Google Data Shows Tiny Fraction of Android Devices Run Malicious Apps

The newer the version of Android you have running on your phone, the less likely you are to have a potentially harmful app on it, new data from Google shows.

In a new transparency report on Android security, Google said that just 0.06 percent of the devices running Android 9, also known as Pie, have PHAs loaded on them. By way of comparison, devices running the previous version, known as Oreo, had a PHA rate of 0.14 percent, and Nougat devices have a PHA rate of 0.25 percent.

Google uses a rather broad definition for PHAs, and doesn’t limit it just to malware or other explicitly malicious applications.

“Apps classified as Potentially Harmful Applications overlaps mostly with the common understanding of malware but with some exceptions. Potentially Harmful Applications include but is not limited to click fraud, ransomware, spyware, and trojan apps as well as apps that attempt to install backdoors, conduct billing fraud, or execute a denial-of-service attack,” Google said by way of explanation for PHAs.

“Android leverages a combination of machine and human intelligence to identify these apps and keep our users safe. Automated systems detect and classify Potentially Harmful Applications and compare behavior to make meaningful connections across billions of data points.”

The new transparency report is the first one that Google has released solely with data on Android device security. The company plans to update the statistics every quarter. While Google's data shows that devices running newer versions of Android are safer, users have little control over the software update process on most Android devices. Carriers and device manufacturers control much of that ecosystem, and users have to wait for carriers to push updates to their devices.

Among the major takeaways from the Android report is that not only do devices running later versions of the operating system have fewer PHAs, but so do devices that only load apps from the Google Play store. The report shows that 0.09 percent of devices that only run Play apps have PHAs on them, while 0.61 percent of devices that also run apps from third-party locations have PHAs.

Like Apple, Google has several layers of security checks for both the developers who submit apps to the Play store and the apps themselves. The company scans all the apps for malicious or undocumented behaviors, as well as other indicators. Google also has a mechanism called Play Protect that periodically scans Android devices for PHAs and can remove them from affected devices automatically.

“Google Play Protect is designed to detect PHAs that are installed from any source — whether they come from Google Play or not — so it is important that our systems analyze and understand as many apps as possible. All apps in Google Play undergo a review before publication,” Google said in its report.

“Similarly, to ensure we protect all users, Google crawls the public web and collects and scans apps that are not published on Play. These apps are also scanned with the same engine that protects Google Play, and the sites that distribute those apps are added to the Safe Browsing API blacklist. Browsers including Chrome use the API to provide warnings to users visiting such sites.”

The on-device protections apply to all of the apps on a device, but the Play store protections don’t extend to apps that users load from third-party app stores or other locations. Users typically have little or no visibility into an app’s developer, reputation, or security. Sideloading is more prevalent outside the United States, especially in countries where access to the Internet is tightly controlled. In Russia, for example, 0.27 percent of Android devices have PHAs on them.