Android Users Beware: This Is Why You Should Never Rely On Google’s Own Malware Protection

Google has been showcasing its built-in malware protection for Android, Play Protect, this year with the slogan “securing 2 billion users daily.” But according to new research, this couldn’t be further from the truth.

The research, by independent testing organization AV-TEST, found that Google’s Play Protect scan tool was only able to detect just over a third of malware samples from a total of 6,700. In other words, 4,000 examples of malware were able to sneak through Google’s own security protection.

The results were so poor that the researchers are warning Android users to install one of the other apps tested by the lab in addition to Google Play Protect. “The current test indicates that Android users should not rely solely on Play Protect,” the researchers said.

Putting 17 Android apps to the test

AV-TEST’s lab put 17 Android security apps through a three-part test, with up to six points awarded for each category. Within this, the test for protection gave each security app 6,700 malware apps to detect. 

Of all the apps tested, Google Play Protect achieved the worst result by far, with a measly six points in total. In contrast, the best possible result of 18 points was achieved by security apps from Avira, Bitdefender, G Data, Kaspersky, NortonLifeLock, SK Telecom and Trend Micro. 

Meanwhile, securiON’s app achieved 17.5 points, while an additional eight apps achieved 17 and 16 points respectively in the test. Google Play Protect’s result was so poor that it doesn’t qualify for AV-TEST’s certificate documenting an app’s proven security–while all the other apps in the test did.

Google’s Android protection fails in false alarms too 

It worked the other way too. The AV-TEST lab tested a “false alarm” scenario, where a security app classifies something harmless as malware. In the test of more than 2,000 apps from Google Play and 850 from other sources, Google also came behind the other security apps, falsely branding 30 apps as a threat.

“As the detection rates of Google Play Protect are really quite poor, the use of a good security app is highly recommended,” the researchers advise.

Although the apps with the maximum point score of 18 are all paid products with annual license fees, AV-TEST thinks the cost is “worthwhile to users in exchange for their security.”

Android users are still plagued with issues

Google Android users face continuing security issues, so this latest research will come as yet another blow. In January, Google confirmed a critical flaw affecting Android 8 and 9. Meanwhile, the March Android security update came with more bad news, this time of a critical “rooting” vulnerability already being exploited. 

Last year the issue appeared to be getting worse, but soon afterwards Google acted by setting up the App Defense Alliance in collaboration with security companies ESET, Lookout, and Zimperium to help boost security on the Play Store. 

That is set to improve further: Google Android 11 will offer more granular permissions, while a Google campaign to reduce permissions has already impacted 55 billion Play Store installs.

Google says of its Google Play Protect: “All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app and developer in Google Play, and suspend those who violate our policies. 

“Then, Play Protect scans billions of apps daily to make sure that everything remains spot on. That way, no matter where you download an app from, you know it’s been checked by Google Play Protect.”

I have contacted Google for further comment on this story and will update if they respond. 

Google Android security: A word of advice

Android lacks Apple’s walled garden approach–as a user you have to accept that the ecosystem is somewhat fragmented, so you need to take extra steps to stay secure. 

John Opdenakker, a cybersecurity industry professional, says the test “confirms what we actually already know for a long time”–Google “isn’t protecting its users from downloading malware infected apps from its Play Store.”

He says the test results are “quite shocking” and advises Android users to “not rely on Google’s malware detection capabilities and install a security app.”

As well as installing extra security apps alongside Google Play Protect, security researcher Sean Wright advises users to “do your homework” before installing any app: “Don’t just blindly install it.”

Ian Thornton-Trump, CISO at Cyjax, agrees: “The key thing about apps is to do research on them. Google the app, read the reviews and take a moment and ask why a downhill skiing app needs access to your contacts, messages, camera, or microphone.”

It’s also a good idea to keep your phone clean–and not just with antibacterial wipes. “If you have not used an app in the last six months, get it the hell off your phone to reduce your attack surface,” says Thornton-Trump, adding that as an Android user, you “need to keep your phone up to date.”

Android users, you can keep your device secure, as long as you are proactive about it. Take the advice I’ve outlined here, and make sure you have another security app installed in addition to Google Play Protect.

All Rights Reserved for Forbes Editors’ Picks
