You’ve probably heard a hundred times that you should only ever install apps from the official Google Play store on your Android device. It’s a sensible rule, but it’s increasingly clear it’s no guarantee of security. Google’s size and set-up means there’s always a chance of rogue apps getting through its defences, and that risk is increasing.


The Price of Freedom

The very nature of Android means you must balance flexibility and security. Unlike the locked-down world of iOS, the Android system and the devices that run it are much less restricted. You can run any compatible application on your Android device, the only barrier being a confirmation warning screen where you confirm understanding the risks.

Google’s own advice is to stick to the default setting of only downloading, installing and running apps from the Google Play store. These apps go through a security vetting process that’s designed to make sure they do what they say they do, and more importantly that they don’t access or share data or use device resources without permission.

Unfortunately this creates a false sense of security.


Malware Gets Massive

Google’s own published figures show that in 2017 alone it had to remove 700,000 different malicious applications from the store, a rise of 70 percent over the previous year. The good news is that around 99 percent of these were caught before anyone installed them. The bad news is that leaves around 7,000 malicious apps that did get on people’s devices through the ‘secure’ Play Store.

Around a third of the apps Google took down were deliberately designed to resemble existing popular legitimate applications. Many had earned strong ratings and reviews, adding to their apparent legitimacy. In some cases this may have been through shady practices that drown out genuine negative reviews. In others it’s because the apps appeared to work as advertised and the user was unaware what was happening in the background.

Unfortunately that means that while the proportion of rogue apps that sneak through the process is low, the number of victims can be high. Indeed, some malware spotted by third parties, rather than Google itself, was found in apps with downloads in the millions.

The aim of the malware varies widely, but a common goal of the fraudsters is to flood your device with ads while claiming credit and revenue from advertisers – many of whom don’t realise their message is being delivered in such an underhand way.

Sometimes the malware is even more damaging: Secure-D found one of the biggest culprits was a popular weather app named Weather- Simple weather forecast. It all looked legitimate: the app had more than 10 million downloads and an average user rating of 4.4 out of 5.  The app was also pre-installed on many smartphone devices.

malicious weather app

As far as most users knew, the app was doing exactly what it promised.

The problem was what they didn’t know. The app was secretly connecting to remote servers and attempting to sign up users to premium services – which had nothing to do with weather — without their knowledge or permission. It was a blatant abuse of trust.


Beating the System

Malware creators get rogue apps into the Google Play store by exploiting three factors:

The sheer scale of the store— The most recent published figures show the store had 2.6 million different apps in September 2018. Despite Google’s best efforts, it’s almost inevitable some malicious apps will get round the checks.

Gaming the system Google has boosted its efforts to catch malicious apps through Play Protect, a security scanning system that tries to learn and recognize common characteristics in how such apps operate, rather than simply checking them for known rogue files. Malware creators have learned ways round these scans such as encrypting code, starting the malicious actions on a delay, or even creating an app that does pass Google’s security checks but then downloads and run another which contains the malware components.

The use of open source software— Put simply, malware creators have far more access to the inner workings of Android than they do Apple software. That gives them more flexibility for finding increasingly creative ways to gain access to devices and wreak havoc.


Lessons to Learn

Only installing Android apps from Google Play remains a good rule of thumb for most users, but it should never be your only defensive measure.

Here are some other ways to protect yourself:

— Carefully read reviews and check the developer details in the Google Play listing to reduce the chance of installing an imposter app, but never rely on good reviews as a guarantee the app is legitimate.

— When you install a new app, check the app’s permission in “permission details”. Review the apps on your phone and uninstall any that don’t come from trusted sources.

— Keep your OS software up-to-date to get the latest security fixes.