Recently, Google announced plans for its new App Defense Alliance – a partnership with three leading antivirus firms, Zimperium, ESET and Lookout – that would help block malware-riddled apps from entering the Play store.
This is a much-needed improvement (assuming it works) over the current system: an app Wild Wild West where anything goes. A place where suspicious, unknown and low-budget apps rank highly for search terms, racking up billions of installs and infecting users with malware, adware, or just run-of-the-mill privacy violations.
But by its very design, the App Defense Alliance just isn’t enough, because it does little to help users who have already downloaded these malicious apps.
Recent cases of malware on Play store
Google’s Play store has been in the news time and again for allowing malicious apps to be downloaded millions or even billions of times.
Let’s take a look at some of the worst cases in just the last year alone.
BuzzFeed News exposes apps committing ad fraud
BuzzFeed News uncovered that a group of popular apps from a major Chinese developer, DO Global, was committing “large-scale ad fraud and abusing user permissions.” They also showed how two other Chinese developers, Cheetah Mobile and Kika Tech, were “part of an ad fraud scheme that could have stolen millions of dollars.” These two developers have combined installs of more than 2 billion.
In another investigation, they discovered a multinational fraud scheme involving more than 125 Android apps in which the malicious apps secretly tracked user behavior. The apps had been downloaded millions of times.
Dropper apps discovered by Wandera
Security research firm Wandera discovered that a group of apps were functioning as dropper apps: after the user installs one of these apps, it drops other apps onto the user’s phone. These other apps are malicious, although mostly focused on bombarding the user with full-screen video ads or other types of intrusive ads.
Hiddad adware rakes up millions of downloads
Quick Heal Security Labs discovered that 29 separate apps, which altogether had been downloaded 10 million times, were carrying malicious code. These apps contained what’s known as the Hiddad malware, which is adware. Once users install these Hiddad apps, the apps hide their icons and start displaying intrusive video ads.
Google’s history of Play store defense
Google has promised many times before to clean up its Play store. In a 2018 blog post, Google promised to improve its AI that detects malware and suspicious behaviors, having blocked 99% of apps with abusive content before they could even enter the Play store. However, in 2017 it still had to remove 700,000 apps from the Play store that had gotten past its AI defenses.
Then, in July 2018, it once again updated its policies to improve its malware detection. In its new Developer Policy, it expanded the range of apps it would ban to include crypto miners, firearms and accessories sellers, adult apps aimed at kids, and more.
Time and again, however, the problem still persists: malicious apps are getting into the Play store, and it’s causing damage to people.
Why the App Defense Alliance isn’t enough
The problem, then, is simple: Google – a company that seems to have unlimited resources – doesn’t have the resources to keep the Play store clean. For that reason, it has teamed up with the security firms Zimperium, ESET and Lookout to help scan and identify threats in apps submitted to the Play store before they’re approved.
That’s pretty good, and it will most certainly help Google stop even more malicious apps from getting into people’s phones. But there’s one important question that remains:
What happens to the bad apps, removed from the Play store, that are still on people’s phones?
As it is right now, Google and the App Defense Alliance will block bad apps from going live in the first place. Perhaps with the Alliance’s help, Google will also be able to identify apps that are already live and remove them from the Play store.
That’s great. However, looking at the examples of malware from the past year above, we see that Google did remove most of those apps. But those apps are still on people’s phones, and they’re still able to do exactly what they were meant to do: commit click fraud, ad fraud and other malicious things.
What Google needs to do is one of the following:
- immediately alert users who have already downloaded these apps that they need to delete them from their phones (this should be technically straightforward)
- force updates that would automatically uninstall the software for those users
This latter option is technically feasible, but could present some ethical questions about ownership. On the other hand, the Play store is a private service, and such a measure could be included in its developer policies.
At the end of the day, the safety of users and their devices is the prime goal here, and on that front Google is unfortunately failing.
Let’s hope the new App Defense Alliance can change that.