Google has introduced a number of different layers of security protection for Android devices recently, many of which are invisible to users. One of those protective measures is a scoring system that looks at how often a specific app has been downloaded and how many devices with the app are still checking in with Google’s app-verification system and uses the information to help determine whether the app is potentially malicious.
The system is based on Google’s Verify apps mechanism, which checks Android devices for potentially harmful apps on a regular basis. When devices stop checking with the Verify apps system, Google classifies them as dead or insecure. Devices will often stop contacting the Verify apps system when owners trade them in, lose them, or replace them, but this also will happen when malware is installed and disables the verification mechanism. Google applies the same math to apps, so it will consider apps that have a high percentage of devices that don’t check with the Verify system to be DOI apps.
“With these factors in mind, we then focus on ‘retention’. A device is considered retained if it continues to perform periodic Verify apps security check ups after an app download. If it doesn’t, it’s considered potentially dead or insecure (DOI). An app’s retention rate is the percentage of all retained devices that downloaded the app in one day. Because retention is a strong indicator of device health, we work to maximize the ecosystem’s retention rate,” Megan Ruthven, a software engineer at Google, said in a post explaining the scoring system.
“This approach provides us with another perspective to discover PHAs and block them.”
Google uses a complex formula that includes the number of downloads of a given app, the number of retained devices with that app, and the probability that a device downloading any app will be retained, and calculates a score that gives the company’s engineers more information on whether the retention rate is an indicator of a potentially malicious app. That score isn’t the sole determining factor of whether an app is considered harmful.
But Ruthven said it has been able to catch some apps infected with known Android malware.
“Among others, the DOI score flagged many apps in three well known malware families— Hummingbad, Ghost Push, and Gooligan. Although they behave differently, the DOI scorer flagged over 25,000 apps in these three families of malware because they can degrade the Android experience to such an extent that a non-negligible amount of users factory reset or abandon their devices,” Ruthven said.
“This approach provides us with another perspective to discover PHAs and block them before they gain popularity. Without the DOI scorer, many of these apps would have escaped the extra scrutiny of a manual review.”
The Gooligan malware has been particularly successful in infiltrating Android devices in the last few months. A variant of the Ghost Push malware family, Hooligan is used in a click-fraud operation and gives attackers full access to compromised Android phones. Researchers say it’s been found on more than a million devices.