Android Security: Finding Malware (Using DOI Scorer)

Can you protect your Android device WITHOUT third-party Antivirus apps?

  • Yes

    Votes: 3 25.0%
  • No

    Votes: 7 58.3%
  • I don't use Android

    Votes: 2 16.7%

  • Total voters
    12

Ink

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
<beginning of quote>

In Android Security, we're constantly working to better understand how to make Android devices operate more smoothly and securely.

<snip>

This blog post explores the Android Security team's research to identify the security-related reasons that devices stop working and prevent it from happening in the future.

Flagging Dead or Insecure (DOI) Apps

To understand this problem more deeply, the Android Security team correlates app install attempts and DOI devices to find apps that harm the device in order to protect our users.

With these factors in mind, we then focus on 'retention'. A device is considered retained if it continues to perform periodic Verify apps security check ups after an app download. If it doesn't, it's considered potentially dead or insecure (DOI). An app's retention rate is the percentage of all retained devices that downloaded the app in one day. Because retention is a strong indicator of device health, we work to maximize the ecosystem's retention rate.

Therefore, we use an app DOI scorer, which assumes that all apps should have a similar device retention rate. If an app's retention rate is a couple of standard deviations lower than average, the DOI scorer flags it. A common way to calculate the number of standard deviations from the average is called a Z-score. The equation for the Z-score is below.

FindingMalwareGoogleAndroidSecurity01.png


Difference between a regular and DOI app download on the same device.
FindingMalwareGoogleAndroidSecurity02.png

Results in the wild

Among others, the DOI score flagged many apps in three well known malware families— Hummingbad, Ghost Push, and Gooligan. Although they behave differently, the DOI scorer flagged over 25,000 apps in these three families of malware because they can degrade the Android experience to such an extent that a non-negligible amount of users factory reset or abandon their devices. This approach provides us with another perspective to discover PHAs and block them before they gain popularity. Without the DOI scorer, many of these apps would have escaped the extra scrutiny of a manual review.

The DOI scorer and all of Android's anti-malware work is one of multiple layers protecting users and developers on Android.​

<end of quote>

Read Full Blog Post: Silence speaks louder than words when finding malware | Android Developers Blog
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top