Google Reveals How It Finds Malware When Your Device Isn't Verifying Apps

On the Android platform, every app goes through a verification process in which Google analyses it for viruses and malware using its security service, Verify Apps. As standard procedure, Verify Apps actively scans the device for Potentially Harmful Apps (PHAs), but what happens when it stops working? There can be a number of reasons, and Google has explained them, along with how it uses several methods to identify the security-related reasons behind a device no longer verifying apps.
On its Developers blog on Tuesday, Google detailed what it does when a device stops checking in with Verify Apps for security verification of its apps. There can be non-security reasons, such as the user buying a new phone, but for the more concerning security-related reasons Google steps in to determine the exact cause. According to Google, a device that stops checking in with Verify Apps falls into the category of Dead or Insecure (DOI) devices.
"An app with a high enough percentage of DOI devices downloading it is considered a DOI app. We use the DOI metric, along with the other security systems to help determine if an app is a PHA to protect Android users," reads the blog, which further explains how Google distinguishes between potentially insecure apps and devices. Additionally, when Google discovers any vulnerabilities, a patch for Android devices is released through its security update system.
Flagging a DOI app comes down to a mathematical score that decides whether a particular app is DOI or not. To protect users, the Android Security team correlates app install attempts with DOI devices to find the apps that harm devices. If a device keeps reporting app installs and their verification through Verify Apps, it is said to be 'retained' and is considered safe. If a device stops doing so, it is considered potentially dead or insecure (DOI).
Google says that 'an app's retention rate is the percentage of all retained devices that downloaded the app in one day.' Treating retention as a strong indicator of device health, Google tries to maximise it wherever it can. To do so, Google runs a DOI scorer, which starts from the assumption that all apps should have a similar device retention rate.

Google's formula for the DOI score uses the following quantities: Z is the DOI score, N is the number of devices that downloaded the app, x is the number of retained devices that downloaded the app, and p is the probability that a device downloading any app will be retained.
In Google's words, "If an app's retention rate is a couple of standard deviations lower than average, the DOI scorer flags it." It further explains that "the DOI score indicates an app has a statistically significant lower retention rate if the Z-score is much less than -3.7. This means that if the null hypothesis is true, there is much less than a 0.01% chance of the magnitude of the Z-score being as high. In this case, the null hypothesis means the app accidentally correlated with lower retention rate independent of what the app does."
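As an added example, not part of the article or of Google's own code, here is a small Python implementation of a DOI scorer as the article describes it. The page does not reproduce Google's formula, so the code assumes the standard one-proportion z-score, Z = (x - pN) / sqrt(N p (1 - p)), which matches the variables defined above (N downloads, x retained, p the baseline retention probability), and it estimates p by pooling every app's counts, following the stated assumption that all apps should retain devices at a similar rate. Apps whose Z falls below -3.7 are flagged and the list is sorted so offenders come first. The app names and counts are constructed.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

# Threshold quoted in the article: Z much less than -3.7 is statistically significant.
DOI_THRESHOLD = -3.7


@dataclass
class AppStats:
    """One day's download counts for a single app (constructed sample data)."""
    name: str
    downloads: int  # N: devices that downloaded the app
    retained: int   # x: of those, devices that kept checking in with Verify Apps


def baseline_retention(apps: List[AppStats]) -> float:
    """Estimate p, the probability that a device downloading any app is retained.

    Assumption: pooling all apps is a reasonable baseline because all apps are
    expected to have a similar retention rate (the scorer's stated premise).
    """
    total_n = sum(a.downloads for a in apps)
    total_x = sum(a.retained for a in apps)
    if total_n == 0:
        raise ValueError("no downloads in sample")
    return total_x / total_n


def doi_score(n: int, x: int, p: float) -> float:
    """One-proportion z-score (assumed formula): (x - pN) / sqrt(N p (1 - p)).

    A negative Z means fewer devices were retained than the baseline predicts.
    Degenerate inputs (no downloads, or p at 0 or 1) carry no evidence, so they
    score 0.0 rather than dividing by zero.
    """
    if n == 0 or p <= 0.0 or p >= 1.0:
        return 0.0
    expected = p * n
    std_dev = math.sqrt(n * p * (1.0 - p))
    return (x - expected) / std_dev


def rank_apps(apps: List[AppStats],
              threshold: float = DOI_THRESHOLD) -> Tuple[List[Tuple[str, float]], List[str]]:
    """Score every app, order by Z ascending (worst first), and list flagged names."""
    p = baseline_retention(apps)
    scored = [(a.name, doi_score(a.downloads, a.retained, p)) for a in apps]
    scored.sort(key=lambda item: item[1])
    flagged = [name for name, z in scored if z < threshold]
    return scored, flagged


# Constructed sample: three ordinary apps and one whose devices stop checking in.
SAMPLE_APPS = [
    AppStats("weather_widget", downloads=10000, retained=9900),
    AppStats("flashlight", downloads=5000, retained=4950),
    AppStats("suspicious_app", downloads=1000, retained=900),
    AppStats("keyboard_theme", downloads=4000, retained=3960),
]


if __name__ == "__main__":
    ranked, flagged = rank_apps(SAMPLE_APPS)
    print(f"baseline retention p = {baseline_retention(SAMPLE_APPS):.4f}")
    for name, z in ranked:
        mark = "FLAGGED" if z < DOI_THRESHOLD else ""
        print(f"{name:16s} Z = {z:8.2f} {mark}")
```

Two points worth noticing when running it: an app with only a handful of downloads cannot reach a large negative Z even if every device goes dead, because the standard deviation term keeps the score small, so the scorer naturally needs volume before it flags anything; and because p is pooled from all apps, one very popular bad app would drag the baseline down and make itself look less anomalous, which is one reason the article stresses that the DOI metric is used alongside Google's other security systems rather than on its own.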
Once DOI scores are calculated, Google brings the offending apps to the top of the DOI list. It then uses Verify Apps to remove existing installs of the app and prevent future installs. The company adds that it has used this method to identify apps that contained the Hummingbad, Ghost Push, and Gooligan malware. Affected devices are usually factory reset or permanently abandoned. This helps Google to discover PHAs and block them before they go on a spree to kill further Android devices.
