Analysis and review
Before an app becomes available for download in Google Play we analyze and review the app and its developers. Using automated detection mechanisms (for example, machine learning) and human analysts, we make every effort to ensure the apps that appear in Google Play aren't harmful to users or their devices.
Developer review
As a developer, you must agree to the Google Play Developer Distribution Agreement before you can submit your apps to Google Play. This contract is a guide to the behavior we expect of developers who publish apps in Google Play.
Additionally, Google Play uses a variety of methods to check that developers are complying with these policies. Google Play's internal risk engine analyzes information from a developer's Google account, actions, history, billing details, device information, and more. If something suspicious turns up, we manually review the transactions to ensure that the developer is compliant.
Internal app review
Applications undergo a review process to confirm that they comply with Google Play policies before they become available in Google Play. Google has developed an automated application risk analyzer that performs static and dynamic analysis of apps to detect Potentially Harmful Application (PHA) behavior. When Google's application risk analyzer discovers something suspicious, it flags the app and refers it to a security analyst for manual review.
App review outside of Google Play
Because we try to protect users from PHAs and mobile unwanted software (MUwS) regardless of the source, it's important that our systems analyze and collect data on as many apps as possible. Apps are reported by security researchers, users, and others we find by crawling the internet and inspecting installed apps from other markets.
Users can allow Google to review new apps by enabling the Improve harmful app detection feature in Google Play Protect on their device. Enabling this feature helps Google to analyze more apps and the more apps our systems analyze, the better Google Play Protect is at identifying and limiting the impact of PHAs for all devices.
Machine learning
Play Protect leverages Google's powerful machine learning algorithms to combat PHAs. Google's systems learn which apps are harmful and which are safe by analyzing our entire app database. The algorithms look at hundreds of signals and compare behavior across the Android ecosystem to see if any apps show suspicious behavior, such as interacting with other apps on the device in unexpected ways, accessing or sharing personal data without authorization, aggressively installing apps (including PHAs), accessing malicious websites, or bypassing built-in security features. These algorithms also help us understand where PHAs come from and how they make money, so we can determine the motivation behind these types of apps.
Here are some of the tools we use to teach machines to identify good and bad behavior.
The app’s code is analyzed and the features are extracted and compared against expected good behavior and potential bad behavior.
GPP cultivates active relationships with industry and academic security researchers. These researchers evaluate apps in a variety of ways and send in feedback regarding their findings.
GPP uses signatures to compare apps against a database of known bad apps and vulnerabilities.
GPP analyzes non-code features to determine possible relationships between applications and to evaluate whether the developer that created the application has been associated with the creation of PHAs.
GPP runs applications to identify interactive behavior that can’t be seen with static analysis. This allows reviewers to identify attacks that require server access and dynamic code downloading.
GPP compares applications to find trends that identify harmful apps.
SafetyNet is a privacy preserving sensor network that spans the Android ecosystem and identifies apps and other threats that can harm devices.
Classifying apps
After analyzing the apps, GPP classifies them on a scale of safe to harmful. Apps and app updates that are marked as safe are adopted into Google Play. Apps that are marked as harmful are blocked. If the review algorithms are unclear whether an app is safe or harmful, it’s marked as potentially harmful. Android Security Team members review PHAs manually. Developers who knowingly perform malicious actions are banned and can no longer publish apps on Google Play.
Ongoing protection
GPP continues protecting users after they’ve installed an app, even if the is app downloaded from outside of Google Play. GPP’s on-device protections scan and analyze every app on the device.