Google this week touted security improvements based on human help, rather than algorithm smarts alone.
Google announced that in 2018 its bug bounty program -- aka the Vulnerability Reward Program -- paid out $3.4 million in total rewards to 317 researchers who submitted issues. Those 317 researchers, from 78 different countries, earned more than 1,300 rewards, with the biggest reward being $41,000. Of the $3.4 million awarded, half of all rewards went to issues submitted for either Google Chrome or Android.
And it wasn't just outside human help that provided benefits to Google, as the company also announced improvements in Google Play security.
"The number of rejected app submissions increased by more than 55%, and we increased app suspensions by more than 66%," Andrew Ahn, product manager for Google Play, wrote in a blog post. "These increases can be attributed to our continued efforts to tighten policies to reduce the number of harmful apps on the Play Store, as well as our investments in automated protections and human review processes that play critical roles in identifying and enforcing on bad apps."
Ahn said a big part of improving Google Play security came from the discovery that "over 80% of severe policy violations are conducted by repeat offenders and abusive developer networks." A combination of machine smarts and human reviewers more often stopped these Google Play security threats before malicious apps were published.
Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, said malware developers seem to be similar to real-life criminals in that those who "spend time in jail have a high chance of becoming repeat offenders once they're released."
"Since we're talking about the digital world, it's obvious that the consequences for submitting malware and being caught are not as harsh as going to jail, which is why it makes sense for malware developers to keep trying until they succeed," Arsene said. "Using human reviewers in the screening process does help iron out threats designed to bypass automatic scanning filters, or at least cast away suspicion from apps that have been tagged by automated machine-learning-enabled systems as malicious."
Arsene added that there is still a major Google Play security threat that needs to be addressed.
"Google has made considerable efforts in the past couple of years in terms of plugging malware that gets smuggled into their app store," Arsene wrote. "However, there's still the matter of privacy-intrusive apps that collect more data than they need. Defining which apps are intrusive and which ones are not is something that's probably the biggest challenge right now."