Google Play Protect adds real-time scanning upon software execution

<uh1fcd$micb$1@paganini.bofh.team>

Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: walterjo...@invalid.nospam (Wally J)
Newsgroups: comp.mobile.android
Subject: Google Play Protect adds real-time scanning upon software execution
Date: Sat, 21 Oct 2023 17:21:16 -0400
Organization: To protect and to server
Message-ID: <uh1fcd$micb$1@paganini.bofh.team>
Injection-Date: Sat, 21 Oct 2023 21:21:17 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="739723"; posting-host="aqrvbDZHMwEQGNwM6HQF3w.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
Cancel-Lock: sha256:/zfWQaRe58NIk9JsbjuYD9iDIEtz9O1Wl+ectxVcBbo=
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
X-MSMail-Priority: Normal
X-Notice: Filtered by postfilter v. 0.9.3
X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
X-Priority: 3
 by: Wally J - Sat, 21 Oct 2023 21:21 UTC

Most people know Google Play Protect works, by default, whether or not you
have a Google Account by scanning all the apps every day (even if they are
not installed off the Google Play Store) once a day - and also scanning
every app (even if it's not installed off the Google Play Store) at the
time of installation of that app (no matter how it's installed).

But neither of those two scans were real time in terms of app execution.
Until now...

https://www.droid-life.com/2023/10/20/spot-malicious-apps-with-google-play-protects-real-time-app-scanning/
Google Play Protect is getting real-time app scanning, utilizing on-device
machine learning and similarity comparisons to ensure apps users are trying
to install don't contain malicious code.

Said to be available as part of Google Play Store version 37.5 which was
broken down by our friend Mishaal Rahman, "Real-time app scanning will help
combat malicious polymorphic apps that change their identifiable features
to avoid detection."

The software will extract important "signals" from the app and then send
them to the Play Protect backend for code-level evaluation. After the
analysis is done, users will then get a result letting them know if the app
appears safe to install or is potentially harmful. You can see what the
warning looks like above in the header image.
--
The whole point of Usenet is to find people who know more than you do.
And to contribute to the overall tribal knowledge value of the newsgroup.

Re: Google Play Protect adds real-time scanning upon software execution

<1nw6ldyle4ntc$.dlg@v.nguard.lh>

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: V...@nguard.LH (VanguardLH)
Newsgroups: comp.mobile.android
Subject: Re: Google Play Protect adds real-time scanning upon software execution
Date: Sat, 21 Oct 2023 19:32:33 -0500
Organization: Usenet Elder
Lines: 47
Sender: V@nguard.LH
Message-ID: <1nw6ldyle4ntc$.dlg@v.nguard.lh>
References: <uh1fcd$micb$1@paganini.bofh.team>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Trace: individual.net 6d3eRwtpsPrYoJnSjlai/wJPeAimQbXY9bnsZfKgEj/HxvJAJt
Keywords: VanguardLH,VLH
Cancel-Lock: sha1:AT6P0Qw2bgo/GFY6n6N7lcqB+Q0= sha256:/LrgIDERG7tZI8TnMqy4DL6t5Q7YdYgMxVHabfc1QPM=
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Sun, 22 Oct 2023 00:32 UTC

Wally J <walterjones@invalid.nospam> wrote:

> Most people know Google Play Protect works, by default, whether or not you
> have a Google Account by scanning all the apps every day (even if they are
> not installed off the Google Play Store) once a day - and also scanning
> every app (even if it's not installed off the Google Play Store) at the
> time of installation of that app (no matter how it's installed).
>
> But neither of those two scans were real time in terms of app execution.
> Until now...
>
> https://www.droid-life.com/2023/10/20/spot-malicious-apps-with-google-play-protects-real-time-app-scanning/
> Google Play Protect is getting real-time app scanning, utilizing on-device
> machine learning and similarity comparisons to ensure apps users are trying
> to install don't contain malicious code.
>
> Said to be available as part of Google Play Store version 37.5 which was
> broken down by our friend Mishaal Rahman, "Real-time app scanning will help
> combat malicious polymorphic apps that change their identifiable features
> to avoid detection."
>
> The software will extract important "signals" from the app and then send
> them to the Play Protect backend for code-level evaluation. After the
> analysis is done, users will then get a result letting them know if the app
> appears safe to install or is potentially harmful. You can see what the
> warning looks like above in the header image.

The Play Store app is still disabling permissions on apps that haven't
been used for a long time (don't remember how long) despite being configured
to disable that "feature". I had to go into each app to restore
permissions. I had set auto-remove = off, but, gee, mysteriously it
changed to auto-remove = on.

Wonder with whom they contracted to add the AV engine and feature set.
However, doesn't look like they use signatures, but cloud analysis of
trigger, resources, or events generated by an app (aka heuristics only).

The user is still prompted to decide to allow an install or not, and
therein is the failure point: users deciding on what is malicious.

Another article mentioning the same feature enhancement of Play Protect:

https://arstechnica.com/gadgets/2023/10/android-will-now-scan-sideloaded-apps-for-malware-at-install-time/

I'm using Play Store 37.9 on Android 8. Don't see anything in the Play
Protect settings that hints at a difference in AV behavior or features. But
then I'm not in India.
