Google Fails Again by Allowing More Rogue Apps on Google Play

Although today’s cybersecurity boasts sophistication and proactivity through cutting-edge techniques such as machine learning, a completely tamper-proof system has yet to be invented. Even the services of global technology giants are susceptible to exploitation by malicious actors. The Google Play store is no exception. It turns out that this huge software marketplace has been swarming with PUAs (potentially unwanted applications) for years, and Google’s efforts to stop this trend aren’t as effective as expected.

According to the findings of numerous threat analysts, malware on Google Play isn’t a marginal phenomenon. It appears to be easy for harmful apps to make their way into this major software repository, despite the many claims made by Google engineers about stringent code verification. Below are a few examples that demonstrate how serious the problem is, and a look at what Google is doing about it.

Camera apps lead to phishing sites and collect user images

Security researchers from Trend Micro have recently discovered several dozen camera apps for Android that display ads leading to unsafe content and adult sites. Some of these apps have millions of installs, so the scope of the issue is broad.

While posing as tools for beautifying photos through various filters, the apps in question access ad servers that adjust the sponsored content based on the device model and its geographical location. In many cases, the victims are redirected to phishing websites camouflaged as prize claim pages requesting personally identifiable information.

Quite a few of these booby-trapped applications have a more unsettling functionality under the hood. They are capable of uploading the unsuspecting users’ images (often “selfies”) to the fraudsters’ servers. Having ended up in the wrong hands, this type of content can be compromising. One more adverse quirk of the shady apps has to do with bogus update popups that promote other junk or download malicious software onto the device.

Fake GPS apps do nothing but show ads

Another sketchy malvertising campaign came to the attention of analysts in mid-January 2019. ESET malware researchers spotted 19 Android apps on Google Play that pretend to be GPS navigation tools but actually serve ads while using Google Maps as bait. These dubious applications have more than 50 million installs combined.

As part of their unethical marketing, the developers scraped screenshots from other reputable services and added them to the download pages for a false sense of legitimacy. When downloaded and launched, the apps trigger a full-screen advertisement and then simply open Google Maps, which proves that they have no geolocation and navigation capability of their own. To add insult to injury, some of these rogue tools display dialogs requesting the ability to manage phone calls on the device and access the user’s contacts.

The white hats unveiled that these applications were developed by publishers from India, Pakistan, and Germany. Upon closer inspection, it turned out that most of them hail from only two different authors. At the time of writing, they continue to collect installs in spite of poor ratings. One of them has been installed more than 5 million times.

Adware apps successfully resist uninstallation

In early March 2019, Android malware analysts found three adware applications on the Google Play Store that leverage a very unusual mechanism to evade removal and thereby persevere on a device. All of them are disguised as camera enhancement apps but don’t do much more than pushing ads to the victims. Although these are clearly junk apps, they have collected more than 700,000 installs.

The trickiest part about these culprits is that the icon created on the home screen after the installation doesn’t work as intended. From Android 6.0 (Marshmallow) onwards, a program’s default icon can be used to remove it from the device. All it takes is long-tapping the icon and dragging it to the Uninstall area that appears.

In the case of the three malicious apps under scrutiny, though, the only thing that can be wiped this way is the program’s shortcut. The bad entities actually remain intact and keep doing their job. The only uninstall method is to go to Android Settings, proceed to the Apps section and eradicate the unwelcome objects from there. The victims who find the latter approach tedious run the risk of staying infected for a long time.

Who is at risk?

Whereas the intended set of victims seems to be isolated to regular mobile users, numerous trojanized apps on the Google Play store may pose risks to companies as well. Many businesses have a BYOD (“Bring Your Own Device”) policy that allows employees to use personal devices at the workplace.

Imagine a scenario where a staff member installs one of these rogue applications onto their smartphone and clicks on a fishy ad leading to spyware. The next time this person logs into their corporate email account or database using the same device, the perpetrators may intercept the credentials and thereby gain access to these sensitive resources. The consequences can be really unsettling: industrial espionage, blackmail, spear phishing, and more.

What is Google doing about it?

The company admits that the scourge of harmful apps reaching the Google Play Store is a serious concern while reassuring the community about increasingly effective countermeasures being adopted to fend off the threat. As per the recently published annual report regarding Android security, the number of rejected app submissions increased by more than 55 percent in 2018 versus 2017. Additionally, 66 percent more apps were suspended.

According to Andrew Ahn, Google Play’s product manager, this progress is due to a combination of tightened policies, machine learning-based defenses, and refined human review workflows for detecting unwanted applications fast. The company has also updated the developer guidelines to address the issue of SMS and call log access permissions being requested by apps that don’t need such privileges.

The executive has also emphasized the importance of Google Play Protect, a security system that scans roughly 50 billion apps on more than 2 billion users’ gadgets on a daily basis. The latest tweaks of this feature include alerts popping up when a user is trying to launch a rare app whose reputation hasn’t been vetted, as well as auto-disabling malicious programs that violate the store’s policies. Google is obviously fine-tuning their protection vectors to keep Android users on the safe side, but is it enough?

The plague is underway regardless

Google’s endeavors to combat harmful apps on the Google Play Store aren’t complete shots in the dark and have had some success, but they don’t live up to the expectations. The examples above show that new adware and identity-stealing programs continue to slither their way into the marketplace and collect thousands or even millions of installs. In addition, Android users may get infected when just browsing the web.

Google Play is a juicy target for malefactors, who are constantly looking for new tricks to cloak malicious activity and get around restrictions and defenses. All in all, the fight against threat actors and unscrupulous app developers seems to be a process that will never end, so the only thing Google can do is enhance the countermeasures and try to be one step ahead.


Regular users should be very careful about installing new apps. It is always better to read user reviews and provide app permissions with caution. In addition, in order to steer clear of hazardous code on your Android device, be sure to download apps from the official store only. Doing so isn’t an ultimately effective countermeasure, but it can significantly reduce the risk of installing deleterious code. It is also good to keep the Play Protect feature enabled at all times and ascertain that its “Scan device for security threats” toggle is on. Last but not least, use a reputable Android VPN service whenever you are surfing the web on your gadget, especially if you are connected to insecure networks such as public WiFi. This way, no one can snoop on your online activities and your privacy stays intact.
