Under one percent of Android devices affected by potentially harmful applications

Devices configured for the Russian or Chinese languages had higher rates of infection

Based on data collected by Google, less than one percent of Android devices had a potentially harmful application installed last year. This includes devices on which users have installed applications from outside the official Google Play store.

The data was collected through a feature called Verify Apps that was first introduced in Android 4.2 back in 2012. The feature, which was also backported to Android 2.3 and higher in 2013, checks locally installed applications for potentially harmful behavior regardless of whether they were downloaded from Google Play or other sources.

Verify Apps initially scanned applications only at installation time, but since March 2014 it also performs background scans, so it can later detect malicious applications that weren't flagged when they were initially installed.

It can detect threats that fall into several categories: Generic PHA (potentially harmful application), Phishing, Rooting Malicious, Ransomware, Rooting, SMS Fraud, Backdoor, Spyware, Trojan, Harmful Site, Windows Threat, NonAndroid Threat, WAP Fraud and Call Fraud.

According to Google's data, the number of devices scanned by Verify Apps has increased steadily since the feature was first introduced, reaching over 200 million devices per day in November 2014.

Prior to October 2014, Verify Apps did not differentiate between devices that only installed apps from Google Play and devices with the "unknown sources" security setting enabled, which allows apps to also be installed from third-party app stores and other sources, an action commonly known as sideloading.

Sideloading is believed to increase the risk of malware infection for Android devices. Unlike third-party app stores, Google Play has automated mechanisms in place to scan and detect potentially harmful apps uploaded by developers, so it's viewed as safer, even though some malicious applications do sometimes make their way into the official store.

"During October 2014, the lowest level of device hygiene was 99.5% and the highest level was 99.65%, so less than 0.5% of devices had a PHA installed (excluding non-malicious Rooting apps)," Google said in a report released Thursday.

On Android, rooting is the process of gaining access to the highest privileged account on the system, called root. This is used by power users to enable advanced functionality that's normally restricted by default, or can be used by malware to escape the Android application sandbox and read data from other apps. So, rooting tools can be both non-malicious and malicious -- usually in the form of exploits.

Devices that have been rooted, intentionally or otherwise, are believed to be at higher risk, so Android's Verify Apps scanner can detect both types of rooting apps.

In October, approximately 0.25% of devices had a non-malicious Rooting application installed, Google said.

Some general statistics in Google's report are based on data collected between November 2013 and November 2014, but those that break down data between devices with Google Play-only apps and those with sideloaded apps only cover a two-week period -- mid-October to Nov. 1.

During those two weeks, potentially harmful applications (excluding non-malicious rooting applications) were detected on 0.7 percent of devices with sideloaded apps and on under 0.1 percent of devices that only had apps from Google Play installed.

Verify Apps doesn't track the physical location of devices, but tracks the language (locale) configured on them. While the locale is not an accurate indication of device location, Google found that locale data generally reflected the expected Android user population across different countries, so it was used to draw some conclusions.

For example, devices with the Russian locale that allowed sideloading were more likely to have a potentially harmful application installed than devices with other locales. Between 3 and 4 percent of Russian devices had a PHA installed, Google said.

Their infection rate was considerably higher than that of devices with any other locale, including Chinese, whose rate was 0.8 percent. That's surprising given that Google Play is not available in China so most devices in the country are configured for sideloading.

Meanwhile, only 0.4 percent of devices that allowed sideloading and were configured with the US English locale had a PHA installed, 0.2 percent under the worldwide average, Google said.

When rooting apps were also taken into account, devices with Chinese locale jumped to the top, with a rate of around 8 percent.

"Chinese devices which install apps from outside of Google Play are more likely to have a non-malicious Rooting application than any other region or type of PHA," Google said. "In fact, there are numerous applications from major Chinese corporations that include rooting exploits to provide functionality that is not provided by the Android API. Some of these Rooting applications explicitly describe that they will use an exploit to root the device, but there are some applications which do not describe this functionality to users."

If we exclude Russia, the worldwide rate of PHA installations from outside Google Play has decreased by almost half between the first quarter and the second quarter of 2014, Google said.


Stories by Lucian Constantin
