I’ve written a lot about Android security over the years — and more often than not, it’s the same ol’ story time and time again:
A company that sells mobile security software finds some theoretical threat — something that (a) hasn’t affected any actual users in the real world and (b) couldn’t affect any actual users in the real world, outside of a highly improbable scenario in which all native security measures are disabled and the user goes out of his way to download a questionable-looking app from some shady porn forum.
Those critical points then become footnotes in a fear-inducing narrative, complete with a carefully crafted memorable name for the Big, Bad Virus™ and a strongly worded reminder about how only such-and-such security software can possibly keep you safe.
It’s an effective form of marketing — that’s for damn sure. But it’s also about as sensational as can be.
If you’ve read this column for long, you know about the long-standing realities of Android security and why these sorts of highly publicized hype campaigns are generally best taken with a grain of salt. Lately, though, we’ve seen a handful of genuine malware situations that don’t fall into that same category of silliness — things like the headline-making WireX botnet, in which a few hundred internet-traffic-generating apps made their way into the Play Store and onto users’ devices, or the more recent phony WhatsApp incident, in which an app pretended to be WhatsApp and then just served up ads to anyone who installed it.
Those were both the real deal, and the native Google Play Protect security system absolutely failed to recognize the breaches and stop them before they affected a fair number of Android device owners. Even if the level of direct harm to end-users was ultimately pretty minimal — basically just having their devices send out web traffic or show some stupid ads, behaviors that’d stop as soon as the offending app was uninstalled — these types of programs clearly have no place in the Play Store and shouldn’t be getting past Google’s gates.
You know what, though? There’s still no reason to panic. And, as I wrote for CSO.com this week, you still don’t need a third-party security app to stay safe. There’s a strong argument, in fact, that installing one is pointless at best — and at worst, could actually be counterproductive to your personal and/or company-oriented interests.
I’ll direct you to CSO for the full context on that point, because there are quite a few layers to it. Here, I want to delve a bit more deeply into what actually happens in a situation like WireX, when Google Play Protect fails, and how such missteps can take place on a practical level — all directly from the perspective of the company that controls the platform.
I had the chance to ask Google’s director of Android security, Adrian Ludwig, about this very area. And while the discussion proved to be a bit superfluous to my main story, I thought it made for an interesting little sidebar that’d be worth sharing here.
Here’s what Ludwig had to say:
On how these types of apps get through the gates and go undetected for as long as they occasionally do, given the layers of protection in place:
“The challenge that all detection technology runs into, inclusive of Google Play Protect, is when we see a completely new family coming from a different environment — especially if [the apps] are on the borderline of behavior that might be considered to be potentially harmful and not quite potentially harmful.”
On the success vs. failure rate:
“Most of the time when we see those variations, our automated systems are able to detect them and take action on them very quickly. In fact, the improvements that we’ve been making in machine learning over the past six months to a year have been primarily focused on — and very effective at — finding new variations on existing families.”
And on the perception of successes vs. failures:
“We have an extraordinarily high bar in terms of the expectations of what [our] protections will provide, which is being able to scan all the applications, being able to discover every potential bad behavior, and never making a mistake — and we come very, very close to that. Our goal is to get to a point where there’s fewer than one in a million apps that make it through Google Play Protect that represent a risk to the user. We’re not there yet, but we’re well above 99.9% in terms of our ability to detect things, and we’re continuing to get stronger.”
On the challenges of detecting patterns that don’t immediately raise red flags:
“It’s not necessarily a type of app we’ve seen in the past. It might [involve] relatively low-risk abusive ads, for example, or [something that] makes network connections that are not obviously harmful but that on further inspection, we’re able to track down and see that there’s an issue.”
And how working with partners, as in the WireX investigation, can be crucial to the discovery process:
“They have visibility a lot of times to what’s happening on the server side of some of these malware networks, and so sometimes it’s only in partnership with the data they have through their installations in those environments that the actual bad behavior is visible. On the Android side, there’s [sometimes] nothing about the traffic that is obviously harmful to the user.”
Finally, on the curious timing of Android malware publicity campaigns:
“Certainly by the time there’s publicity around one of these [malware] families, it’s already gonna have been cleaned up — so the publicity around the families tends to be a way to draw attention to security vendors and the products that they make available. By the time something becomes public, Google Play Protect already has rolled out its protections, [and] the applications have been taken down and removed.”