Google Play Protect takes on malicious apps with code-level scanning

Google is enhancing Google Play Protect’s real-time scanning to include code-level scanning, to keep Android devices safe from malicious and unwanted apps, especially those downloaded (or sideloaded) from outside of the Google Play app store – whether from third-party app stores or other sources.

What is Google Play Protect?

Google Play Protect, introduced by Google in 2017, is a security suite for Android devices that protects users’ devices and data from malicious apps.
It does that by:

  • Running a safety check (scan) before the app is downloaded
  • Scanning and warning about harmful apps downloaded from other sources
  • Deactivating or removing harmful apps
  • Warning about Unwanted Software Policy violations
  • Alerting users when an app accesses personal data by getting user permissions
  • Protecting users’ privacy by resetting app permissions for specific Android versions

Scanning sideloaded Android apps at the code level

With the emergence of AI, cybercriminals have been able to build malicious polymorphic apps that can easily evade detection. To address that, Google Play Protect has been enhanced with real-time scanning at the code level.

When downloading an app unknown to Google, users will be presented with a pop-up screen reading “App scan recommended”. If they choose to proceed with the scan and the app is found to be harmful, they will be encouraged not to install it.

Google Play Protect real-time scanning. (Source: Google)

“When a user tries to install an app, Play Protect conducts a real-time check of the app against known harmful or malicious samples that Google Play Protect has cataloged. The app is also checked by on-device machine learning, similarity comparisons and other techniques to confirm if it’s suspicious,” Google explains.

“Google Play Protect also offers new protections for emerging threats that were previously not scanned before. When Play Protect does not recognize any malicious code from the collected samples, it recommends a real-time code-level scan of the app to extract important signals for evaluation by Google. This helps combat novel malicious apps that may have been altered to avoid detection.”

When installing apps from unknown sources, users may be asked to send unknown apps to Google. If the “Improve harmful app detection” setting is turned on, Google Play Protect sends them automatically.

“Our security protections and machine learning algorithms learn from each app submitted to Google for review and we look at thousands of signals and compare app behavior,” Google noted.

Code-level scanning is being rolled out in India and will be expanded to other regions in the coming months.
