Mobile Menace Monday: Implications of Google Play Protect

Mobile Menace Monday: Implications of Google Play Protect

Along with the recent release of Google’s new OS, Android 8.0 Oreo, they also released a new security suite known as Google Play Protect. As blogged about in July in Play Protect: Android’s new security system is now available, this new suite has been available since mid-May.

To reiterate

As noted in our July blog, the new Find My Phone does exactly what the name implies. You can also lock the phone remotely, display a message on the phone, call the phone through a browser, or even erase all the data on the phone with this feature. I personally hope this will help alleviate the use of shady monitoring apps. There is also Google’s Safe Browsing that stops you before you proceed to an unsafe site via Chrome. This feature has been around for a while.

50 billion apps, oh my!

Of most interest is Google’s security suite is its new scanning capabilities. Google boasts it can scan 50 billion apps daily, and uses machine learning to weed out the bad stuff. For quite some time, Google has been vetting apps before allowing them in the Google Play Store. Until now, they had no way to verify that the apps stayed vetted after install. This new capability allows Google to scan apps after installation, as well. Not only does it scan apps installed from Google Play, but it also scans apps installed from third-party sites.

The ability to scan apps after install will aid in detecting apps that are set to hide their malicious activity for a set amount of time or after an update — i.e., a malicious app may wait a week before doing anything malicious to hide its presence from malware researchers and scanners. Google claims that if an app that was once acting safely is suddenly doing something malicious, it will flag it.

This machine learning you talk about…

The use of machine learning to detect malware is far from a new concept. Regarding malware detection, it typically works by pooling things into two groups — a good group and a bad group. It then learns every trait it can about each group. If anything looks out of the ordinary from the good group and/or displays traits from the bad group, it’s flagged.

I can only assume Google is using anything on Google Play, that per Google “undergo rigorous security testing,” to pool in the good group. If the trait of the app changes from when it was verified to get into Google Play — bam, it’s flagged!

Grey is the new black

This all sounds great, but malware authors are already ahead of the curve. We have seen the rise of apps that lie in the “gray” area or better known as Potentially Unwanted Programs (PUPs).  Rather than making obviously malicious (black) apps, malware authors are creating apps that are rather questionable.

Most come in the form of a PUP subcategory known as adware.  Ads aren’t inherently malicious, and many apps from the Google Play Store have ads to keep the apps free. There’s a thin line between a good ad and what we call adware. If the ad behavior starts acting overly aggressive or does something out of line like collecting overly personal information, it’s considered adware.  The uncertainty of whether an ad is good or not can mean adware can slip into Google Play undetected for long periods of time. If my hunch is correct, these apps would also be in the machine learners “good” group if they made it into Google Play.

Clickers, too

Another concern is the more malicious Trojan.Clicker. This malware simply “clicks” on ad websites in the background repeatedly to gain revenue. The simplicity of the code makes it difficult to detect. Malicious clicker apps have been known to slip into Google Play.

Kudos to Google

I, for one, am very happy to see Google taking more steps to keep users safe. Concerning machine learning, the more data you have, the better it will be at detecting. Google has an abundance of data, which gives me high hopes of its abilities.

As a malware researcher, should I start beefing up my resume to find a new field now that Google is on the case? Not likely as malware authors have and always will find ways around detection. The new scanner will indeed help things, but it certainly isn’t a stop-all for mobile malware. Trust me, if I could retire from the mobile malware industry knowing the world is safe to a less stressful job as a goat herder, I would. Until then, stay safe out there.


Nathan Collier


Nathan Collier

Full time mobile malware researcher, part time endurance athlete and world traveler. As nerdy about traveling as he is about mobile malware.