Google Play Protect changes: is it really real-time scanning on Android?

Google Play Protect is a security service that aims to protect Android devices from harmful or unwanted apps. It is integrated into the operating system Android (enabled on all devices that integrate i Play Services) and offers a basic line of defense against applications that may pose a threat to users and their data.

Google software does the app scanning present on the device and those that the user downloads from the Play Store. The analysis activity checks for the presence of malwarespyware and other harmful components on the Android terminal.

Google Play Protect improves app scanning

The Google Play Protect software scans for something like every day 125 billion apps because it is practically ubiquitous on users’ Android devices. Such widespread diffusion calls the Mountain View company to implement continuous improvements, essential when it comes to security and with an extremely large user base.

As leaked a few weeks ago, now comes the official confirmation: Google Play Protect becomes capable of examine in real time what happens on the device by detecting suspicious behavior and neutralizing it accordingly.

To try to avoid detection by services like Play Protect, cybercriminals use malicious apps that they make available outside of the Play Store. Furthermore, as Google technicians explain, attackers are using it more and more often polymorphic malwaredesigned to change its signature or code every time it infects a new device.

There is also increasing reference to the use ofsocial engineering to trick users into doing something dangerous, such as revealing confidential information or downloading a malicious app from unofficial and therefore potentially risky sources.

How the new scanning mechanism works

Despite its solid presence on end-user devices, Google Play Protect is still not convincing today. Already in mid-2021 we underlined that Play Protect did not offer advanced protection on Android: the opinion has not changed even in 2023. Unfortunately, the most updated tests still highlight how Play Protect offers a reduced level of protection, especially when compared to the main solutions for protection of Android devices.

With the new approach described by Google, something could finally change. The new Google Play Protect, being distributed on end user devices in a few months’ time, suggests one app scanning when installing applications that have never been scanned before. As a rule, in fact, Play Protect recognizes the application with which he has to deal starting from his own hash and from other descriptive characteristics it then queries Google’s databases, available on the company’s servers, to establish whether it is a legitimate app or not.

Google Play Protect, real-time scanning

When Play Protect doesn’t recognize an app, it will now be possible to extract some essential information and transmit it to the infrastructure backend of Google for one code-level evaluation. This is the essence of the important innovation introduced in Play Protect: once thereal-time analysis, users will receive a result informing them whether the app appears safe (and can therefore be installed without problems) or whether the scan has detected potential problems. Play Protect’s enhanced scanner will leverage static analysis, along with heuristics andmachine learning, to identify patterns indicative of malicious activity. The signals extracted from the app serve as key inputs for theanalyses in-cloud based on artificial intelligence.

With this revamped scheme, Play Protect should better protect users from polymorphic malware that exploits various methods, such asartificial intelligenceto continuously self-modify and avoid recognition.

It’s not really a real-time scan

The one introduced by Google in its Play Protect is therefore not a real-time scan in the strict sense. With this expression we are in fact referring to anti-malware applications which remain constantly running in backgroundautomatically block and report any suspicious behavior to the user.

It’s quite a improved scanning which is activated when the user tries to install still unknown Android apps, whatever source they come from.

Of course, some malicious apps will continue to be able to bypass Google’s protection system, for example by adding rather long delays before download of the malicious code (payload). Because Play Protect scans when apps are installed and on a periodic basis, some attackers might evade detection over a rather broad time window.

Play Protect update and multi-level protection

L’Play Protect update, like other basic components of Android, is separate from that of the actual operating system. This way you can enjoy the new ones defense measures gradually introduced by Google regardless of the version of the operating system installed on its terminals.

Google technicians underline that Android’s defenses are increasingly looking at a multi-level approach: Play Protect is supported with continuous security updates, also combining the control of permissions assigned to apps (with the automatic revocation of permissions for Android apps that you don’t use at all…) and the Safe navigation of Chrome, also active by default at the level of the System WebView system component.


Please enter your comment!
Please enter your name here