Android’s new real-time app scanning aims to combat malicious sideloaded apps

Android’s built-in security engine Google Play Protect has a new feature that performs a real-time analysis of an Android app’s code and blocks the installation of the app if it is deemed potentially malicious.

Google announced in October the new real-time app scanning feature built into Google Play Protect, which the company says can help detect malicious or fake sideloaded apps installed from outside the app store. These apps will change their appearance or use AI to change the apps’ code to avoid detection.

Google said this Play Protect feature now recommends a real-time app scan for any new app that has never been scanned before. This consists of a code analysis that “extracts key signals from the app and sends them to the Play Protect backend infrastructure for code-level evaluation.”

The Android app store contains billions of apps that Google screens for malware, but not always successfully. Many device owners also turn to sideloading Android apps, which completely bypass the app store and its many lines of defense. Sideloading remains a popular feature for Android users, even if it means they have to trust that the app they install isn’t malicious.

One of the main reasons for Google to introduce its improved real-time code-level scanning feature is to combat the proliferation of predatory lending apps. These apps have led to harassment of users, which in some cases has led to victims committing suicide. Bad actors gain access to user data, including contacts and photos, which are used to harass users. TechCrunch has extensively covered the impact of predatory lending apps on Indian users. Google also said it has removed more than 3,500 such apps in the past year for violating policy requirements. Attackers still find ways to target their victims.

“Our policies make it harder for predatory apps to get listed on the Play Store. But the bad actors are inventive and finding new ways to deceive people, so we’re taking additional measures,” said Google chief Saikat Mitra. of trust and security for APAC at the Google for India event in New Delhi last month, while announcing the update to Play Protect.

The story continues

Google initially launched the Play Protect update in India, with plans to expand internationally soon. TechCrunch tried out the feature itself by loading a phone with a variety of malicious and bad apps to see what would get through.

We tried installing over thirty different malicious apps, from stalkerware and spyware to predatory lending apps and fake rip-offs of popular apps. Google Play Protect blocked almost all malicious apps with warnings like “Apps from unknown developers can sometimes be unsafe” and “This app is trying to spy on your personal data, such as text messages, photos, audio recordings, or call history,” or “This app is fake.” However, a handful of recently created predatory lending apps were successfully installed.

Screenshots show Google Play Protect’s real-time app scan check to see if an app is malicious. Image credits: Googling

To test the reach of the Play Protect update, we used a Pixel 7a with a fresh install of Android 14 running the updated Google Play Store with real-time code-level scanning.

We started testing on the Pixel 7a by attempting to install several spyware apps that had been rebranded, cloned, or otherwise had code changes that would attempt to evade detection. (We are not naming or linking to the apps due to their malicious nature.) Commercial surveillance apps, such as stalkerware or wifeware, are typically installed covertly by someone with physical access to a person’s phone, often a spouse or partner. These spyware apps silently and continuously upload the contents of the person’s phone, including messages, photos, and real-time location data, posing a major security and privacy risk to the people whose phones are compromised.

Play Protect intervened every time we tried to install spyware and stalkerware. The feature blocked the installation of the apps and labeled the apps as ‘malicious’.

We also picked out a handful of predatory lending apps disguised as popular Android apps. These lending apps upload the device’s contact list to a server under the guise of fraud prevention, and loan agents can use this access to send threatening and harassing messages and calls to their contacts. The landing page of one of the predatory lending apps looked like a regular Google Play listing, but required the user to download the app from outside the app store and manually sideload it.

The Play Protect update did not restrict installation of five predatory lending apps at the time of our testing.

We also tried installing some apps that appear to be fake versions of other popular apps listed on Google Play. The apps we tested share similar names and have nearly identical designs and user experiences, but are clearly underdeveloped knockoffs. One of the fake apps imitated a popular game and the other pretended to be a commonly used VPN app.

Play Protect allowed these two apps to be installed, although it is unclear for what purpose the fake apps were initially developed.

“With this recent improvement, we’re adding real-time code-level scanning to Google Play Protect to combat new malicious apps, whether the app is downloaded from Google Play or elsewhere,” Google spokesperson Scott Westover said in an email to TechCrunch when you are available for comment. “These capabilities will continue to evolve and improve over time, as Google Play Protect collects and analyzes new types of threats facing the Android ecosystem.”

Sideloading offers the freedom to install any Android app, but not without risk. Faced with a constant barrage of apps that are rapidly changing their appearance and code, Google’s new real-time app scanning feature is an important last line of defense for billions of users and will only improve over time.