Hummingbad, Ghost Push, and Googligan — malware that didn't stand a chance against Google's DOI metric.

Security! No, really, security. That word is practically synonymous with the Android operating system, which is why the Android Developers Blog is always talking about it. In today's installment, Megan Ruthven, Software Engineer for Android, writes about how the development team devised a metric to help identify Dead or Insecure (DOI) apps floating around in the Play Store.

If you remember back to Marshmallow, Android introduced the Verify apps functionality to scan devices for any Potentially Harmful Apps (also known as PHAs). Over time, some devices stop checking in with Verify apps. This usually happens when you've switched phones, or when something more pressing is happening in the background. In the latter case, it's because there's an app installed on your device that refuses to identify itself against the Verify apps database. The Android dev team is using the statistics from those devices to find other potentially harmful apps:

A device is considered retained if it continues to perform periodic Verify apps security check ups after an app download. If it doesn't, it's considered potentially dead or insecure (DOI). An app's retention rate is the percentage of all retained devices that downloaded the app in one day. Because retention is a strong indicator of device health, we work to maximize the ecosystem's retention rate.

Therefore, we use an app DOI scorer, which assumes that all apps should have a similar device retention rate. If an app's retention rate is a couple of standard deviations lower than average, the DOI scorer flags it.

You can read more about the formula employed by the Android development team in the blog post. So far, the DOI metric has flagged over 25,000 apps related to three well-known malware families: Hummingbad, Ghost Push, and Googligan.
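To make the quoted description of the DOI scorer concrete, here is an added example (not Google's code, and not the exact formula from the Android blog post): per-app retention rates are computed for one day of downloads, standardized against all apps, and any app more than k standard deviations below the average is flagged. The app names, counts, the k=2 threshold and the min_downloads cutoff are all assumptions for illustration.

```python
from statistics import mean, pstdev

# Constructed sample: per-app counts for a single day of downloads, since the
# retention rate is defined per day. "retained" counts devices that kept
# performing periodic Verify apps check-ups after installing the app.
DAILY_COUNTS = {
    "com.example.notes":   {"downloads": 1000, "retained": 950},
    "com.example.weather": {"downloads": 800,  "retained": 768},
    "com.example.camera":  {"downloads": 500,  "retained": 470},
    "com.example.reader":  {"downloads": 1200, "retained": 1164},
    "com.example.music":   {"downloads": 600,  "retained": 570},
    "com.example.suspect": {"downloads": 400,  "retained": 160},
}

def retention_rates(counts, min_downloads=100):
    """Per-app retention rate: retained devices / devices that downloaded it.
    min_downloads is an assumption (not from the blog post) that skips apps
    whose sample is too small for the rate to mean anything."""
    rates = {}
    for app, c in counts.items():
        if c["downloads"] < min_downloads:
            continue
        rates[app] = c["retained"] / c["downloads"]
    return rates

def doi_scores(rates):
    """Standard score of each app's retention rate against all apps, which
    encodes the scorer's assumption that every app should retain similarly."""
    values = list(rates.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # every app retains identically: nothing stands out
        return {app: 0.0 for app in rates}
    return {app: (r - mu) / sigma for app, r in rates.items()}

def flag_doi_apps(counts, k=2.0, min_downloads=100):
    """Apps whose retention rate sits more than k standard deviations below
    the average; k=2 stands in for the post's 'a couple of'."""
    scores = doi_scores(retention_rates(counts, min_downloads))
    return {app: z for app, z in scores.items() if z < -k}

if __name__ == "__main__":
    for app, z in sorted(flag_doi_apps(DAILY_COUNTS).items()):
        print(f"{app}: z = {z:.2f} -> flagged as potentially DOI")
```

With the constructed counts only com.example.suspect is flagged (z of roughly -2.2); in practice the check runs per day, so an app can move in and out of the flagged set as its daily retention changes.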