There were a number of stories last year about malicious apps, or those with massive security holes, making their way to Android phones via the Google Play store.
It seems like those high profile stories were just the tip of the iceberg. In an announcement earlier this week, Google said that last year alone it removed 700,000 ‘bad apps’ and stopped 100,000 bad app developers from sharing their apps on the Google Play store. If the app number sounds high, it is: It’s a 70% jump from 2016.
Google classifies ‘bad apps’ as those that have inappropriate content (like pornography), install malware on target operating systems or steal data, or are copycats of other legitimate apps.
Last August, Google rolled out Google Play Protect to stop the ever-increasing number of malicious apps from popping up in Play. Play Protect uses machine learning to continuously figure out what kinds of behaviors bad apps adapt, to try and spot them in the wild.
We reported on a number of the bad apps in the Android ecosystem last year: Some of them installed malware with malicious, persistent pop-up ads, other apps used malware like SonicSpy to steal private data from their users, others went even further and behaved like ransomware on the phone, holding data hostage. These apps often impersonated legitimate, popular apps like WhatsApp and Pokemon GO to convince unwitting users to download and install them, which is why copycat apps aren’t just an intellectual property issue.
What to do?
- Stick to Google Play. In the post, Google writes that 99% of apps with abusive content were discovered and removed before anyone even downloaded them. Although that still leaves 7,000 bad apps that got through last year, it’s still safest to download apps from the Google Play store than to go rogue and download apps elsewhere online. Many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
- Consider using an Android anti-virus. By blocking the install of malicious and unwanted apps, you’ll be protected even if something slips through the cracks and into the Play store.
- Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
- Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features.
Further reading
SophosLabs recently discovered several malicious cryptomining apps on Google Play. Read the report to find out just how much effort cybercriminals are willing to put into getting their cryptomining code accepted onto Google Play.
DevhenApplab
It’s a great move by Google. It makes users feel more secure.
Paul Ducklin
Feeling secure isn’t quite as good as actually being secure, though…
Laurence Marks
“…, it’s still safest to download apps from the Google Play store than to go rogue and download apps elsewhere online.”
Seems like you could be a bit more specific. Did you intend to smear e.g., the Amazon app store with that brush?
Paul Ducklin
My advice is usually slightly more conciliatory: try to live without off-market apps. If you need one, turn on the security option to “allow off-market apps” while you install it, and then turn that option off again afterwards.
Mahhn
“Still” waiting on gugel to show some responsibility and send notices to people that had downloaded these apps while they were approved. I can’t imagine any other company getting away with not notifying people they downloaded malicious software from them. And in such volume.