Google joins Gang of Four to guard Play Store apps from malware, and maybe not fail so much

The App Defense Alliance posse will scrutinize Android app code before release

Google, after more than a decade of dealing with Android malware, has formed an alliance with three security companies to help it defend its mobile platform.

The Chocolate Factory on Wednesday announced the App Defense Alliance, by which partners ESET, Lookout, and Zimperium will be able to scan Android apps submitted to Google Play prior to approval and distribution.

In a blog post, Dave Kleidermacher, VP of Android Security and Privacy, said the partnership involves integrating Google Play Protect malware detection systems with the scanning engines of its three partners.

"This will generate new app risk intelligence as apps are being queued to publish," said Kleidermacher. "Partners will analyze that dataset and act as another, vital set of eyes prior to an app going live on the Play Store."

Asked why Google needs extra eyes, a company spokesperson said each partner has a unique approach that Google believes will complement its internal tech.

"Google scans each app multiple times before and after publish to the Play Store," a company spokesperson told The Register in an email. "With the App Defense Alliance, we will now consider the union of all detection results, including our own when looking for red flags or bad behavior."

More eyes may help, though Google's efforts in recent years appear to be moving the needle in the right direction. In its 2018 Android Security Report, the company said less than 1 per cent of devices contained potentially harmful applications (PHAs) in 2014 and that figure remained more or less steady through 2018. But the installation rate of PHAs from Google Play declined 31 per cent in 2018 from the year before, if you exclude click-fraud apps, which Google just started tracking last year.

PHAs – a polite term apparently designed to mitigate the risk of being sued for unjust disparagement – include trojans, spyware, phishing, and click-fraud apps. Unwanted software, which refers to apps that gather information without consent but aren't necessarily harmful, is not part of the definition.

According to Google's report, only 0.45 per cent of Android devices running Google Play Protect were found to have PHAs in 2018, down from 0.56 per cent in 2017. That's a 20 per cent year-over-year improvement.

Such small percentages look larger when translated into actual device numbers. Google says there are over 2.5bn Android devices, so 0.45 per cent of that amounts to more than 11 million PHA-afflicted devices.

The App Defense Alliance should help reduce malicious apps in the Google Play Store, but it doesn't directly address Android apps installed from outside of the store, an area where Google nonetheless has been making some progress. Outside of Google Play, PHA installation attempts in 2018 declined by 20 per cent year-on-year, according to the report.

Even so, Christoph Hebeisen, director of security intelligence research at mobile security biz Lookout, suggests that access to Google Play app data will help mobile security for corporate customers, too.

"Google will be sharing app data with its partners, who will scan it and return its results to Google before app approval," Hebeisen told The Register via email. "This early and unique access to app data will inform Lookout ML engines to detect and auto-convict malicious applications targeting the enterprise."

Characteristically, Google remains focused on automated, scalable security measures rather than, say, hiring app reviewers or trying to weed out disreputable devs. The Register asked whether the App Defense Alliance will increase the scrutiny of individual developers for trustworthiness. Google's spokesperson said, "We are not discussing the scope and format of signals shared within the Alliance at this time."

We also inquired about whether the App Defense Alliance will help against code designed to play nice for a few months before going bad.

"All members of the alliance including Google Play Protect inspect app code as well as observed app behavior," Google's spokesperson said.

"While there are no 100 per cent guarantees that any given behavior will be observed when an app is run, but the combination of these techniques has proven powerful in order to find potential issues, whether they execute during testing or not."

Perhaps most importantly, the Alliance does not remove the need for the mobile security software sold by Google's partners. "The App Defense Alliance will help minimize app risks on Google Play, but a mobile threat defense solution is still needed to protect against other mobile risks, such as phishing, or device-based threats and network-based attacks," said Hebeisen. ®
