Google explains how it spots malicious Android apps

Even if they prevent Android's Verify Apps feature from working properly.

Android's Verify Apps feature performs malware scans on newly downloaded applications to make sure they're safe. But since some malicious apps can prevent the feature from working, the company had to find an alternative way to figure out if a phone stopped using Verify because you no longer use it or if it's due to malware lurking in your device. In a blog post on Android Developers, Google explains how it detects if a particular application is harmful even with the absence of Verify's verdict. "To understand this problem more deeply," the post reads, "the Android Security team correlates app install attempts and Dead or Insecure (DOI) devices." To note, the team marks devices that stopped checking up with Verify as DOI and those that continue to use the feature as "retained."

The security team compute for the app's retention rate, or the "percentage of all retained devices that downloaded [it] in one day" using the formula below wherein:

N = Number of devices that downloaded the app.
x = Number of retained devices that downloaded the app.
p = Probability of a device downloading any app will be retained.
Z = Represents the DOI score.

If Z or the DOI score falls below -3.7, it means a large number of phones or tablets stopped checking with Verify the moment they installed the app. Google then inspects it more closely to determine if it's truly harmful before removing existing installs and preventing future downloads. The company says this method allowed the Security team to find a lot of apps loaded with the Hummingbad, Ghost Push and Gooligan malware in the past. Those applications would've slipped by unnoticed if they didn't employ this technique.