Posted by Megan Ruthven, Software Engineer
In Android Security, we're constantly working to better understand how to make
Android devices operate more smoothly and securely. One security solution
included on all devices with Google Play is
Verify apps.
Verify apps checks if there are Potentially Harmful Apps (PHAs) on your device.
If a PHA is found, Verify apps warns the user and enables them to uninstall the
app.
But, sometimes devices stop checking up with Verify apps. This may happen for a
non-security related reason, like buying a new phone, or, it could mean
something more concerning is going on. When a device stops checking up with
Verify apps, it is considered Dead or Insecure (DOI). An app with a high enough
percentage of DOI devices downloading it, is considered a DOI app. We use the
DOI metric, along with the other security systems to help determine if an app is
a PHA to protect Android users. Additionally, when we discover vulnerabilities,
we patch Android devices with our
security update system.
This blog post explores the Android Security team's research to identify the
security-related reasons that devices stop working and prevent it from happening
in the future.
- Flagging DOI Apps
To understand this problem more deeply, the Android Security team correlates app
install attempts and DOI devices to find apps that harm the device in order to
protect our users.
With these factors in mind, we then focus on 'retention'. A device is considered
retained if it continues to perform periodic Verify apps security check ups
after an app download. If it doesn't, it's considered potentially dead or
insecure (DOI). An app's retention rate is the percentage of all retained
devices that downloaded the app in one day. Because retention is a strong
indicator of device health, we work to maximize the ecosystem's retention rate.
Therefore, we use an app DOI scorer, which assumes that all apps should have a
similar device retention rate. If an app's retention rate is a couple of
standard deviations lower than average, the DOI scorer flags it. A common way to
calculate the number of standard deviations from the average is called a
Z-score. The equation for the Z-score is below.
- N = Number of devices that downloaded the app.
- x = Number of retained devices that downloaded the app.
- p = Probability of a device downloading any app will be retained.
In this context, we call the Z-score of an app's retention rate a DOI score. The DOI score indicates an app has a statistically significant lower retention rate if the Z-score is much less than -3.7. This means that if the null hypothesis is true, there is much less than a 0.01% chance the magnitude of the Z-score being as high. In this case, the null hypothesis means the app accidentally correlated with lower retention rate independent of what the app does.
This allows for percolation of extreme apps (with low retention rate and high number of downloads) to the top of the DOI list. From there, we combine the DOI score with other information to determine whether to classify the app as a PHA. We then use Verify apps to remove existing installs of the app and prevent future installs of the app.
Difference between a regular and DOI app download on the same device.
Results in the wild
Among others, the DOI score flagged many apps in three well known malware
families�
Hummingbad,
Ghost
Push, and
Gooligan.
Although they behave differently, the DOI scorer flagged over 25,000 apps in
these three families of malware because they can degrade the Android experience
to such an extent that a non-negligible amount of users factory reset or abandon
their devices. This approach provides us with another perspective to discover
PHAs and block them before they gain popularity. Without the DOI scorer, many of
these apps would have escaped the extra scrutiny of a manual review.
The DOI scorer and all of Android's anti-malware work is one of multiple layers
protecting users and developers on Android. For an overview of Android's
security and transparency efforts, check out
our page.