google verify apps defense (1)

Malware is a topic that critics of Android often like to bring up in discussion, sometimes attaching ominous sounding statistics such as Four Out of Five Malware Menaces Choose Android. Contributing to the atmosphere of distrust, security firms regularly issue reports describing far-reaching security vulnerabilities or malware outbreaks that put the users’ bank accounts and private data at risk.

But in many cases the danger posed by Android malware is greatly exaggerated, and Google has some data to prove it.

Today at the Virus Bulletin security conference in Berlin, Google security researchers Adrian Ludwig, Eric Davis, and Jon Larimer presented a paper called “Android – practical security from the ground up”, where they offer statistics on the spread and effect of Android malware based on data collected by Google from actual users.

Quartz’ Steven Max Patterson attended the conference and was able to capture some very interesting findings.

less than 0.001% of all app installations lead to harmful effects to the user

Google’s researchers estimate that less than 0.001% of all surveyed Android app installations lead to harmful effects to the user. In the slide at the top of this post, the team presented the multiple layers of protection that malware has to bypass to reach its target.

The researchers went on to claim that some of the most intensely publicized malware discoveries from the past have only affected one in a million app installations. In the future, to prevent such “extremely exaggerated” reports Google will share its data with security researchers.

Google was able to gather this data thanks to Verify Apps, the anti-malware service that debuted with Android 4.2 and later moved to Play Services, thus extending to devices running older versions of the OS. 95% of all devices have the Verify Apps service turned on by default, claims Google.

95% of all devices have the Verify Apps service turned on by default

The company collected data on 1.5 billion installations, and found that users went through with the installation of potential harmful applications (PHA) in just 0.12% of cases. Note that the installations include apps downloaded from the Play Store and from alternative sources, as well as apps that were flagged as PHA but are actually harmless.

google verify apps defense (2)

Finally, here’s a breakdown of the types of apps that actually go through Android defenses: 40% are fraudware (for instance, apps that send premium rate SMS), 40% are rooting apps that are not actually malicious, 15% are spyware, and 6% are miscellaneous.

Of course, even a penetration rate of 0.001% can result in many occurrences of malware, when billions of apps are installed every year. And it’s likely that some forms of malware and vulnerabilities are outside of Google’s data collection scope. With that said, this data does put the periodic security scares in a new light.

To finish off with a piece of advice, try to restrain yourself to the Play Store, keep Verify Apps on, and don’t just click through those security warnings.