Android has a bit of a malware problem. The open ecosystem’s flexibility also makes it relatively easy for tainted apps to circulate on third-party app stores or malicious websites. Worse still, malware-ridden apps sneak into the official Play Store with disappointing frequency. After grappling with the issue for a decade, Google is calling in some reinforcements.
This week, Google announced a partnership with three antivirus firms—ESET, Lookout, and Zimperium—to create an App Defense Alliance. All three companies have done extensive Android malware research over the years, and have existing relationships with Google to report problems they find. But now they’ll use their scanning and threat detection tools to evaluate new Google Play submissions before the apps go live—with the goal of catching more malware before it hits the Play Store in the first place.
“On the malware side we haven’t really had a way to scale as much as we’ve wanted to scale,” says Dave Kleidermacher, Google’s vice president of Android security and privacy. “What the App Defense Alliance enables us to do is take the open ecosystem approach to the next level. We can share information not just ad hoc, but really integrate engines together at a digital level, so that we can have real-time response, expand the review of these apps, and apply that to making users more protected.”
It’s not often that you hear someone at Google—a company of seemingly limitless size and scope—talk about trouble operating a program at the necessary scale.
Each antivirus vendor in the alliance offers a different approach to scanning app files called binaries for red flags. The companies are looking for anything from trojans, adware, and ransomware to banking malware or even phishing campaigns. ESET’s engine uses a cloud-based repository of known malicious binaries along with pattern analysis and other signals to assess apps. Lookout has a trove of 80 million binaries and app telemetry that it uses to extrapolate potential malicious activity. And Zimperium uses a machine learning engine to build a profile of potentially bad behavior. As a commercial product, Zimperium’s scanner works on the device itself for analysis and remediation rather than relying on the cloud. For Google, the company will essentially give a rapid yes or no on whether apps need to be individually examined for malware.
As Tony Anscombe, ESET’s industry partnerships ambassador puts it, “Being part of a project like this with the Android team allows us to actually start protecting at the source. It’s much better than trying to clean up afterwards.”
Setting up those systems to scan new Google Play submissions wasn’t conceptually difficult—everything runs through a purpose-built application programming interface. The challenge was adapting the scanners to make sure they could handle the firehose of apps that will flow through for analysis—likely many thousands per day. ESET already integrates with Google’s malware-removing Chrome Cleanup tool, and has partnered with Alphabet-owned cybersecurity company Chronicle. But all of the App Defense Alliance member companies said the process to create the necessary infrastructure was extensive, and the early seeds of the alliance started more than two years ago.
“Google narrowed down the vendors that they wanted to engage with and everyone did a pretty elaborate proof of concept to see if there’s any added benefit, and if we find more bad stuff together than either of us is able to independently,” says Lookout CEO Jim Dolce. “We were sharing data over a period of a month—millions of binaries effectively. And the results were very positive.”
It remains to be seen whether the alliance will actually catch significantly more malicious apps before they hit Google Play than the company was flagging on its own. Independent researchers have found that many Android antivirus services aren’t particularly effective at catching malware. And all of the alliance members emphasize that increasing Google Play’s defense will only drive malware authors to get even more creative and aggressive about distributing tainted apps through other means. (Don’t forget that these companies all have malware scanners they want to sell you.) But Google’s Kleidermacher emphasizes that the company is confident that the alliance will make a real difference in protecting Android users.
“When you’re at the massive scale that we have in these platforms, when you can get even 1 percent incremental improvement it matters,” he says.
More companies gaining access to Google Play submissions also raises the possibility that hackers could look for vulnerabilities in the Play Store pipeline itself. But Kleidermacher notes that Google has stringent contracts with all of its vendors that cover not only the analysis load they’ll handle day to day, but how they’ll secure data and use the special API.
“We have an agreement in place and there are expectations on us as providers,” says Jon Paterson, Zimperium’s chief technology officer.
While there are no guarantees that the program will make a dent in the Google Play malware problem, it seems worth a try given that app screening and monitoring are a challenge for even the most stringent app stores, be it Google’s or Apple’s or dedicated government offerings. With 2.5 billion Android devices in the world—and a problem that it hasn’t yet solved on its own—Google doesn’t have much to lose in asking for a little help from its friends.