Google Play Protect adds real-time scanning to fight Android malware


Google has announced new, real-time scanning features for Google Play Protect that make it harder for malicious apps employing polymorphism to evade detection.

This represents a significant step toward enhancing safety for all Android users and aims to decrease malware infections on the platform.

Real-time code scans

Google’s Play Protect platform is Android’s built-in protection system for performing on-device scans for unwanted software and malware, powered by data derived from 125 billion daily scans.

The tool works for apps downloaded from Google Play, Android’s official app store, and APKs (Android packages) downloaded from external sources and third-party app stores.

When Play Protect detects something suspicious on an app, it warns users not to proceed with its installation.

Warning on Play Protect
Warning on Play Protect (Google)

The problem is that authors of malicious apps promoted outside Google Play have resorted to AI and polymorphic malware that frequently alters identifiable information in a malicious program to bypass automated security platforms, making those scans ineffective.

Once the apps are installed on the user’s device, they fetch additional code from an external resource, completing their malicious functionality at the post-check phase where there are no mechanisms to stop them.

To address this gap, Google has now enhanced Play Protect with the ability to perform real-time scanning at the code level and adds a recommendation to perform scans on apps that haven’t been scanned before.

The scanning will extract behavioral signals from the app, sending them to the Play Protect backend infrastructure for an in-depth code-level analysis, returning a result on the app’s safety.

“Our security protections and machine learning algorithms learn from each app submitted to Google for review, and we look at thousands of signals and compare app behavior,” explains Google in a press release.

“Google Play Protect is constantly improving with each identified app, allowing us to strengthen our protections for the entire Android ecosystem.”

It is essential to clarify that these scans do not analyze the software’s source code but rather at the behavior level, as apps are distributed as compiled binaries.

The enhanced Play Protect scanner will leverage static and dynamic analysis, alongside heuristics and machine learning, to identify patterns indicative of malicious activity. The extracted signals from the app serve as key inputs for its AI-driven analysis.

That being said, there might still be some malicious apps that can slip past the new system by adding long delays before malicious code is downloaded or other behavior.

However, the amount of undetected malware should be reduced by this new system, at least until malware authors can adjust their techniques to trick or bypass these scans.

The real-time code-level scan on Google Play Protect has already been made available in India and other select countries and will be gradually rolled out worldwide in the upcoming months.

Play Protect is part of Google Play Services, which is regularly updated independently of the device’s Android version and security patch level as long as it’s still supported (Android 11 and later). This allows Google to provide updated malware detections without waiting for the monthly Android release.



Source link