Google’s Play Store has been criticized in recent weeks, as the scale of malware-laced apps available for download has come to light. It is clear that even as the platform introduces more safeguards, threat actors find ways to work around them. The bottom line—users need to be extremely cautious before downloading apps from sources they don’t fully know and trust.
New research made public on social media on Thursday (August 1) continued the theme, not with exhaustive data but with an indication of just how much harm can be hidden in apps presumed safe to download. ESET’s Lukas Stefanko—supported by various other researchers—claims to have identified 205 “harmful” apps available for download last month (July), which doesn’t sound too terrible until you realize that those apps were downloaded an eye-watering 32 million times.
This research is just the tip of a frightening iceberg. In June, I reported on the results of a study conducted by the University of Sydney and CSIRO’s Data61 that had used AI to unearth thousands of dangerous apps on Google Play that tricked users by mimicking popular alternatives. The study deployed a neural network to examine the icons and descriptions associated with 1.2 million apps, and found “2,040 potential counterfeits that contain malware in a set of 49,608 apps that showed high similarity to one of the top 10,000 popular apps in the Google Play Store.” The research also found “1,565 potential counterfeits asking for at least five additional dangerous permissions than the original app and 1,407 potential counterfeits having at least five extra third-party advertisement libraries.”
“When we do the math only on last month and only from available sources,” Stefanko told me, “not counting apps that could be there still hidden—this number is huge.”
The latest research highlights hidden ads as the main culprit, accounting for the vast majority of the downloads. More worryingly, three subscription scams accounted for more than one-third of the downloads. Stefanko told me that two of those three apps “are typical scam apps that try to exploit 3-day trial and then they can charge even $50 per week—unfortunately, Google doesn’t refund payments after 3 days.” The other one, though, he described as special: “This scam app with ten-million-plus downloads actually wanted subscription from users for receiving Samsung firmware updates for $34.99, even though these updates are free for every Samsung user.”
There are other hidden dangers on the store that carry far more risk. Last month, I also reported on the BianLian “dropper,” which had previously pushed the Anubis banking trojan onto Android devices and had now returned as malware in its own right, bringing new techniques to the attack on banking apps: recording screens to steal credentials and locking out users to hide its activities, “rendering devices unusable.”
Ad fraud schemes were in the news last year when Buzzfeed News reported that “eight apps with a total of more than 2 billion downloads in the Google Play store have been exploiting user permissions as part of an ad fraud scheme that could have stolen millions of dollars.” All eight apps were Chinese in origin, with seven from a single developer, Cheetah Mobile.
And earlier this year, ZDNet reported that “three-quarters of mobile applications have vulnerabilities relating to insecure data storage, leaving both Android (and iOS) users open to cyber attacks.” Smartphone users cannot claim that they’re not being warned.
Google is losing the fight despite trying to stem the tide of malware in its store. The company’s Google Play Protect was introduced to guard against app vulnerabilities and, in 2018, Google “introduced a series of new policies to protect users from new abuse trends, detected and removed malicious developers faster, and stopped more malicious apps from entering the Google Play Store than ever before. The number of rejected app submissions increased by more than 55%, and we increased app suspensions by more than 66%.”
But malware-laced apps and nuisance scam apps are not being caught by the measures in place, and that puts the onus on users to take care. As I’ve said before, “there’s no substitute for common sense and treating apps from unknown sources as potential threats.”
Rarely a week now goes by without the exposure of malware of some sort targeting our smartphones, devices that contain the keys to our digital worlds. And while we worry about viral crazes like FaceApp stealing our data, the truth is that it’s the apps we don’t see coming that we should worry about, those apps we’re downloading millions of times but which usually don’t make headlines.