
Google Android App Verification Service “Fragile,” Researcher Says

A security researcher at North Carolina University has found that the app verification service used by Google to determine whether a particular Android application is malicious is “fragile and can be easily bypassed.”


The study comes roughly a month after Google announced the inclusion of an application verification feature as part of Android 4.2, known as “Jelly Bean.” In Jelly Bean, users can choose to enable a “Verify Apps” feature that will screen an application prior to installation. In his report, Associate Professor Xuxian Jiang discovered that when he targeted Nexus 10 tablets running Android 4.2 with 1,260 malware samples, only 193 were detected by the service.

“Specifically, our study indicates that the app verification service mainly uses an app’s SHA1 value and the package name to determine whether it is dangerous or potentially dangerous,” he writes. “This mechanism is fragile and can be easily bypassed. It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it).”

“To be more effective, additional information about the app may need to be collected,” he added. “However, how to determine the extra information for collection is still largely unknown — especially given user privacy concerns.”
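To illustrate the fragility Jiang describes, the following Python example (added here, not code from the study or from Google) compares a whole-file SHA1 lookup with a hypothetical content-based fingerprint on constructed APK-like archives. The function names, the fingerprint scheme and the sample data are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

def build_apk(entries, comment=b""):
    """Build a constructed APK-like ZIP in memory (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.comment = comment
        for name, data in entries.items():
            # Fixed timestamp keeps the output deterministic.
            zf.writestr(zipfile.ZipInfo(name, (2012, 12, 1, 0, 0, 0)), data)
    return buf.getvalue()

def file_sha1(blob):
    """Whole-file checksum, the kind of value the article says the service keys on."""
    return hashlib.sha1(blob).hexdigest()

def content_fingerprint(blob):
    """Hypothetical alternative: hash entry names and decompressed contents,
    skipping META-INF/ so a re-signed copy of the same code still matches."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in sorted(zf.namelist()):
            if name.startswith("META-INF/"):
                continue
            digest = hashlib.sha256(zf.read(name)).hexdigest()
            h.update(f"{name}\0{digest}\n".encode())
    return h.hexdigest()

# Constructed sample: same code and manifest, different signature block and ZIP comment.
CODE = {"AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
        "classes.dex": b"constructed-dex-bytes" * 64}
ORIGINAL = build_apk({**CODE, "META-INF/CERT.RSA": b"signer-A"})
REPACKED = build_apk({**CODE, "META-INF/CERT.RSA": b"signer-B"}, comment=b"rebuilt")
MODIFIED = build_apk({**CODE, "classes.dex": b"different-code" * 64})

def verdict(blob, sha1_blocklist, fp_blocklist):
    """Return which of the two lookups flags this file."""
    return {"sha1": file_sha1(blob) in sha1_blocklist,
            "content": content_fingerprint(blob) in fp_blocklist}

if __name__ == "__main__":
    sha1_bl, fp_bl = {file_sha1(ORIGINAL)}, {content_fingerprint(ORIGINAL)}
    for label, blob in [("original", ORIGINAL), ("repacked", REPACKED), ("modified", MODIFIED)]:
        print(label, verdict(blob, sha1_bl, fp_bl))
```

The content fingerprint survives re-archiving and re-signing only; a change to the code itself, the mutation case in the quote, changes both values, which is why a lookup of either kind cannot stand in for real detection capability.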

Jiang is one of the minds behind the Android Malware Genome Project, which is an effort to catalog and analyze Android malware. According to Jiang, when an application is installed and the verification service is turned on, it will collect and send information about the app – its name, size, SHA1 value, etc. – as well as information about the device to the Google cloud. Afterwards, the device will receive a response, and if the application is unsafe the user will see a warning declaring it either dangerous or potentially dangerous.


Jiang notes that the new service relies largely on the server component in the cloud to determine whether an app is malicious or not.  

“Unfortunately, it is not realistic to assume that the server side has all existing malware samples (especially with limited information such as app checksums and package names),” according to Jiang. “From another perspective, the client side, in the current implementation, does not have any detection capability, which suggests possible opportunity for enhancement. However, due to the limited processing and communication power on mobile devices, we need to strike a delicate balance on how much detection capability can and should be offloaded.”

Google did not respond to a request for comment before publication.

Jiang also found that the detection rates of antivirus engines were significantly higher than the service, with AV detection ranging from 51.02 percent to 100 percent and the service’s detection at 20.41 percent.

“Last but not least, we notice that VirusTotal (owned by Google) has not been integrated yet into this app verification service,” he writes. “From our measurement results, VirusTotal performs much better than this standalone service. For improved detection results, we expect such integration in the future will be helpful.”
