said the partnership involves integrating Google Play Protect malware detection systems with the scanning engines of its three partners.
"This will generate new app risk intelligence as apps are being queued to publish," said Kleidermacher. "Partners will analyze that dataset and act as another, vital set of eyes prior to an app going live on the Play Store."
Asked why Google needs extra eyes, a company spokesperson said each partner has a unique approach that Google believes will complement its internal tech.
"Google scans each app multiple times before and after publish to the Play Store," a company spokesperson told The Register in an email. "With the App Defense Alliance, we will now consider the union of all detection results, including our own when looking for red flags or bad behavior."
More eyes may help, though Google's efforts in recent years appear to be moving the needle in the right direction. In its 2018 Android Security Report, the company said less than 1 per cent of devices contained potentially harmful applications (PHAs) in 2014 and that figure remained more or less steady through 2018. But the installation rate of PHAs from Google Play declined 31 per cent in 2018 from the year before, if you exclude click-fraud apps which Google just started tracking last year.
PHAs – a polite term apparently designed to mitigate the risk of being sued for unjust disparagement – include trojans, spyware, phishing, and click-fraud apps. Unwanted software, which refers to apps that gather information without consent but aren't necessarily harmful, is not part of the definition.
According to Google's report, only 0.45 per cent of Android devices running Google Play Protect were found to have PHAs in 2018, down from 0.56 per cent in 2017. That's a 20 per cent year-over-year improvement.
Such small percentages look larger when translated into actual device numbers. Google says there are over 2.5bn Android devices so 0.45 per cent of that amounts to more than 11 million PHA-afflicted devices.
The App Defense Alliance should help reduce malicious apps in the Google Play Store, but it doesn't directly address Android apps installed from outside of the store, an area where Google nonetheless has been making some progress. Outside of Google Play, PHA installation attempts in 2018 declined by 20 per cent year-on-year, according to the report.
Even so, Christoph Hebeisen, director of security intelligence research at mobile security biz Lookout, suggests that access to Google Play app data will help mobile security for corporate customers, too.
"Google will be sharing app data with its partners, who will scan it and return its results to Google before app approval," Hebeisen told The Register via email. "This early and unique access to app data will inform Lookout ML engines to detect and auto-convict malicious applications targeting the enterprise."
Characteristically, Google remains focused on automated, scalable security measures rather than, say, hiring app reviewers or trying to weed out disreputable devs. The Register asked whether the App Defense Alliance will increase the scrutiny of individual developers for trustworthiness. Google's spokesperson said, "We are not discussing the scope and format of signals shared within the Alliance at this time."
We also inquired about whether the App Defense Alliance will help against code designed to play nice for a few months before going bad.
"All members of the alliance including Google Play Protect inspect app code as well as observed app behavior," Google's spokesperson said.
"While there are no 100 per cent guarantees that any given behavior will be observed when an app is run, but the combination of these techniques has proven powerful in order to find potential issues, whether they execute during testing or not."
Perhaps most importantly, the Alliance does not remove the need for the mobile security software sold by Google's partners. "The App Defense Alliance will help minimize app risks on Google Play, but a mobile threat defense solution is still needed to protect against other mobile risks, such as phishing, or device-based threats and network-based attacks," said Hebeisen. ®