Android Security & Privacy 2018 report: Continued maturation of Google’s security efforts

PHA numbers continue to show a decline, as Google refines and adds to their Android security posture.

Google released their 2018 review of Android security and privacy a few weeks ago, and we’re finally getting time to look at it with back-to-back conferences out of the way. We previously reviewed their 2017 edition for our mobile security review, so let’s take a quick look at the data worth talking about.

Android security continues to improve

In a not-at-all-surprising development, but a good one to see nonetheless, the 2018 Android report [PDF] shows a continued downward trend of what Google calls potentially harmful apps (PHAs). However, due to click fraud getting added to the PHA definition (used to be considered just a policy violation), PHA installation rates for Android devices installing only from Google Play look on par with 2017 at 0.08%. But, otherwise the numbers show a decline.

Only 0.45% of all Android devices running Google Play Protect installed PHAs in 2018, down from 0.56% in 2017. There was a similar decline with devices that installed apps from outside the Google Play store: 0.68% from 0.80% installed PHAs.

Android security report

Sideloaded app installation overall dropped from 1.48% in 2017 to 0.92% in 2018. Sideloaded apps will be a thing to keep an eye on, especially if more app developers follow in Epic’s footsteps, and release apps outside of Google Play. (I’m doubtful since few developers/publishers are big enough to avoid the walled marketplaces where most users discover apps.)

But, we are curious how many people downloaded Fortnite and then decided to sideload more apps. Did Fortnite act as a sort of gateway, did most people download just one title and return to Google Play, or were they already sideloading? This is something we just don’t have the data on right now, but it’s a meaningful topic of conversation in the EMM and mobile security space.

Pre-installed PHAs exist, but Google scans OEM builds
One area that interested me during our mobile security review was pre-installed malware, and it makes a small appearance in the 2018 Android security report. Google mentioned it in the 2017 report, and noted they had started scanning for them, but provided little info beyond that. The 2018 report offers a little more data, but it remains hard to get a clear picture of how often pre-installed PHAs are actually an issue.

Google has a Build Test Suite (BTS) partner OEMs can use to look at the security stance of the system image. In 2018, BTS prevented 242 builds with PHAs from making it to market—but no mention how many builds a year they scan. We know that there are tens of thousands of device models out there, so we’re likely talking a very small rate of affected devices.

The Android Security & Privacy report says that the majority of pre-installed PHAs affect users outside of the U.S., like in India. PHAs discovered on Indian devices were introduced via supply chain attacks either through pre-installed PHA or OTA updates, and even then PHA installation remains low at 0.65% of all devices (35% YoY drop).

Android security continues to improve

The statistics Google opted to reveal show they’re getting better each year at securing their OS, but there’s nothing truly revelatory in the majority of the data here. It’s important to see what Google has to say and show around PHAs, but our biggest security concern revolves around user identities, protecting passwords, and social engineering/phishing.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.