Adrian Ludwig

Had an awesome time presenting "What's New in Android Security" with +xiaowen xin today at Google I/O.

I’m really excited to see us unveil Google Play Protect at Google I/O earlier today. As most people who read my G+ page probably already know -- this isn’t entirely a “new” product launch, this is the culmination of years of work defending users and protecting devices against both broad threats and targeted attacks.

The launch of Google Play Protect is about making sure the average consumer or enterprise user understands that Google is really serious about doing everything we can to protect Android users. We’ve built our name and reputation into these protections. And we’re committed to strengthening these protections through the services we provide, the operating system we build, and the work that we do with ecosystem partners to make sure that devices are safe and secure.

Congratulations to all of the engineers, security analysts, product managers (and now marketers!) who have been working for years to make Google Play Protect a reality!

"Although ransomware has begun to target mobile devices, it’s still rare: Since 2015, less than 0.00001 percent of installations from Google Play, and less than .01 percent of installations from sources other than Google Play, were categorized as ransomware. (That's less than the odds of getting struck by lightning twice in your lifetime!)."

I'm really excited to see the Android Security Year in Review go out this morning. This reflects the work of a huge number of teams, from across Google and the Android ecosystem. Congratulations and thank you to so many people!

Full report:
Blog post:
Video Summary:

I'm especially excited this year because we're already seeing discussion about some of the more complex stories that are deeper down in the report. (Which means people are actually reading the 70 page report!)

Here are just a few different perspectives I've seen so far:

Google's expanding efforts to prevent Mobile Unwanted Software take the front stage in this ZDNet Piece here:

Forbes highlights the role of Android's endpoint security technology and Google's focus on sophisticated attackers:

This piece in The Verge talks a bit about the progress we've made in evolving the Android ecosystem to deliver Android updates:

According to Samsung Mobile Security, the company has worked through "challenges" and will begin releasing monthly security updates for unlocked Galaxy smartphones in the US.

"Chamois was one of the largest PHA families seen on Android to date and distributed through multiple channels. To the best of our knowledge Google is the first to publicly identify and track Chamois."

I'm really excited about the progress we've made helping Android developers write more secure applications.

The fight against Ghost Push continues

Since 2014, the Android security team has been tracking a family of malware called 'Ghost Push,' a vast collection of 'Potentially Harmful Apps' (PHAs) that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps. For over two years, we’ve used Verify Apps to notify users before they install one of these PHAs and let them know if they’ve been affected by this family of malware.

Ghost Push has continued to evolve since we began to track it. As we explained in last year's Android Security report, in 2015 alone, we found more than 40,000 apps associated with Ghost Push. Our actions have continued at this increasingly large scale: our systems now detect and prevent installation of over 150,000 variants of Ghost Push.

Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we've worked closely with Check Point, a cyber security company, to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps. This morning, Check Point detailed those findings on their blog.

As always, we take these investigations very seriously and we wanted to share details about our findings and the actions we've taken so far.


- No evidence of user data access: In addition to rolling back the application installs created by Ghost Push, we used automated tools to look for signs of other fraudulent activity within the affected Google accounts. None were found. The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant.
- No evidence of targeting: We used automated tools to evaluate whether specific users or groups of users were targeted. We found no evidence of targeting of specific users or enterprises, and less than 0.1% of affected accounts were GSuite customers. Ghost Push is opportunistically installing apps on older devices.
- Device integrity-checks can help: We’ve taken multiple steps to protect devices and user accounts, and to disrupt the behavior of the malware as well. Verified Boot, which is enabled on newer devices including those that are compatible with Android 6.0, prevents modification of the system partition. Adopted from ChromeOS, Verified Boot makes it easy to remove Ghost Push.
- Device updates can help: Because Ghost Push only uses publicly known vulnerabilities, devices with up-to-date security patches have not been affected. Also, if a system image is available (such as those we provide for Nexus and Pixel devices) a reinstall of the system software can completely remove the malware.


- Strengthening Android ecosystem security: We’ve deployed Verify Apps improvements to protect users from these apps in the future. Even if a user tries to install an offending app from outside of Play, Verify Apps has been updated to notify them and stop these installations.
- Removing apps from Play: We’ve removed apps associated with the Ghost Push family from Google Play. We also removed apps that benefited from installs delivered by Ghost Push to reduce the incentive for this type of abuse in the future. Downloading apps from Google Play, rather than from unknown sources, is a good practice and will help reduce the threat of installing one of these malicious apps in the future.
- Protecting Google Accounts: We revoked affected users’ Google Account tokens and provided simple instructions so they can sign back in securely. We have already contacted all users that we know are affected.
- Teaming-up with Internet service providers: We are working with the Shadowserver Foundation and multiple major ISPs that provided infrastructure used to host and control the malware. Taking down this infrastructure has disrupted the existing malware, and will slow the future efforts.


We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall. These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether.

This was a team effort within Google, across the Android security, Google Accounts, and the Counter-Abuse Technology teams. It also required close coordination with research firms, OEMs, and hosting companies. We want to thank those teams for their assistance and commitment during our ongoing efforts to fight Ghost Push and keep users safe.

Excited to see LG launch a new security site with security news and security bulletins for their Android devices.

(Spiffy logo, too, btw.)

I've been told "you look like a boyband gone bad", which sounds about right.