Based on data collected by Google, less than one percent of Android devices had a potentially harmful application installed last year. This includes devices on which users have installed applications from outside the official Google Play store.
The data was collected through a feature called Verify Apps that was first introduced in Android 4.2 back in 2012. The feature, which was also backported to Android 2.3 and higher in 2013, checks locally installed applications for potentially harmful behavior regardless of whether they were downloaded from Google Play or other sources.
Verify Apps initially scanned applications only at installation time, but since March 2014 it also performs background scans, so it can later detect malicious applications that weren’t flagged when they were initially installed.
It can detect threats that fall into several categories: Generic PHA (potentially harmful application), Phishing, Rooting Malicious, Ransomware, Rooting, SMS Fraud, Backdoor, Spyware, Trojan, Harmful Site, Windows Threat, NonAndroid Threat, WAP Fraud and Call Fraud.
According to Google’s data, the number of devices scanned by Verify Apps has increased steadily since the feature was first introduced, reaching over 200 million devices per day in November 2014.
Prior to October 2014, Verify Apps did not differentiate between devices that only installed apps from Google Play and devices with the “unknown sources” security setting enabled, which allows apps to also be installed from third-party app stores and other sources, an action commonly known as sideloading.
Sideloading is believed to increase the risk of malware infection for Android devices. Unlike third-party app stores, Google Play has automated mechanisms in place to scan and detect potentially harmful apps uploaded by developers, so it’s viewed as safer, even though some malicious applications do sometimes make their way into the official store.
“During October 2014, the lowest level of device hygiene was 99.5% and the highest level was 99.65%, so less than 0.5% of devices had a PHA installed (excluding non-malicious Rooting apps),” Google said in a report released Thursday.
On Android, rooting is the process of gaining access to the highest privileged account on the system, called root. This is used by power users to enable advanced functionality that’s normally restricted by default, or can be used by malware to escape the Android application sandbox and read data from other apps. So, rooting tools can be both non-malicious and malicious—usually in the form of exploits.
Devices that have been rooted, intentionally or otherwise, are believed to be at higher risk, so Android’s Verify Apps scanner can detect both types of rooting apps.
In October, approximately 0.25% of devices had a non-malicious Rooting application installed, Google said.
Some general statistics in Google’s report are based on data collected between November 2013 and November 2014, but those that break down data between devices with Google Play-only apps and those with sideloaded apps only cover a two-week period—mid-October to Nov. 1.
During those two weeks, potentially harmful applications (excluding non-malicious rooting applications) were detected on 0.7 percent of devices with sideloaded apps and on under 0.1 percent of devices that only had apps from Google Play installed.
Verify Apps doesn’t track the physical location of devices, but tracks the language (locale) configured on them. While the locale is not an accurate indication of device location, Google found that locale data generally reflected the expected Android user population across different countries, so it was used to draw some conclusions.
For example, devices with the Russian locale that allowed sideloading were more likely to have a potentially harmful application installed than devices with other locales. Between 3 and 4 percent of Russian devices had a PHA installed, Google said.
Their infection rate was considerably higher than that of devices with any other locale, including Chinese, whose rate was 0.8 percent. That’s surprising given that Google Play is not available in China so most devices in the country are configured for sideloading.
Meanwhile, only 0.4 percent of devices that allowed sideloading and were configured with the US English locale had a PHA installed, 0.2 percent under the worldwide average, Google said.
When rooting apps were also taken into account, devices with the Chinese locale jumped to the top, with a rate of around 8 percent.
“Chinese devices which install apps from outside of Google Play are more likely to have a non-malicious Rooting application than any other region or type of PHA,” Google said. “In fact, there are numerous applications from major Chinese corporations that include rooting exploits to provide functionality that is not provided by the Android API. Some of these Rooting applications explicitly describe that they will use an exploit to root the device, but there are some applications which do not describe this functionality to users.”
If we exclude Russia, the worldwide rate of PHA installations from outside Google Play decreased by almost half between the first quarter and the second quarter of 2014, Google said.