Security is always an important discussion on Android. If you stick to the Play Store, odds are you won’t run into issues, but some apps aren’t available through Google’s official portal. Rather, they have to be sideloaded as APKs, and that’s where holes open up.
In trying to close some of those holes, Google added a feature to its package of Android services a while back. When sideloading an APK, “Verify Apps” runs a check to see if it’s malicious. However, this measure isn’t perfect. In some cases, an unsafe app would make its way around the feature and disable it.
When that occurs, there are two possible scenarios, as Google details in a blog post. Either that phone has stopped working for a normal reason, like the user upgrading their device and powering down the old one, or a malicious app has deactivated the service.
A device that has stopped checking in with Verify Apps is considered DOI (dead or insecure). By checking to see how many users have downloaded a specific app and then had their device go DOI, Google can, along with other methods, determine if that app is causing the issue. If so, the company can mark that app as a “PHA” or potentially harmful application. That, in turn, can help protect other Android users downloading the same application.
On the other hand, Google determines if an app is safe by measuring “retention.” In this case, that means the Verify Apps feature continued working after the app was installed. By using the formula below to find the app’s “Z-score”, Google can determine whether the app is safe or a PHA.
If the app has an extremely poor Z-score, Google can immediately classify it as a PHA and use Verify Apps to kill existing installs and prevent future installations. Apps with more reasonable scores undergo further investigation.
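The retention scoring and triage described above, as an added example that is not code from Google or from this article. It assumes a standard binomial z-score of an app's retention against fleet-wide retention (the page does not show Google's formula); the thresholds, minimum sample size, function names and app data are all constructed.

```python
import math
from typing import NamedTuple, Optional

# Assumed cut-offs; the article gives no numeric thresholds.
BLOCK_Z = -10.0     # "extremely poor" score: classify as PHA immediately
REVIEW_Z = -3.0     # clearly below baseline: send for further investigation
MIN_INSTALLS = 100  # below this the normal approximation is unreliable

class AppStats(NamedTuple):
    name: str
    installs: int  # devices that installed the app
    retained: int  # of those, devices still checking in with Verify Apps

def baseline_retention(apps: list[AppStats]) -> float:
    """Fleet-wide probability that a device stays retained after an install."""
    return sum(a.retained for a in apps) / sum(a.installs for a in apps)

def retention_z(installs: int, retained: int, p: float) -> Optional[float]:
    """Binomial z-score of observed retention against baseline p.
    Returns None when the score is undefined or the sample is too small."""
    if installs < MIN_INSTALLS or not 0.0 < p < 1.0:
        return None
    expected = installs * p
    stddev = math.sqrt(installs * p * (1.0 - p))
    return (retained - expected) / stddev

def triage(app: AppStats, p: float) -> str:
    z = retention_z(app.installs, app.retained, p)
    if z is None:
        return "insufficient-data"
    if z <= BLOCK_Z:
        return "block-as-pha"
    if z <= REVIEW_Z:
        return "investigate"
    return "ok"

def triage_all(apps: list[AppStats]) -> dict[str, str]:
    p = baseline_retention(apps)
    return {a.name: triage(a, p) for a in apps}

# Constructed sample data (hypothetical package names and counts).
SAMPLE = [
    AppStats("com.example.notes", 50_000, 47_100),
    AppStats("com.example.flashlight", 20_000, 18_800),
    AppStats("com.example.wallpaper", 10_000, 9_100),
    AppStats("com.example.freegems", 4_000, 2_600),
    AppStats("com.example.newapp", 40, 10),
]

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE).items():
        print(f"{name:28} {verdict}")
```

The small-sample guard matters: an app with 40 installs and 10 retained devices looks terrible, but the score is not statistically meaningful, so it is held back rather than blocked.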
Among others, the DOI score flagged many apps in three well-known malware families: Hummingbad, Ghost Push, and Gooligan. Although they behave differently, the DOI scorer flagged over 25,000 apps in these three families of malware because they can degrade the Android experience to such an extent that a non-negligible amount of users factory reset or abandon their devices. This approach provides us with another perspective to discover PHAs and block them before they gain popularity. Without the DOI scorer, many of these apps would have escaped the extra scrutiny of a manual review.