Interested in downloading that new, enticing mobile “app” for your Android phone?

Want to verify it’s free of malware?

If so, you might want to be careful in utilizing Google’s recently launched “application verification service.”

N.C. State professor and researcher Xuxian Jiang reports that the Google service detected less than 15 percent of malware, whereas third-party app checkers discovered 51 percent to 100 percent of threats.

“By introducing this new app verification service in Android 4.2, Google has shown its commitment to continuously improve security on Android. However, based on our evaluation results, we feel this service is still nascent and there exists room for improvement,” Jiang wrote in a blog Monday about his study.

Jiang, who has warned against mobile app threats before, helped create the Android Malware Genome Project and has targeted “smishing,” decided to test the Google app checker, which ships as part of Google’s Android 4.2 (Jelly Bean) release, after reading on a Google blog:

“Now, with Jelly Bean, Android 4.2 devices that have Google Play installed have the option of using Google as an application verifier. We will check for potentially harmful applications no matter where you are installing them from.”

Responded Jiang:

“It is indeed an exciting security feature! We think it was a really good move by Google to directly face Android malware threats and take such measures to better protect Android users.”

Jiang wrote he decided to “demystify this service” with his own test, the purposes being:

“(1) We want to understand better how the app verification service works;

“(2) We also want to quantify the effectiveness of this service and compare it with existing third-party anti-virus engines.”

The results were not very comforting.

Jiang found that the service is “fragile and can be easily bypassed.”

“To be more effective, additional information about the app may need to be collected. However, how to determine the extra information for collection is still largely unknown — especially given user privacy concerns,” Jiang added.

“In addition, the new app verification service largely relies on the server component (in the Google cloud) to determine whether an app is malicious or not. Unfortunately, it is not realistic to assume that the server side has all existing malware samples (especially with limited information such as app checksums and package names). From another perspective, the client side, in the current implementation, does not have any detection capability, which suggests possible opportunity for enhancement. However, due to the limited processing and communication power on mobile devices, we need to strike a delicate balance on how much detection capability can and should be offloaded.”

Jiang also points out that another tool, VirusTotal, which is owned by Google, is not part of the app verification service.

“From our measurement results, VirusTotal performs much better than this standalone service,” Jiang concluded. “For improved detection results, we expect such integration in the future will be helpful.”