Google Play Protect could soon get an upgrade for local APK scanning (APK teardown)

Google Play Protect, alongside Google Play Services and the Play Store, plays a very important part in keeping your Android flagship free from malware. Play Protect lets you run a safety check not only on apps that you have downloaded from the Google Play Store but also on APKs that you have manually installed. Google could soon upgrade the APK scan with more powerful rules-based local scanning, potentially protecting users from a wider range of malware.

Last year, Google added the ability to locally analyze unknown apps for malware with Play Store v37.5. This saves the user from uploading and submitting suspicious apps to Google for analysis. This also moves threat scanning under Play Protect away from a server-side model.

With Play Store v41.7.16, Google is upgrading Play Protect’s local scanning abilities by integrating YARA into it. We’ve spotted a new flag in the newest Play Store version that clearly points to “new YARA scanning features in APK analysis.”

What exactly is YARA, though? YARA is a tool that helps identify and classify malware samples, focusing more on the wider malware families than on individual malware. Traditional hash-based malware detectors look for an exact hash match (which the malware can sidestep by changing small parts about itself, creating a new hash). YARA works by detecting common code (aka malware family) instead of an exact hash, and it does so by taking a rule-based approach to create a family description. This allows YARA to detect a wider network of malware and do it efficiently.

From what we can see, Google Play Protect could soon offer local scan capabilities through the YARA model. This would be a good upgrade to local APK scanning, and while it may still be no match for cloud-based scanning, it should work well enough for basic scans.