AI now detects the majority of new malware on Android

Android's security lead boasts about success, but warned that AI "is not pixie dust" that magically solves the operating system's security problems.
ad network malware
Scammers are filling ad networks with malicious ads that appear in Android apps. (Maurizio Pesce / Flickr / CC-BY-2.0)

The way Google detects malware on Android is changing rapidly.

Fifty-five percent percent of Google’s new malware detections on their mobile operating system in the last week came through machine learning. That’s an exponential increase over just six months ago when that figure sat at around five percent, according to Adrian Ludwig, an NSA veteran who now oversees Android security inside Google.

Google Play Protect, Android’s automated application security software, is on more than 2 billion devices, in every country in the world.

After three years of testing, Google started applying machine learning models to Google Play Protect only about a year ago in what’s described as a nascent and experimental period.


The last six months have seen “an inflection point,” Ludwig told CyberScoop. “We’re now actually starting to see some of that return on investment.”

Android employs a team of machine learning experts and security researchers to drive the technology forward and handle it on a daily basis. The same time period, he said, coincides with a dramatic drop in malware across Android.

“Since the beginning of the year, the number of devices affected by user-installed malware across the ecosystem went from about 0.63 percent, which is well under one percent where it was tracking steadily for years, to about 0.25 percent,” Ludwig said. That’s almost a 60 percent reduction. “So we basically cut that in half.”

The team’s biggest change since March, when the numbers rapidly shifted, was a shift from “broad models to very, very precise models” that don’t simply look for malware but instead hunt for specific families of malware by identifying different threat actors and the software they produce. Now instead of one model or dozens of models of malware, Google Play Protect looks for hundreds of discrete models.

It’s been an effective change, Ludwig said, that allows Android’s security analysts to observe an expanding range of threats including malware with less than 10 installs. Those types of threats previously would have been put on the back burner in a human-driven environment. Instead, the analysts can be more aggressive in blocking malware with small install base — a metric that could indicate a highly targeted attack, the early days of deployment or polymorphic code.


Machine learning’s use is growing across the cybersecurity industry, including at companies like Cylance and China’s $70 billion-per-year tech behemoth Baidu, the latter of which has spent the last two years developing malware-hunting AI.

Google’s adoption and success is especially important because Android owns around 90 percent of the global mobile market share, which makes it one of the most important companies on the planet when it comes to cybersecurity.

Speaking a the Structure Security conference in Silicon Valley, Ludwig was careful to warn that machine learning “is not pixie dust” and will “not solve all your problems magically. It’s just another tool.”

The caveat is well-deserved, of course, because no form of machine learning will fix some of Android’s most fundamental security issues. The majority of Android devices run years-old versions of the operating system.

Ludwig nevertheless proselytized Android’s open system and unique security approach, saying that Android’s open platform is making security stronger. As evidence, he pointed to dropping malware rates and the deployment of standard security features like full-disk encryption.


“Well over 99 percent of devices are clean,” he said. “One big Googlism is to set goals that we know we can’t reach. Our goal is to hit less than 1 in a million.”

Latest Podcasts