Here's How Google Play Scans Your Android Phone
Google runs a system through Google Play on Android devices called Verify Apps. Google's latest Android Security State of the Union (for the year 2014) clarifies what the company is scanning on your phone – both inside Google Play-downloaded apps and in apps you've downloaded elsewhere. Verify Apps scans the Google Play apps on your phone for security risks, and Safety Net provides protection for (and from) apps outside of Google Play. Yes, Google Play is scanning your phone – no, it's not something to freak out about.
Google Play app scanning
Inside your Android smartphone or tablet, if it has Google Play and runs Android 4.2 or later, Verify Apps is hard at work providing you with security services.
This scanning software is searching for Potentially Harmful Applications, also known as PHAs.
Google suggests that a PHA is "any application that can potentially harm the user, their device, or their data."
The first step in this is app scanning before apps are downloaded from Google Play, as part of the application security review process.
"Google's systems use machine learning to see patterns and make connections that humans would not," says Google's 2014 security report on Android. "Google Play analyzes millions of data points, asset nodes, and relationship graphs to build a high-precision security-detection system."
As of 11/1/2014, Google was using fourteen different categories to classify PHAs:
• Generic PHA
• Phishing
• Rooting Malicious
• Ransomware
• Rooting
• SMS Fraud
• Backdoor
• Spyware
• Trojan
• Harmful Site
• Windows Threat
• Non-Android Threat
• WAP Fraud
• Call Fraud
Have you never seen a warning from Google about any of the above? You're not alone. According to Google, "the vast majority of application installs are not classified as potentially harmful, so for most installations, the users of Verify Apps will see nothing displayed at the time of install."
Verify Apps worked with apps downloaded from Google Play on Android devices well before the start of 2014. Starting in 2014, Google extended its scanning software suite with a feature called "Safety Net."
Non-Google Play scanning with Safety Net
Safety Net is part of Verify Apps, providing security scanning for all apps, regardless of source of install. Safety Net also "detects and protects against non app-based security threats such as network attacks."
Above you'll see a chart showing growth in installs checked by Verify Apps in 2014. This includes security checks prior to publication for all apps published to Google Play as well as "millions of installs per day from outside of Google Play."
How often is my device being scanned?
According to Google, "by default, device scans are run approximately once per week." They add that this is only by default, and not always true of every device.
Running once per week, said Google, "initially introduced periodic usage spikes that have been gradually removed by introducing randomness into the schedule for each device."
The chart you see above shows how many millions of devices were scanned through the year 2014. The dip in time in June is due to a test Google ran at the time, during which devices were still protected with Verify Apps at install time.
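The schedule randomisation Google describes can be illustrated with a small simulation. This is an added example, not Google's code: the report does not say how the randomness is generated, so the hash-derived per-device offset, the device ids and the fixed Monday 03:00 slot are all assumptions made for illustration.

```python
import hashlib
from collections import Counter

WEEK_HOURS = 7 * 24  # scans run "approximately once per week"


def fixed_slot(device_id: str) -> int:
    """Naive schedule: every device scans in the same hour of the week."""
    return 3  # constructed value: Monday 03:00


def jittered_slot(device_id: str) -> int:
    """Assumed scheme: a stable per-device offset taken from a hash of its id."""
    digest = hashlib.sha256(device_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % WEEK_HOURS


def hourly_load(device_ids, slot_fn):
    """Number of scans that land in each hour of the week."""
    load = Counter(slot_fn(d) for d in device_ids)
    return [load.get(hour, 0) for hour in range(WEEK_HOURS)]


def peak_to_mean(load):
    """How much worse the busiest hour is than a perfectly flat schedule."""
    mean = sum(load) / len(load)
    return max(load) / mean


def simulate(n_devices=50_000):
    """Compare the backend load spike for both schedules."""
    ids = [f"device-{i}" for i in range(n_devices)]  # constructed device ids
    return {
        "fixed": peak_to_mean(hourly_load(ids, fixed_slot)),
        "jittered": peak_to_mean(hourly_load(ids, jittered_slot)),
    }


if __name__ == "__main__":
    for name, ratio in simulate().items():
        print(f"{name:9s} peak/mean load = {ratio:.2f}")
```

Every device is still scanned exactly once per week in both schedules; only the busiest hour changes, which is the usage spike the report says was removed.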
What data is being collected?
Google suggests that Verify Apps "only collects data needed to provide and improve device security." Limited in nature, that is.
Continuing that thought, Google says that Verify Apps "does not access any personal information, nor does it check the physical location of the device."
Scans at Install doesn't check physical location, but it does check "locale." Locale information is used by Google to provide correct language and language characteristics to users for app warnings.
This data also allows Google to make fun charts like the one you see above. Look at all the data without numbers!
Why have I not heard of this before?
Because security isn't exciting. Because it'd be crazy to make a blog dedicated to Android security alone. Because when a good security system is doing its job correctly, you don't even realize it's there.
We've got reports like this one from April of 2014 when Google first added continuous Android app scans in Verify Apps – but again, it's none too exciting for the general public.
How do I turn scanning off?
After all that, you want to turn it off? You silly goose. Lucky you, Google appears to be all about options still, so if you feel so inclined, you can do the following:
1. Open Google Settings – hit the app shortcut button or access through your pull-down options menu.
2. Tap "Security."
3. Tap the on/off button for "Scan device for security threats."
4. Good luck.
NOTE: If you're using a non-Nexus phone (most of you), you might see the option appear as "Verify apps: Block or warn before installing" – or something similar.
If you do choose to turn this option off, let us know why. We'd love to have a chat about it!