Google continues to improve the security and privacy of Android users
Google today released its annual security and privacy report, looking back at 2018. In the report, Google says that it has a three-pronged approach to Android security. It uses layers of security that all work together to protect the operating system and apps. Transparency creates openness and trust, says Google. Taking a shot at the walled gardens of iOS, the report states "closed platforms lead to distrust and a dangerous false sense of security through obscurity." The third part of Android security is called Backed by Google and means that Android is backed by world-class professionals in computer science and security who bring expertise in AI, cloud security, identity management and more.
Android's native defense system, called Google Play Protect, scans all apps on a device looking for Potentially Harmful Applications (PHAs). Google says that last year, only 0.08% of Android devices that exclusively use the Google Play Store to install apps were affected by PHAs. Android devices that sideloaded apps from outside of the Google Play Store were affected by PHAs more than eight times as often, or at a rate of 0.68%. But even those phones with sideloaded apps installed saw 15% fewer issues with malware than seen in 2017. In 2018, Google says that 0.45% of all devices running Google Play Protect had installed a PHA compared to 0.56% the year before. That represents a 20% decline year-over-year, which Google calls an "improvement to the health of the Android ecosystem."
In the five largest Android markets, Google saw PHAs installed at a lower rate year-over-year in three of them (India, Indonesia, Brazil), while one market was flat (Russia) and one had an increase (U.S.). In the biggest market for Android, India, PHA installation declined 35% as 0.65% of all Android devices in the country had a PHA installed. Many of these apps were pre-loaded through the supply chain, and were on affected phones right out of the box. In the U.S., the number of Android devices with a PHA installed rose 25% from 0.4% to 0.5%. Most of the malware in the States ran hidden advertising in the background. This "click fraud" enables those behind these PHAs to collect advertising revenue illegally. Click fraud wasn't considered a PHA by Google before last year.
The inclusion of click fraud as a PHA led to the doubling of the PHA install rate from Google Play to 0.04% in 2018 from 0.02% in 2017. Remove this category from the data and the number of PHAs installed from the Google Play Store actually declined 31% year-over-year. Google Play Protect also blocked 1.6 billion PHA installations from being completed last year outside of the Google Play Store.
As each new build of Android is released, Google improves the security features for its open-source operating system. Last year, 0.65% of devices running Android 5 Lollipop had a PHA installed compared to 0.55% for devices powered by Android 6 Marshmallow and 0.29% for devices using Android 7 Nougat. Phones and tablets running the last two builds, Android 8 Oreo and Android 9 Pie, had PHAs installed on only 0.19% and 0.18% of devices, respectively.
Google Play Protect scans 50 billion apps a day on more than 2 billion devices
Every day, Google Play Protect scans 50 billion apps on over 2 billion devices. The feature is now enabled by default on all new Android phones. Last year Google also added notifications that warn Android users when they are installing an app outside of the Google Play Store, and when they are about to install a harmful app. In 2018, Google also started automatically disabling apps that created issues with privacy or had deceptive behavior or content.
Google also improved its Find My Device feature last year by adding indoor maps so that lost handsets could be found in large buildings like an airport. A work profile can now be used to register for Find My Device, and if a user locks his device remotely, he is prompted to perform a security update.
Also helping to reduce security issues is Google's monthly security update program. Working with Android manufacturers, SoC suppliers and carriers, Google has been increasing the number of devices that receive regular security updates. In fact, during the fourth quarter of last year, 84% more devices received a security update compared to the same quarter the previous year. And as of December, 95% of active Pixel 3 and Pixel 3 XL models were running a security update no older than 90 days.
As Android turned 10 last year, Google continued to make strides in its efforts to improve Android security and privacy. As long as it can stay ahead of the malicious actors looking to trick users into installing apps that play hidden ads, or steal personal data, the Android ecosystem should get safer every year.