  • Data Collection: decreased over 40% to 0.08% of installs
  • Spyware: decreased 60% to 0.02% of installs
  • Hostile Downloader: decreased 50% to 0.01% of installs
Overall, PHAs were installed on fewer than 0.15% of devices that only get apps from Google Play. About 0.5% of devices that install apps from both Play and other sources had a PHA installed during 2015, similar to the data in last year’s report.

It’s critical that we also protect users that install apps from sources other than Google Play. Our Verify Apps service protects these users and we improved the effectiveness of the PHA warnings provided by Verify Apps by over 50%. In 2015, we saw an increase in the number of PHA install attempts outside of Google Play, and we disrupted several coordinated efforts to install PHAs onto user devices from outside of Google Play.


New security features in the Android platform

Last year, we launched Android 6.0 Marshmallow, introducing a variety of new security protections and controls:
  • Full disk encryption is now a requirement for all new Marshmallow devices with adequate hardware capabilities and is also extended to allow encryption of data on SD cards.
  • Updated app permissions enable you to manage the data you share with specific apps with more granularity and precision.
  • New verified boot ensures your phone is healthy from the bootloader all the way up to the operating system.
  • Android security patch level enables you to check and make sure your device has the most recent security updates.
  • And much more, including support for fingerprint scanners and SELinux enhancements.

Deeper engagement with the Android ecosystem

We’re working to foster Android security research and making investments to strengthen protections across the ecosystem now and in the long run.

In June, Android joined Google’s Vulnerability Rewards Program, which pays security researchers when they find and report bugs to us. We fixed over 100 vulnerabilities reported this way and paid researchers more than $200,000 for their findings.

In August, we launched our monthly public security update program to the Android Open Source Project, as well as a security update lifecycle for Nexus devices. We intend the update lifecycle for Nexus devices to be a model for all Android manufacturers going forward and have been actively working with ecosystem partners to facilitate similar programs. Since then, manufacturers have provided monthly security updates for hundreds of unique Android device models and hundreds of millions of users have installed monthly security updates to their devices. Despite this progress, many Android devices are still not receiving monthly updates—we are increasing our efforts to help partners update more devices in a timely manner.


Greater transparency, well-informed discussions about security, and ongoing innovation will help keep users safe. We'll continue our ongoing efforts to improve Android’s protections, and we look forward to engaging with the ecosystem and security community in 2016 and beyond.


Number of freshly compromised sites Google detects every week.

Over the last year Google detected nearly 800,000 compromised websites—roughly 16,500 new sites every week from around the globe. Visitors to these sites are exposed to low-quality scam content and malware via drive-by downloads. While browser and search warnings help protect visitors from harm, these warnings can at times feel punitive to webmasters who learn only after the fact that their site was compromised. To balance the safety of our users with the experience of webmasters, we set out to find the best approach to help webmasters recover from security breaches and ultimately reconnect websites with their audience.

Finding the most effective ways to aid webmasters

  1. Getting in touch with webmasters: One of the hardest steps on the road to recovery is first getting in contact with webmasters. We tried three notification channels: email, browser warnings, and search warnings. For webmasters who proactively registered their site with Search Console, we found that email communication led to 75% of webmasters re-securing their pages. When we didn’t know a webmaster’s email address, browser warnings and search warnings helped 54% and 43% of sites clean up respectively.
  2. Providing tips on cleaning up harmful content: Attackers rely on hidden files, easy-to-miss redirects, and remote inclusions to serve scams and malware. This makes clean-up increasingly tricky. When we emailed webmasters, we included tips and samples of exactly which pages contained harmful content. This, combined with expedited notification, helped webmasters clean up 62% faster compared to no tips—usually within 3 days.
  3. Making sure sites stay clean: Once a site is no longer serving harmful content, it’s important to make sure attackers don’t reassert control. We monitored recently cleaned websites and found 12% were compromised again in 30 days. This illustrates the challenge involved in identifying the root cause of a breach versus dealing with the side-effects.

Making security issues less painful for webmasters—and everyone

We hope that webmasters never have to deal with a security incident. If you are a webmaster, there are some quick steps you can take to reduce your risk. We’ve made it easier to receive security notifications through Google Analytics as well as through Search Console. Make sure to register for both services. Also, we have laid out helpful tips for updating your site’s software and adding additional authentication that will make your site safer.

If you’re a hosting provider or building a service that needs to notify victims of compromise, understand that the entire process is distressing for users. Establish a reliable communication channel before a security incident occurs, make sure to provide victims with clear recovery steps, and promptly reply to inquiries so the process feels helpful, not punitive.

As we work to make the web a safer place, we think it’s critical to empower webmasters and users to make good security decisions. It’s easy for the security community to be pessimistic about incident response being ‘too complex’ for victims, but as our findings demonstrate, even just starting a dialogue can significantly expedite recovery.




In addition to beacon manufacturers, we’ve been working with a range of innovative companies to demonstrate Eddystone-EID in a variety of different scenarios.
  • Samsonite and Accent Systems have developed a suitcase with Eddystone-EID where users can securely keep track of their personal luggage.
  • K11 is a Hong Kong museum and retail experience using Sensoro Eddystone-EID beacons for visitor tours and customer promotions.
  • Monumental Sports in Washington, DC, uses Radius Networks Eddystone-EID beacons for delivering customer rewards during Washington Wizards and Capitals sporting events.
  • Sparta Digital has produced an app called Buzzin that uses Eddystone-EID beacons deployed in Manchester, UK to enable a more seamless transit experience.
You can get started with Eddystone-EID by creating a Google Cloud Platform project and purchasing compatible hardware through one of our manufacturers. Best of all, Eddystone-EID works transparently with beacon subscriptions created through the Google Play Services Nearby Messages API, allowing you to run combined networks of Eddystone-EID and Eddystone-UID in your client code!



Here’s the full set of data we share with network administrators:
  • Compromised: Pages harming users through drive-by-download or exploits.
  • Distribution: Domains that are responsible for launching exploits and serving malware. Unlike compromised sites, which are often run by innocent webmasters, distribution domains are typically set up with the primary purpose of serving malicious content.
  • Social Engineering: Deceptive websites that trick users into performing unwanted actions such as downloading software or divulging private information. Social engineering includes phishing sites that trick users into revealing passwords.
  • Unwanted Software: URLs which lead to software that violates our Unwanted Software Policy. This kind of software is often distributed through deceptive means such as social engineering, and has harmful software traits such as modifying users’ browsing experience in unexpected ways and performing unwanted ad injections. You can learn more about Unwanted Software, or UwS, here.
  • Malware Software: Traditional malware downloads, such as trojans and viruses.
Network administrators can use the data provided by our service to gain insights into the security and quality of their network. By working together, we can make it more challenging and expensive for attackers to profit from user harm.


If you’re a network administrator and haven’t yet registered your AS, you can do so here. If you are experiencing problems verifying ownership, please contact us.