Eugen Rochko
Denzil Ferreira@Gargron the review process at Google can be a PITA, but for a good reason. Permissions to access more than an app really needs can be exploited for harvesting private information on a seemless update that most won't even notice. Side loaded apps downloaded from say APK mirror can have been tampered with using smali edits and you won't know. What Google should do is certified dev signing keys to trace and confirm if an APK is legit or not and coming from the actual dev, regardless of being side loaded.
David Chisnall (*Now with 50% more sarcasm!*)Except that, it doesn't prevent malware. Note that this news article is from today. I went to find the most recent example of this and it turns out that I didn't even have to go back as far as yesterday.
Proper safety is done by reducing kernel attack surface, reducing the size of the TCB, and making it easy for applications to respect the principle of least privilege so that ones that don't stand out as things that obviously request more permissions than they should have.
@david_chisnall @Gargron yep, there is only so much that automated and human review of code can do to prevent or minimize malicious code.
Kevin Karhan 
@david_chisnall @Gargron @denzilferreira in fact all #malware that gets into #GooglePlay works with lies and deciet as in the original account and code submitted is all clean and onlynafterwards do they slowly "update" maliciois functionality.
- You can see this with fake minecraft clones / blatant copies that start out as #shovelware but also distinguish IP ranges between #Google's reviewers and genuine users, downloading different sets of files...
Stolen Minecraft Is Now More Popular Than Minecraft.
@kkarhan @david_chisnall @Gargron yep... it may be that with AI assistance, code could be analysed on every update to prevent or mitigate some of this backdoor malicious updates. Will it be perfect? No.
@denzilferreira @david_chisnall @Gargron not really.
Also "#AI" is wasteful computing that results in unmaintainable code and hallucinated solutions.
@kkarhan @david_chisnall @Gargron I meant to analyze the code for possible CVE or exploits at scale. Doing it manually with a lot of humans will take more resources if that is what you are comparing to (computers, electricity, etc). AI has it's place to help.
@denzilferreira @david_chisnall @Gargron
1. Google and Apple do that to an extent. Obviously they can't work against maliciois devs knowing that and thus detecting their sandbox-testing.
2. What you point out as "#AI" is at best a worse version of #VirusTotal.
@kkarhan @david_chisnall @Gargron yep, that's why I said before there are limits to what AI or humans can actually do 😄 VirusTotal looks very interesting, thanks for sharing!