Not a single Android user actually installed a frightening piece of ransomware called Lockdroid, according to Google, despite reports that two-thirds of users were at risk.
Only last week Symantec claimed up to 67 per cent of Android devices were at risk, but not one Android user was successfully fooled into downloading the ransomware, as Google's security features would have flagged it up, claimed Elena Kovakina, senior security analyst at Google.
Speaking at Kaspersky's Security Analyst Summit in Tenerife, Kovakina said malicious apps featuring Lockdroid were downloaded by fewer than 1,000 devices, a far cry from the potential billion suggested by headlines, and that Google's own analytics revealed that "no users actually installed it".
The Lockdroid campaign failed to take off thanks to warnings via Google's Verify Apps system, which scans not only all the apps available via its own Google Play Store, but as many of those side-loaded through other app stores as possible.
Scanning for harmful apps
Kovakina said Google scans two million apps weekly, both on its own market and others, looking for what it calls "potentially harmful apps" (PHAs), which can include anything from ransomware and Trojans to surveillance and snooping.
Thanks to that programme, she said fewer than 0.5 per cent of Android devices globally have a PHA installed on them. "Which is quite a good stat," she said.
The vast majority of PHAs come via side-loaded apps, as in those not on Google Play but other app stores. Indeed, Google Play apps are ten times safer - while the infection rate of Android handsets with apps from third-party stores has slid from 2 per cent to 1 per cent in the past three months, those with only Google Play apps are all but zero, Google claimed.
Despite such external markets being more dangerous, Google does not want to ban rival app markets, because that would reduce openness and choice.
Instead, it is trying to gently push users towards making safer security choices, such as by pre-installing Google Play on devices, making it the easiest source of applications. Plus, it pops up warnings when apps are asking for too much access or if they look dodgy, tracking the decisions users make.
"This is a massive set of data, and we base security improvements on this feedback," Kovakina said.
This is also where Verify Apps plays a part, because it scans apps regardless of origin. While it is not enabled by default, users are prompted to enable the app scanning system and most Android users say yes, some 1.4 billion.
"It's actually heartwarming to know that the majority of users are enrolled by Verified Apps and trust us to protect them," the security expert said.
Despite non-Google Play apps being scanned by the company, there is still a discrepancy between users who never leave the Google marketplace and those that do. Kovakina said that was down to choice: some users ignore Google's warning and click through to install anyway.
About a fifth of users faced with such a warning ignore it, but that stat is higher than might be expected because it includes commercial spyware and non-malicious rooting, Kovakina said, both of which users might be installing knowing full well what the risks are.
Google's data analysis can also spot when users are not blocking or uninstalling apps after repeat warnings, which can suggest the app is using persistence techniques to dodge removal, such as getting administrator powers.
Such a case recently occurred in Russia, and Google used Verify Apps to remove the malicious app without user permission on the assumption that people were trying to get rid of it and failing, something it only uses "sparingly" for "extremely malicious campaigns", she said.