Google's application verification service for Android phones, new for Android 4.2 Jelly Bean, needs to go back to school.
The program, meant to detect malicious apps, failed in a big way in tests, detecting less than 16 percent of more than 1,200 sample bugs it was challenged with.
The tests, carried out by North Carolina State University computer scientist Xuxian Jiang, were performed on Nexus 10 tablets with Android 4.2 onboard. Xuxian said he picked random code samples from 49 different families of malware.
When he ran the test against third-party anti-virus products from Kaspersky, Symantec and Avast, the detection rates were much higher — between 50 and 100 percent, tech site Ars Technica reported.
"This mechanism is fragile and can be easily bypassed," Xuxian wrote, noting that the software was heavily reliant on a library of hash signatures in order to identify malicious code. [ The Top 10 Threats to Your Smartphone ]
Xuxian also criticized Google's decision to host the service remotely, rather than on devices themselves.
"The client side, in the current implementation, does not have any detection capability, which suggests possible opportunity for enhancement," he wrote. "However, due to the limited processing and communication power on mobile devices, we need to strike a delicate balance on how much detection capability can and should be offloaded."
Xuxian also pointed out that Google's recent anti-virus acquisition, VirusTotal, a constantly updated reference database, outperformed the native detection program. He suggested that, if integrated, the combined software could become a much more robust and effective anti-virus tool.
Follow Ben on Twitter.