A study undertaken by the Department of Computer Science at NC State University on devices running Jelly Bean Android 4.2 indicates that, of 1260 malware samples, only 193 were detected, a low detection rate of 15.32%.
On November 13, 2012, Google announced a new security feature called the “application verification service” to protect Android devices against harmful applications.
At the time, Google stated, “Now, with Jelly Bean Android 4.2 devices that have Google Play installed have the option of using Google as an application verifier. We will check for potentially harmful applications no matter where you are installing them from.”
According to the study, the application verification service is meant to work in the following way:
The new service is implemented inside the official Google Play app, but is designed to work with apps from all app stores, including the official Google Play marketplace and other alternative ones. A user can turn the service on/off by going to “Settings,” “Security,” and then “Verify apps.” When an app is being installed (Step 1), the service, if turned on, will be invoked (Step 2) to collect and send information about the app (e.g., the app name, size, SHA1 value, version, and the URL associated with it) as well as information about the device (e.g., the device ID and IP address) back to the Google cloud (Step 3). After that, the Google cloud will respond with a detection result (Step 4). If the app is not safe, the user is then shown a warning popup (Step 5) flagging the app as either dangerous or potentially dangerous. Dangerous apps are blocked from being installed, while potentially dangerous ones instead alert users and provide an option to either continue or abort the installation (Step 6) with a warning popup. In Figure 1, we show the key steps behind the service.
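The six steps quoted above can be modelled in a few lines. This is an added example, not Google's code or the study's: the verdict labels, field names, the `example.invalid` URL and the stub cloud lookup keyed on SHA1 are assumptions made for illustration, and the package files are constructed sample data.

```python
import hashlib
import os
import tempfile

# Hypothetical labels for the three outcomes the study describes.
SAFE, POTENTIALLY_DANGEROUS, DANGEROUS = "safe", "potentially_dangerous", "dangerous"


def collect_app_info(apk_path, name, version, source_url):
    """Step 2: gather the app metadata the study lists (name, size, SHA1, version, URL)."""
    sha1 = hashlib.sha1()
    with open(apk_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # stream: packages can be large
            sha1.update(chunk)
    return {"name": name, "size": os.path.getsize(apk_path),
            "sha1": sha1.hexdigest(), "version": version, "url": source_url}


def stub_cloud_lookup(app_info, known):
    """Steps 3-4: stand-in for the cloud side. Assumption: 'known' maps SHA1 -> verdict."""
    return known.get(app_info["sha1"], SAFE)


def install_decision(verdict, user_continues=False):
    """Steps 5-6: dangerous is blocked outright; potentially dangerous defers to the user."""
    if verdict == DANGEROUS:
        return False
    if verdict == POTENTIALLY_DANGEROUS:
        return user_continues
    return True


def demo():
    """Run the flow on two constructed package files and return the install decisions."""
    results, infos = {}, {}
    samples = {"flagged.apk": b"constructed sample A", "unknown.apk": b"constructed sample B"}
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in samples.items():
            path = os.path.join(tmp, fname)
            with open(path, "wb") as fh:
                fh.write(body)
            infos[fname] = collect_app_info(path, fname, "1.0", "https://example.invalid/" + fname)
    known = {infos["flagged.apk"]["sha1"]: DANGEROUS}  # constructed verdict list
    for fname, info in infos.items():
        results[fname] = install_decision(stub_cloud_lookup(info, known))
    return results


if __name__ == "__main__":
    print(demo())
```

In this model a package the lookup has no record of is treated as safe and installs, so the outcome depends entirely on what the cloud side already knows.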
The study went on to highlight that other existing third-party anti-virus engines performed much better than Google’s offering.
From the study:
Specifically, we randomly picked up a sample from each malware family and test it with the VirusTotal service (acquired by Google in September 2012). In Table 2, we show the comparison with ten representative anti-virus engines from VirusTotal (i.e., Avast, AVG, TrendMicro, Symantec, BitDefender, ClamAV, F-Secure, Fortinet, Kaspersky, and Kingsoft). Overall, the detection rates of these representative anti-virus engines range from 51.02% to 100% while the detection rate of this new service is 20.41%.