The technique is based on Android's Verify Apps system. When an app is installed from Google Play, it is checked to make sure it is not malicious. If a potentially harmful app is identified, Verify Apps warns you and tells you to uninstall it.
The problems begin when a device stops talking to the Verify Apps server. Sometimes this happens for innocuous reasons, such as leaving your phone turned off or switching to a new device. It can also be the work of malware that has left the device unusable.
When a phone has not contacted Verify Apps for a while, it is considered Dead or Insecure (DOI). If an app was installed shortly before the device went DOI, Google associates that app with the phone. If an app accumulates enough DOI phones in a short space of time, that raises a flag that the app may be malicious and is knocking handsets offline.
Google uses a statistical test to decide whether an app is likely to be malicious based on the DOI phones associated with it: the question is whether the app has a statistically significant number of DOI devices linked to it, rather than the handful that any app picks up by chance.
The test takes the number of devices that downloaded the app, the number of those devices that are still active afterwards, and the overall probability that any device stays active after installing an app. From these it computes how far the app's retention falls below what the fleet-wide rate would predict. If the resulting score is below a set threshold, the system treats it as a signal that the app may be unsafe.
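As an added illustration that is not Google's code and not part of the original article, the following Python models the pipeline the last three paragraphs describe: devices that have stopped checking in are marked DOI, each recent install on such a device is associated with its app, and every app's retained-device count is compared with what the fleet-wide retention rate would predict. The statistic is a one-proportion z-score, a standard way to test for "a statistically significant number" of failures; the two time windows, the -3.7 cut-off and the fleet data are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import sqrt

# Snapshot time and two windows. Both windows are assumptions for this
# example; the article gives no concrete values.
NOW = datetime(2017, 1, 20, 12, 0)
MAX_SILENCE = timedelta(days=7)    # no check-in for this long -> device is DOI
RECENT_WINDOW = timedelta(days=3)  # install must fall this close before the
                                   # last check-in to be tied to the death


def is_doi(last_checkin, now=NOW, max_silence=MAX_SILENCE):
    """A device that has not checked in for longer than max_silence is DOI."""
    return now - last_checkin > max_silence


def retention_counts(installs, last_checkin, now=NOW):
    """Return {app: [N, x]}: N = installs counted for the app, x = how many of
    those devices are still checking in (retained).

    installs: iterable of (device_id, app, install_time)
    last_checkin: {device_id: time of the device's last check-in}
    An install on a DOI device counts against the app only if it happened
    within RECENT_WINDOW before the last check-in; older installs are not
    associated with the death and are left out of N entirely.
    """
    counts = defaultdict(lambda: [0, 0])
    for device, app, t_install in installs:
        last = last_checkin[device]
        if not is_doi(last, now):
            counts[app][0] += 1
            counts[app][1] += 1          # retained device
        elif last - t_install <= RECENT_WINDOW:
            counts[app][0] += 1          # went DOI shortly after install
    return dict(counts)


def z_score(n, x, p):
    """One-proportion z-score: how far the retained count x sits from the
    n*p expected under the fleet-wide retention probability p."""
    var = n * p * (1 - p)
    if var == 0:
        return 0.0  # nothing to measure against (n == 0 or p in {0, 1})
    return (x - n * p) / sqrt(var)


def doi_scores(installs, last_checkin, now=NOW):
    """Score every app; p is the fleet-wide retention probability."""
    counts = retention_counts(installs, last_checkin, now)
    total_n = sum(n for n, _ in counts.values())
    total_x = sum(x for _, x in counts.values())
    p = total_x / total_n if total_n else 0.0
    return {app: z_score(n, x, p) for app, (n, x) in counts.items()}


def flag_suspicious(scores, threshold=-3.7):
    """Apps whose score is below the threshold, most suspicious first.
    The cut-off is a tunable parameter; -3.7 is an assumed default."""
    return sorted((a for a, z in scores.items() if z < threshold),
                  key=lambda a: scores[a])


def build_sample():
    """Constructed fleet data (not real telemetry)."""
    installs, last_checkin = [], {}
    ten_days_ago = NOW - timedelta(days=10)
    # 100 devices installed a benign app; all checked in six hours ago.
    for i in range(100):
        d = f"dev-benign-{i}"
        installs.append((d, "com.example.benign", ten_days_ago))
        last_checkin[d] = NOW - timedelta(hours=6)
    # 50 devices installed a suspect app; 30 went silent one day later.
    for i in range(50):
        d = f"dev-suspect-{i}"
        installs.append((d, "com.example.suspect", ten_days_ago))
        last_checkin[d] = (ten_days_ago + timedelta(days=1) if i < 30
                           else NOW - timedelta(hours=6))
    # One device installed an app 60 days before going silent: too old to
    # be associated with the death, so it contributes nothing.
    installs.append(("dev-stale", "com.example.stale", NOW - timedelta(days=70)))
    last_checkin["dev-stale"] = NOW - timedelta(days=10)
    return installs, last_checkin


if __name__ == "__main__":
    inst, chk = build_sample()
    scores = doi_scores(inst, chk)
    for app, z in sorted(scores.items(), key=lambda kv: kv[1]):
        print(f"{app:25s} z = {z:+.2f}")
    print("flagged for review:", flag_suspicious(scores))
```

With the constructed fleet the retention probability is 0.8; the benign app scores +5.0 and the suspect app, which kept only 20 of 50 devices, scores about -7.07 and is the only one flagged. The statistic also explains why a single dead phone is not enough: one install with zero retained devices scores only -2.0 at that retention rate, well above the cut-off, so noise from phones switched off or replaced does not flag an app on its own.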
The apps are then ranked, and the most suspicious go through further checks, including human review. If an app is confirmed malicious, Verify Apps can remove it from phones automatically.
The system is a relatively straightforward way of identifying malicious apps in the wild. In essence, Google works on a basic principle of cause and effect: if a phone appears to die shortly after installing a new app, the two events may be related. By monitoring millions of phones, patterns emerge that let potentially harmful apps be discovered.
The scoring system has already flagged over 25,000 apps based on the HummingBad, Ghost Push and Gooligan malware families. This malware leaves Android unusable and forces users to reset their device, so the phone stops talking to Verify Apps and the apps responsible accumulate DOI devices.
Google said the technique is just one of many it uses to keep Android users safe. Manual review remains an important part of its toolset, helping ensure that apps which do not contain malware are not flagged as false positives. Using Verify Apps to monitor the effect of app installations draws attention to apps that would otherwise be overlooked, helping Google's human reviewers keep the Play Store clean.
