Joe Hindy / Android Authority
TL;DR
- Google Play Protect offers the ability to locally scan APKs installed from outside the Google Play Store.
- This local scanning feature could soon be upgraded to use the YARA model for a rules-based approach to detecting malware families.
- YARA should allow Play Protect to detect a wider range of malware more efficiently.
Google Play Protect, alongside Google Play Services and the Play Store, plays a very important part in keeping your Android flagship free from malware. Play Protect lets you run a safety check not only on apps that you have downloaded from the Google Play Store but also on APKs that you have manually installed. Google could soon upgrade the APK scan with more powerful rules-based local scanning, potentially protecting users from a wider range of malware.
An APK teardown helps predict features that may arrive on a service in the future based on work-in-progress code. However, it is possible that such predicted features may not make it to a public release.
Last year, Google added the ability to locally analyze unknown apps for malware with Play Store v37.5. This saves the user from uploading and submitting suspicious apps to Google for analysis. This also moves threat scanning under Play Protect away from a server-side model.
With Play Store v41.7.16, Google is upgrading Play Protect’s local scanning abilities by integrating YARA into it. We’ve spotted a new flag in the newest Play Store version that clearly points to “new YARA scanning features in APK analysis.”
```
PlayProtect__enable_new_yara_scanning_features_in_apk_analysis
```
What exactly is YARA, though? YARA is a tool that helps identify and classify malware samples, focusing on wider malware families rather than on individual pieces of malware. Traditional hash-based malware detectors look for an exact hash match, which malware can sidestep by changing small parts of itself and so producing a new hash. YARA instead detects the common code shared across a malware family, using a rule-based approach to build a description of that family. This allows YARA to detect a wider range of malware and to do it efficiently.
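The contrast between exact-hash matching and a family rule, as an added example (not from the article, and not Play Protect's or YARA's own code): a simplified Python stand-in for a YARA-style rule with named byte patterns and a "2 of them" condition. The sample bytes, pattern names and rule name are all constructed for illustration.

```python
import hashlib

# Constructed byte strings standing in for two builds of one malware family
# and one unrelated app. None of these are real samples or real indicators.
VARIANT_A = b"hdr\x01com.example.dropper.Loader\x00\xde\xad\xbe\xef\x13\x37key=alpha;beacon_v1"
VARIANT_B = b"hdr\x02com.example.dropper.Loader\x00\x00\xde\xad\xbe\xef\x13\x37key=bravo;beacon_v1"
BENIGN = b"hdr\x01com.example.notes.MainActivity\x00changelog mentions beacon_v1"

# Hash blocklist built from the single sample that has already been analyzed.
KNOWN_BAD_SHA256 = {hashlib.sha256(VARIANT_A).hexdigest()}

# Family description in the spirit of a YARA rule (assumed, simplified model):
# named byte patterns plus a condition on how many of them must be present.
FAMILY_RULE = {
    "name": "ExampleDropperFamily",
    "strings": {
        "$class": b"com.example.dropper.Loader",
        "$stub": bytes.fromhex("deadbeef1337"),
        "$tag": b"beacon_v1",
    },
    "min_matches": 2,  # equivalent in intent to the YARA condition "2 of them"
}

def hash_match(data):
    """Exact-match detection: any changed byte yields a different digest."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256

def rule_hits(data, rule=FAMILY_RULE):
    """Names of the rule's patterns that occur anywhere in the data."""
    return [name for name, pattern in rule["strings"].items() if pattern in data]

def rule_match(data, rule=FAMILY_RULE):
    """Family detection: enough shared patterns, regardless of the file hash."""
    return len(rule_hits(data, rule)) >= rule["min_matches"]

def scan(data):
    return {"hash": hash_match(data), "rule": rule_match(data), "hits": rule_hits(data)}

if __name__ == "__main__":
    for label, blob in (("variant A", VARIANT_A), ("variant B", VARIANT_B), ("benign", BENIGN)):
        print(label, scan(blob))
```

Variant B evades the hash blocklist but still satisfies the rule, while the benign file contains only one of the patterns and stays below the threshold, which is why the condition requires more than a single string.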
From what we can see, Google Play Protect could soon offer local scan capabilities through the YARA model. This would be a good upgrade to local APK scanning, and while it may still be no match for cloud-based scanning, it should work well enough for basic scans.