Android

Google has announced new, real-time scanning features for Google Play Protect that make it harder for malicious apps employing polymorphism to evade detection.

This represents a significant step toward enhancing safety for all Android users and aims to decrease malware infections on the platform.

Real-time code scans

Google's Play Protect platform is Android's built-in protection system for performing on-device scans for unwanted software and malware, powered by data derived from 125 billion daily scans.

The tool works for apps downloaded from Google Play, Android's official app store, and APKs (Android packages) downloaded from external sources and third-party app stores.

When Play Protect detects something suspicious on an app, it warns users not to proceed with its installation.

Warning on Play Protect
Warning on Play Protect (Google)

The problem is that authors of malicious apps promoted outside Google Play have resorted to AI and polymorphic malware that frequently alters identifiable information in a malicious program to bypass automated security platforms, making those scans ineffective.

Once the apps are installed on the user's device, they fetch additional code from an external resource, completing their malicious functionality at the post-check phase where there are no mechanisms to stop them.

However, Google told BleepingComputer after publishing that they re-review apps, including collecting signals of dynamic code loading to protect users when this behavior is found.

To address this gap, Google has now enhanced Play Protect with the ability to perform real-time scanning at the code level and adds a recommendation to perform scans on apps that haven't been scanned before.

The scanning will extract signals from the app, sending them to the Play Protect backend infrastructure for an in-depth code-level analysis, returning a result on the app's safety.

"Our security protections and machine learning algorithms learn from each app submitted to Google for review, and we look at thousands of signals and compare app behavior," explains Google in a press release.

"Google Play Protect is constantly improving with each identified app, allowing us to strengthen our protections for the entire Android ecosystem."

The enhanced Play Protect scanner will leverage static analysis, alongside heuristics and machine learning, to identify patterns indicative of malicious activity. The extracted signals from the app serve as key inputs for its AI-driven analysis.

That being said, there might still be some malicious apps that can slip past the new system by adding long delays before malicious code is downloaded or other behavior.

However, the amount of undetected malware should be reduced by this new system, at least until malware authors can adjust their techniques to trick or bypass these scans.

The real-time code-level scan on Google Play Protect has already been made available in India and other select countries and will be gradually rolled out worldwide in the upcoming months.

Play Protect works with and is regularly updated on the majority of Android devices, including Android 5 and later.

This allows the security system to be regularly updated independently of the monthly Android updates release.

Update 10/18/23: Added some clarifications from Google.

Related Articles:

Android 15, Google Play Protect get new anti-malware and anti-fraud features

Google Pixel 6 series phones bricked after factory reset

Chrome for Android tests feature that securely verifies your ID with sites

Google patches exploited Android zero-day on Pixel devices

Google now pays $250,000 for KVM zero-day vulnerabilities