In a new post, Google recounted how it attempted to make two billion Android devices more secure in 2017.
Google Play Protect
Google Play Protect is the built-in anti-malware solution that comes with certified Android devices. Play Protect has been available for many years on Android as the “Verify Apps” service. Google rebranded it to Play Protect in 2017 and pushed it a little more into the foreground in the Play Store app. The reasoning was that this way users can know that Google is working to protect their devices and that they may not necessarily need third-party antivirus applications.
Play Protect reviews more than 50 billion apps every day (this includes reviewing the same app on different devices). More than 60% of all “potentially harmful applications” (PHAs) were caught with machine learning algorithms, according to Google.
However, according to some antivirus reviews, this may not be quite enough. The current state of the art in machine learning still requires a large enough data set for any specific training task. That means it should take some time for the algorithms to “train” themselves against a certain type of malware. Only afterwards will Play Protect be able to detect instances of the same malware family on newly infected devices.
Play Store Still More Secure Than Alternatives
Unlike iOS, Android allows users to install applications from sources other than the Play Store. However, this tends to be risky unless you’re sure you’re downloading an application from a safe source, such as F-Droid, the alternative app store that that provides only open-source applications.
According to Google, devices that downloaded apps exclusively from the Play Store were nine times less likely to be infected with a PHA, compared to devices that downloaded apps from other sources. Google knows this because its Play Protect service also scans applications that are downloaded from other sources, not just the Play Store. Play Protect was also responsible for lowering the number of PHAs from other sources by more than 60%.
Updates have been, and so far continue to be, Android’s biggest security problem. However, Google said that it and its partners have increased the number of devices that received updates by 30% last year.
Google added that no security vulnerability was disclosed without an update being available for the Android platform. However, only a small number of manufacturers update their devices monthly, so most devices likely received those updates many months late, if at all.
New Security Features In Android Oreo
Android Oreo introduced new features such making installing apps from other sources more secure, dropping non-secure network protocols, providing more user control over identifiers, hardening the kernel, and more. The overlay API no longer allows malware makers to take over the screen and block users from dismissing those screens.
Perhaps the biggest security-related feature in Android Oreo was “Project Treble,” which should ultimately bring faster updates to users and potentially more often, too. Treble essentially makes Android more modular so that OEMs don't have to update everything at once with each new update. However, the effect of Treble on security won’t be seen until later this year and beyond, as new phones with Android Oreo and Project Treble are just now starting to come out.
Security Competitions And Rewards
To ensure that the security research community remains interested in finding Android bugs, Google has made its own Pixel smartphone available for the Pwn2Own competition, but no participant was able to break into it.
Other Android devices were hacked, but the exploits didn’t work against the unmodified AOSP source. That means that OEMs tend to make Android less secure than the open source version they get each year, when they add their own customization and modifications to it.
Last year, the Android Rewards program also paid out $1.28 million to security researchers who found bugs in Android devices. Additionally, Google increased the payout for TrustZone and Verified Boot exploits from $50,000 to $200,000, and remote kernel exploits from $30,000 to $150,000. Google also launched the Google Play Security Rewards Program to give researchers a bonus for finding serious security vulnerabilities in Play Store applications.
That still means 40% went through, if you believe Google even knows the full amount of malware delivered through the Play store. That "60%" might only be 20% or 40%.
With as much money as Google has, they could invest a lot more in checking the apps available through the Play store. There have been too many instances of apps that also came with malware payloads, and they should devote a lot more resources to investigating & stopping them.