Android’s new real-time app scanning aims to combat malicious sideloaded apps
Android’s in-built security engine Google Play Protect has a new feature that conducts a real-time analysis of an Android app’s code and blocks it from installing the app if it’s considered potentially harmful.
Google announced in October the new real-time app scanning feature built into Google Play Protect that the company says can help catch malicious or fake sideloaded apps installed from outside the app store. These apps will morph their appearance or use AI to alter the apps’ code in a way that helps them avoid detection.
Google said this Play Protect feature now recommends a real-time app scan for any new app that has never been scanned before. This consists of a code analysis that will “extract important signals from the app and send them to the Play Protect backend infrastructure for a code-level evaluation.”
Android’s app store has billions of apps that Google screens for malware, though not always successfully. Many device owners also take to sideloading Android apps, which skirt the app store altogether and its many lines of defense. Sideloading remains a popular feature for Android users, even if it means having to trust that the app they are installing is not malicious.
One of the key reasons for Google to introduce its enhanced real-time code-level scanning feature is to counter the proliferation of predatory loan apps. These apps have resulted in the harassment of users, leading in some cases to victims taking their own lives. Bad actors gain access to user data, including contacts and photos, which are used to bully users. TechCrunch extensively covered the impact of predatory loan apps on Indian users. Google also said it took down over 3,500 such apps in the year for violating its policy requirements. Attackers still find ways to target their victims.
“Our policies are making it tougher for predatory apps to be listed on the Play Store. But the bad actors are inventive, and they are finding new ways to trick people and that is why we take additional measures,” said Saikat Mitra, Google’s head of trust and safety for APAC at the Google for India event in New Delhi last month, while announcing the update to Play Protect.
Google initially launched the Play Protect update in India, with plans to soon expand internationally. TechCrunch tried the feature out for ourselves by loading a phone with a variety of malicious and bad apps to see what would make it through.
We tried to install more than 30 different malicious apps, from stalkerware and spyware to predatory loan apps and fake ripoffs of popular apps. Google Play Protect blocked nearly all of the malicious apps with warnings like, “Apps from unknown developers can sometimes be unsafe,” and “This app tries to spy on your personal data, such as SMS messages, photos, audio recordings, or call history,” or, “This app is fake.” A handful of recently created predatory loan apps, however, were successfully installed.
To test out the scope of the Play Protect update, we used a Pixel 7a with a fresh install of Android 14 with the updated Google Play Store featuring real-time code-level scanning.
We began the testing on the Pixel 7a by trying to install various spyware apps that have rebranded or been cloned, or otherwise had code changes that would attempt to evade detection. (We’re not naming or linking to the apps given their malicious nature.) Commercial surveillance apps, like stalkerware or spouseware, are typically surreptitiously installed by someone with physical access to a person’s phone, often a spouse or domestic partner. These spyware apps silently and continually upload the contents of the person’s phone, including messages, photos, and real-time location data, and present a major security and privacy risk to the people whose phones are compromised.
Play Protect intervened each time we tried to install spyware and stalkerware. The feature blocked the apps from installing, labeling the apps “harmful.”
We also picked a handful of predatory loan apps that were disguised as popular Android apps. These loan apps upload the device’s contact list to a server under the guise of fraud prevention, and loan agents can use this access to send threatening and intimidating messages and calls to their contacts. The landing page of one of the predatory loan apps resembled a regular Google Play listing, but required the user to download and manually sideload the app from outside the app store.
The Play Protect update did not restrict five predatory loan apps from installing at the time of our testing.
We also tried to install a couple of apps that appear to be fake versions of other popular apps listed on Google Play. The apps we tested are similarly named and feature near-identical designs and user experiences, but are clearly underdeveloped knock-offs. One of the fake apps imitated a popular game and the other masqueraded as a widely used VPN app.
Play Protect allowed these two apps to be installed, though it’s unclear for what purpose the fake apps were initially developed.
“With this recent enhancement, we’re adding real-time scanning at the code-level to Google Play Protect to combat novel malicious apps, regardless of if the app was downloaded from Google Play or elsewhere,” said Google spokesperson Scott Westover in an email to TechCrunch when reached for comment. “These capabilities will continue to evolve and improve over time, as Google Play Protect collects and analyzes new types of threats facing the Android ecosystem.”
Sideloading allows the freedom to install any Android app but not without risk. Faced with an ongoing deluge of apps that quickly change their appearance and code, Google’s new real-time app scanning feature is an important last line of defense for billions of users and bound to only improve over time.