Google Enhances Play Protect to Defend Against Polymorphic Malware

Google is strengthening its Google Play Protect tool with new real-time scanning features that aim to deal with the growing challenge of malicious apps that use polymorphic malware to evade detection.

The new capabilities enable Play Protect to scan in real time apps that have never been scanned before and will let the Android device user know if the app is safe to install or if it’s potentially harmful.

“Scanning will extract important signals from the app and send them to the Play Protect backend infrastructure for a code-level evaluation,” Steve Kafka, group product manager, and Roman Kirillov, senior engineering manager, wrote in a blog post this week. “This enhancement will help better protect users against malicious polymorphic apps that leverage various methods, such as AI, to be altered to avoid detection.”

Polymorphic malware is malicious software that can change its code and behavior. Such malware can change its appearance each time it’s executed, obfuscate its code through encryption or by including useless or irrelevant code, and can evade such defenses as sandboxes, according to Corey Nachreiner, CSO at WatchGuard Technologies.

“As it hides and evades detection so effectively, it can have a devastating impact on computer systems, steal sensitive information, compromise network security and cause irreparable damage,” Nachreiner wrote in a blog post in June.


AI Makes Malicious Code Creation Easier

The accelerated mainstreaming of generative AI tools like OpenAI’s ChatGPT complicates the situation by making it easier for bad actors to quickly create malicious code and mutate it to create polymorphic malware.

“ChatGPT could easily be used to create polymorphic malware,” CyberArk researchers Eran Shimony and Omer Tsarfati wrote in January. “This malware’s advanced capabilities can easily evade security products and make mitigation cumbersome with very little effort or investment by the adversary.”

Nachreiner added that it may look complicated, but bypassing content filters that prevent ChatGPT from creating malicious code is straightforward, which “expands the pool of cybercriminals capable of creating advanced threats, as it simplifies the processes and eliminates the need for advanced technical knowledge.”

Using continuous queries, insisting that ChatGPT comply after it first refused, and using the Python API rather than the web version to help bypass the content filters enabled the researchers to get ChatGPT to write malicious code and then mutate that code to create polymorphic malware, he wrote.

A Stronger Play Protect

Google is using the new features in Google Play Protect to push back against this trend. Play Protect already is enabled on all Android devices that use Google Play Services. It scans 125 billion apps every day to protect against malware and will send users a warning or prevent an app from installing if it seems harmful.

It also can disable the app automatically, according to Kafka and Kirillov. It does all this for apps that are downloaded from the Google Play Store or from other sources. To get around Play Protect and similar services, bad actors are using malicious apps to infect devices with polymorphic malware.

“They’re turning to social engineering to trick users into doing something dangerous, such as revealing confidential information or downloading a malicious app from ephemeral sources – most commonly via links to download malicious apps or downloads directly through messaging apps,” they wrote.

Play Protect already runs a real-time check when a user installs an app, using intelligence collected from other scans or the device’s machine learning capabilities to warn if the app is known to be malicious. The new features will recommend a real-time scan when installing apps that haven’t been scanned before.

The real-time scanning functionality will roll out to all Android devices with Google Play services, starting in India and then expanding to other regions in the coming months.

Information from the real-time scans feeds into future scans, according to Google.

“Our security protections and machine learning algorithms learn from each app submitted to Google for review and we look at thousands of signals and compare app behavior,” Kafka and Kirillov wrote. “Google Play Protect is constantly improving with each identified app, allowing us to strengthen our protections for the entire Android ecosystem.”


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
