Google Detects Malicious Apps With Device Checkups

Android DOI Retention

Google’s Verify Apps checkup system isn’t just meant to protect individual users; it also gives Google an indirect way to spot patterns that point to potentially malicious apps in the Play Store. Using Verify Apps, devices check in with Google periodically to get a security checkup. If a device stops checking in, even if the user turned the feature off, it is considered DOI, which stands for dead or insecure. Since malicious apps usually disable this functionality to avoid being found on the next scan, an app in the Play Store that has a lot of devices disable this function after downloading it is flagged for further investigation, which usually involves an APK teardown that reveals malicious functionality.

Since there are reasons a device may become DOI that aren’t necessarily related to security, such as being deactivated and traded up for a new device or a user deciding to stop using Google services in a custom ROM, Google has devised a formula to calculate the average number of devices that go DOI after downloading any app. An app’s actual DOI count is compared against this universal average, with the difference expressed as a Z-Score, and if the app’s DOI count is found to be significantly higher than the average, it is flagged. According to Google, this approach has been used to find hundreds of apps that contained malware from lineages like Gooligan, HummingBad, and Ghost Push. The method is not foolproof, since by nature it requires some users to be affected by malware before an app is flagged, but it is fairly powerful, and when combined with the Play Store’s other lines of security, it does a good job of letting users download apps from the Play Store with little fear.
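A worked version of this comparison, added here and not Google’s own code: it treats the universal average as the pooled DOI rate across all apps and the Z-Score as the standard one-proportion z-test of each app’s DOI rate against that baseline. The check-in window, the flagging threshold, the minimum-install floor and the sample apps are all assumptions, not values taken from the page.

```python
import math
from dataclasses import dataclass

# Assumed: a device counts as DOI once it has not checked in with
# Verify Apps for this many days (the real cutoff is not stated here).
DOI_WINDOW_DAYS = 30


@dataclass
class AppStats:
    name: str
    downloads: int  # N: devices that installed the app
    doi: int        # devices among those that later went DOI


def count_doi(last_checkin_days_ago, window=DOI_WINDOW_DAYS):
    """Classify devices by days since their last Verify Apps check-in.
    A device that stopped checking in for any reason (opt-out, wiped,
    or silenced by malware) is counted the same way: dead or insecure."""
    return sum(1 for days in last_checkin_days_ago if days > window)


def baseline_doi_rate(apps):
    """p0: pooled DOI rate over all installs, the 'universal average'."""
    return sum(a.doi for a in apps) / sum(a.downloads for a in apps)


def doi_z_score(app, p0):
    """One-proportion z-test of the app's DOI rate p against p0."""
    if app.downloads == 0 or not 0 < p0 < 1:
        return 0.0  # no installs or degenerate baseline: nothing to test
    p = app.doi / app.downloads
    return (p - p0) / math.sqrt(p0 * (1 - p0) / app.downloads)


def flag_apps(apps, threshold=3.7, min_downloads=100):
    """Return (name, z) for apps whose DOI rate is far above baseline."""
    p0 = baseline_doi_rate(apps)
    flagged = []
    for app in apps:
        if app.downloads < min_downloads:
            continue  # too few installs to separate signal from noise
        z = doi_z_score(app, p0)
        if z > threshold:
            flagged.append((app.name, round(z, 2)))
    return flagged


# Constructed sample: three ordinary apps and one whose installs go DOI
# far more often; flashlight-c's DOI count is derived from check-in data.
SAMPLE_APPS = [
    AppStats("keyboard-a", 100_000, 3_000),
    AppStats("weather-b", 50_000, 1_600),
    AppStats("flashlight-c", 2_000, count_doi([5] * 1_800 + [45] * 200)),
    AppStats("tiny-d", 30, 10),  # high rate, but below min_downloads
]
```

Running `flag_apps(SAMPLE_APPS)` flags only flashlight-c; tiny-d has an even higher DOI rate but is skipped by the install floor, which is the kind of noise guard a real deployment needs.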

While Verify Apps and the Z-Score are some of the most visible lines of protection for the mostly uncurated Play Store, the number of malicious apps in Google’s ecosystem is controlled in other ways too, such as scanning apps before allowing them to reach the storefront. On the device side, Android’s built-in permission system is one of the biggest ways that users are kept safe, along with monthly security patches against exploits and user tools like Android Device Manager, which lets a user locate, lock, and erase a device.