How Google finds Android malware

A post on the Android Developers Blog has explained how the company detects and deals with malware.

“One security solution included on all devices with Google Play is Verify apps. Verify apps checks if there are Potentially Harmful Apps on your device,” stated the post.

If harmful apps are found, they are uninstalled.

If a device stops “checking up with Verify apps”, it is considered dead or insecure (DOI).

“An app with a high enough percentage of DOI devices downloading it, is considered a DOI app.”

This metric is used to help determine if an app is potentially harmful to users, said Google.

The Android team uses a “dead or insecure scorer”, which is based on an app’s device retention rate, as part of its calculations.

An app’s retention rate is the percentage of all retained devices that downloaded the app in one day.

“Because retention is a strong indicator of device health, we work to maximize the ecosystem’s retention rate.”

The number of standard deviations from the average is called a Z-score. The equation for the Z-score is below.

  • N = Number of devices that downloaded the app.
  • x = Number of retained devices that downloaded the app.
  • p = Probability that a device downloading any app will be retained.


An app has a statistically significant lower retention rate if its Z-score is much less than -3.7.

“This allows for percolation of extreme apps – with low retention rate and high number of downloads – to the top of the dead or insecure list.”

This is used to help decide whether an app is harmful or not.
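
An added example (not Google's code and not part of the original article): a sketch of the scorer described above, assuming the Z-score takes the standard normal-approximation form for a binomial count, Z = (x - Np) / sqrt(Np(1 - p)), with N, x and p as defined in the list. The app names, download counts and the value of p are constructed.

```python
import math

# Cut-off quoted in the article. The article says "much less than -3.7";
# a strict comparison is used here as a simplifying assumption.
Z_THRESHOLD = -3.7


def z_score(n, x, p):
    """Standard deviations between the observed retained count x and the
    expected count n*p (assumed binomial, normal approximation)."""
    if n <= 0 or not 0.0 < p < 1.0:
        raise ValueError("need n > 0 and 0 < p < 1")
    return (x - n * p) / math.sqrt(n * p * (1.0 - p))


def rank_doi_apps(apps, p, threshold=Z_THRESHOLD):
    """Return (name, z) for apps scoring below the threshold, most extreme first."""
    scored = [(name, z_score(n, x, p)) for name, n, x in apps if n > 0]
    flagged = [(name, z) for name, z in scored if z < threshold]
    return sorted(flagged, key=lambda item: item[1])


# Constructed sample data: (app name, N downloads, x retained devices).
SAMPLE_APPS = [
    ("app.popular.ok", 100_000, 95_050),   # retention slightly above p
    ("app.popular.bad", 100_000, 90_000),  # 90% retention, many downloads
    ("app.small.bad", 20, 18),             # 90% retention, too few downloads
    ("app.mid.bad", 2_000, 1_850),         # 92.5% retention, moderate downloads
]
P_RETAINED = 0.95  # constructed ecosystem-wide retention probability

if __name__ == "__main__":
    for name, z in rank_doi_apps(SAMPLE_APPS, P_RETAINED):
        print(f"{name}: Z = {z:.1f}")
```

Both `app.popular.bad` and `app.small.bad` retain 90% of devices, but only the first is flagged: with 20 downloads the shortfall is about one standard deviation, which is why low-retention apps with many downloads rise to the top of the list.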
