Silence speaks louder than words when finding malware
Blog post from Google Cloud
The Android Security team employs a multi-layered approach to enhance device security by identifying and mitigating potentially harmful apps (PHAs) through systems like Verify apps, which checks for PHAs and warns users, allowing them to uninstall such apps. A key metric used in this process is the Dead or Insecure (DOI) score, which evaluates the retention rate of devices after app downloads to detect suspicious apps with unusually low retention rates. This DOI score helps flag apps that may degrade the Android experience, such as those from malware families like Hummingbad, Ghost Push, and Gooligan, which can lead users to factory reset or abandon their devices. By using statistical methods such as the Z-score to identify apps with significant deviations in retention rates, the DOI metric works alongside other security measures to protect users and aid in the early detection of PHAs before they become widespread.
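The Z-score step described above can be sketched as a one-proportion test of each app's retention rate against the rate across all apps. This is an added example, not code from the original post or from the Android Security team; the package names, counts, `threshold` and `min_installs` values are constructed assumptions.

```python
import math

# Constructed sample data: (package, devices that installed, devices still retained).
SAMPLE_APPS = [
    ("com.example.notes", 50_000, 47_600),
    ("com.example.flashlight", 20_000, 19_050),
    ("com.example.game", 120_000, 114_300),
    ("com.example.wallpaper", 8_000, 6_900),   # unusually low retention
    ("com.example.tiny", 40, 30),              # too few installs to judge
]

def retention_z(retained, installs, baseline):
    """Z-score of an app's retention rate against the baseline rate."""
    if installs <= 0 or not 0 <= retained <= installs:
        raise ValueError("need 0 <= retained <= installs and installs > 0")
    if not 0.0 < baseline < 1.0:
        raise ValueError("baseline must be strictly between 0 and 1")
    std_err = math.sqrt(baseline * (1.0 - baseline) / installs)
    return (retained / installs - baseline) / std_err

def flag_low_retention(apps, threshold=-3.0, min_installs=100):
    """Return (package, z) for apps whose retention is significantly below baseline.

    threshold and min_installs are assumed values for this example.
    """
    total_installs = sum(n for _, n, _ in apps)
    total_retained = sum(x for _, _, x in apps)
    baseline = total_retained / total_installs  # retention across all apps
    flagged = []
    for package, installs, retained in apps:
        if installs < min_installs:
            continue  # normal approximation is unreliable on tiny samples
        z = retention_z(retained, installs, baseline)
        if z < threshold:
            flagged.append((package, round(z, 2)))
    return sorted(flagged, key=lambda item: item[1])  # most anomalous first

if __name__ == "__main__":
    for package, z in flag_low_retention(SAMPLE_APPS):
        print(f"{package}: z = {z}")
```

A flagged app is a candidate for further review alongside other signals, not a verdict; the minimum-install cutoff keeps a handful of abandoned devices from producing a large negative score on a tiny sample.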