Google’s crusade against malicious and potentially harmful apps (PHA) in the Android ecosystem is a complex endeavor anchored by its Verify Apps malware scanner and a scoring system that flags potential problems before they multiply.
The system, called Dead or Insecure (DOI), has been effective in curtailing the spread of rooting malware such as Ghost Push and Gooligan, and click-fraud threat Hummingbad.
This week, Google threw back the curtain on the formula behind its scoring system, and explained how it connects the dots between apps and devices that no longer check in with the Verify Apps scanner to determine their potential for harm. Verify Apps is a feature that regularly checks activity on an Android device and alerts users if harmful activity is happening and gives them the opportunity to uninstall the offending app.
There are cases, Google software engineer Megan Ruthven said in a post to Google’s The Keyword blog, where devices legitimately do stop checking in with Verify Apps.
“This may happen for a non-security related reason, like buying a new phone, or, it could mean something more concerning is going on,” Ruthven said. “When a device stops checking up with Verify apps, it is considered Dead or Insecure (DOI). An app with a high enough percentage of DOI devices downloading it, is considered a DOI app. We use the DOI metric, along with the other security systems to help determine if an app is a PHA to protect Android users.”
Malware such as Ghost Push or Gooligan, which tries to burrow itself in the device kernel, will turn off Verify Apps, which is on by default. Ruthven said the process starts with an attempt to correlate application installation attempts and devices considered dead or insecure.
“With these factors in mind, we then focus on ‘retention’. A device is considered retained if it continues to perform periodic Verify apps security check ups after an app download. If it doesn’t, it’s considered potentially dead or insecure (DOI),” Ruthven said. “An app’s retention rate is the percentage of all retained devices that downloaded the app in one day. Because retention is a strong indicator of device health, we work to maximize the ecosystem’s retention rate.
“Therefore, we use an app DOI scorer, which assumes that all apps should have a similar device retention rate,” Ruthven said. “If an app’s retention rate is a couple of standard deviations lower than average, the DOI scorer flags it.”
If the app’s DOI score trips a certain threshold, Google says it combines that score with other security data to determine if an app is harmful and, if so, Verify Apps will remove it and prevent it from being installed again. Ruthven said tens of thousands of apps in the Ghost Push, Gooligan and Hummingbad families were flagged in this way.
“Although they behave differently, the DOI scorer flagged over 25,000 apps in these three families of malware because they can degrade the Android experience to such an extent that a non-negligible amount of users factory reset or abandon their devices,” Ruthven said. “This approach provides us with another perspective to discover PHAs and block them before they gain popularity. Without the DOI scorer, many of these apps would have escaped the extra scrutiny of a manual review.”
