Google Play Protect may get more powerful local APK scanning


Google could soon boost Play Protect’s local app scanning capabilities. The system would become more powerful and efficient thanks to the implementation of the YARA tool. The change would be a new step in the mixed malware-scanning approach the company implemented last year.

Play Protect, Play Services, and Play Store are Google’s main tools to keep your Android device free of malware. Play Protect works both on apps you download from the Play Store and on APKs from external sources. Previously, the company used a cloud-based approach that required sending APKs from external sources to Google for analysis.

However, since last year, Google Play Protect can locally scan unknown APKs for malware. This way, the Mountain View giant adopted a mixed malware-scanning approach instead of a fully cloud-based one. Now, Play Protect’s local malware scanning could get more powerful thanks to the implementation of YARA.

YARA would enhance Google Play Protect’s local APK scanning

YARA is not exactly a new tool; traditional antivirus products have used it for a long time. It detects malware by classifying it into “families,” searching files for code that is common among a family of malware. Families are defined through “YARA rules,” which describe the characteristics that files (apps, in this case) in a family have in common.

This approach prevents malware from bypassing detection the way it can bypass traditional hash-based scanning. Hash-based scanning looks for an exact hash match, but modern malware is capable of modifying itself to generate a new hash. As a result, local malware scanning should soon become more efficient and effective, with greater detection capacity. References to YARA scanning appear in the latest Play Store update, v41.7.16, as spotted by Android Authority.
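The contrast between exact-hash matching and family rules can be seen in a small added example, which is not from the article, from Google, or from YARA itself. It uses a simplified Python stand-in for a YARA rule; the family name `Demo_Family`, the patterns, and the sample bytes are all constructed for illustration.

```python
import hashlib
import re

# Constructed sample bytes (harmless): two builds of one fictional family, one clean file.
# The variant has a different config value, extra padding and one changed code byte.
ORIGINAL = b"\x00HDR" + b"cfg=alpha;" + b"DemoFamily/loader" + b"\x13\x37\x01\xff\xc0\xde" + b"tail"
VARIANT = (b"\x00HDR" + b"cfg=bravo;" + b"\x00" * 8 + b"DemoFamily/loader"
           + b"\x13\x37\x02\xff\xc0\xde" + b"tail")
CLEAN = b"\x00HDR" + b"cfg=alpha;" + b"ordinary app payload" + b"tail"

# Hash blocklist built from the one build that has been seen before.
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL).hexdigest()}

# Simplified stand-in for a YARA rule (hypothetical family name). Roughly equivalent YARA:
#   rule Demo_Family {
#     strings:
#       $name = "DemoFamily/loader"
#       $code = { 13 37 ?? FF C0 DE }
#     condition:
#       all of them
#   }
FAMILY_RULES = {
    "Demo_Family": [
        re.compile(re.escape(b"DemoFamily/loader")),
        re.compile(rb"\x13\x37.\xff\xc0\xde", re.DOTALL),  # "." plays the ?? wildcard byte
    ],
}


def hash_scan(data: bytes) -> bool:
    """Exact-match detection: true only if this precise byte sequence was seen before."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def rule_scan(data: bytes) -> list[str]:
    """Family detection: names of all rules whose patterns are all present in the data."""
    return sorted(
        family for family, patterns in FAMILY_RULES.items()
        if all(p.search(data) for p in patterns)
    )


if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("variant", VARIANT), ("clean", CLEAN)):
        print(f"{label:8} hash_hit={hash_scan(blob)!s:5} families={rule_scan(blob)}")
```

The hash check flags only the original build, while the rule flags both builds and leaves the clean file alone.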

It’s worth noting that local scanning is less powerful than cloud-based scanning. Mobile devices do not have the hardware resources necessary to run all the scanning tools that Google runs on its powerful servers. That’s why the company takes a mixed approach rather than a local-only one. However, the implementation of YARA will make Play Protect’s local malware analysis more capable, powerful, and autonomous.
