Google has been showcasing its built-in malware protection for Android, Play Protect, this year with the slogan “securing 2 billion users daily.” But according to new research, this couldn’t be further from the truth.
The research, by independent testing organization AV-TEST, found that Google’s Play Protect scan tool was only able to detect just over a third of malware samples from a total of 6,700. In other words, 4,000 examples of malware were able to sneak through Google’s own security protection.
The results were so poor that the researchers are warning Android users to install one of the other apps tested by the lab in addition to Google Play Protect. “The current test indicates that Android users should not rely solely on Play Protect,” the researchers said.
Putting 17 Android apps to the test
AV-TEST’s lab put 17 Android security apps through a three-part test, with up to six points awarded for each category. Within this, the test for protection gave each security app 6,700 malware apps to detect.
Of all the apps tested, Google Play Protect achieved the worst result by far, with a measly six points in total. In contrast, the best possible result of 18 points was achieved by security apps from Avira, Bitdefender, G Data, Kaspersky, NortonLifeLock, SK Telecom and Trend Micro.
Meanwhile, securiON’s app achieved 17.5 points, while an additional eight apps achieved 17 and 16 points respectively in the test. Google Play Protect’s result was so poor that it doesn’t qualify for AV-TEST’s certificate documenting an app’s proven security–while all the other apps in the test did.
Google’s Android protection fails in false alarms too
It worked the other way too. The AV-TEST lab tested a “false alarm” scenario, where a security app will classify something harmless as malware. In the test of more than 2,000 apps from Google Play and 850 from other sources, Google also came behind the other security apps, falsely branding 30 apps as a threat.
“As the detection rates of Google Play Protect are really quite poor, the use of a good security app is highly recommended,” the researchers advise.
Although the apps with the maximum point score of 18 are all paid with annual license fees, AV-TEST thinks the cost is “worthwhile to users in exchange for their security.”
Android users are still plagued with issues
Google Android users face continuing security issues, so this latest research will come as yet another blow. In January, Google confirmed a critical flaw affecting Android 8 and 9. Meanwhile, the March Android security update came with more bad news, this time of a critical “rooting” vulnerability already being exploited.
Last year the issue appeared to be getting worse, but soon afterwards Google acted by setting up the App Defense Alliance in collaboration with security companies ESET, Lookout, and Zimperium to help boost security on the Play Store.
That is set to improve further: Google Android 11 will offer more granular permissions, while a Google campaign to reduce permissions has already impacted 55 billion Play Store installs.
Google sent me a statement via email, which reads: “We invest heavily in keeping users safe and our refreshed Google Play Protect experience is there to ensure the quality and security of apps on Android devices.
“Google Play Protect scans over 100 billion apps every day, providing users with information about potential security issues and actions they can take to keep their devices safe and secure. Last year, Google Play Protect also prevented more than 1.9B malware installs from non-Google Play sources.”
Google Android security: A word of advice
Android lacks Apple’s walled garden approach–as a user you have to accept that the ecosystem is somewhat fragmented, so you need to take extra steps to stay secure.
John Opdenakker, a cybersecurity industry professional, says the test “confirms what we actually already know for a long time”–Google “isn’t protecting its users from downloading malware infected apps from its Play Store.”
He says the test results are “quite shocking” and advises Android users to “not rely on Google’s malware detection capabilities and install a security app.”
As well as installing extra security apps in addition to Google Play Protect, security researcher Sean Wright advises users to “do your homework” before installing any app: “Don’t just blindly install it.”
Ian Thornton-Trump, CISO at Cyjax, agrees: “The key thing about apps is to do research on them. Google the app, read the reviews and take a moment and ask why a downhill skiing app needs access to your contacts, messages, camera, or microphone.”
It’s also a good idea to keep your phone clean–and not just with antibacterial wipes. “If you have not used an app in the last six months, get it the hell off your phone to reduce your attack surface,” says Thornton-Trump, adding that as an Android user, you “need to keep your phone up to date.”
The Google Play Store’s security problems are already well documented. However, when choosing a security app, you would do well to regard this report with a critical eye. Do your own research and always ensure you trust an app before downloading it. Be aware, for example, that Cheetah Mobile is included in this benchmarking test, and this is an app removed from the Play Store for known security issues.
Android users–you can keep your device secure, as long as you are proactive about it. Take the advice I’ve outlined here, and make sure you have another trustworthy security app installed in addition to Google Play Protect.