Google cracks down on malicious Android developers

If you’re new to Android and want to publish an app, expect delays.
18 April 2019

Google Play logo. Source: Shutterstock

Google is enforcing more rigorous policies on Android developers, which could mean app makers see the publication of their apps delayed for days.

The tech giant laid out its case for more stringent vetting of developers that it has not worked with before, in an effort to catch bad actors who could be using the platform to distribute malware.

On the Android Developers blog, Google said that it had sought to craft Android as a “completely open source operating system” from the outset, adding that this “developer-centric” approach was a cornerstone of the operating system.

“Every day, billions of people around the world use the apps you’ve built to do incredible things like connect with loved ones, manage finances or communicate with doctors,” said Sameer Samat, VP of Product Management at Android & Google Play.

“While the vast majority of developers on Android are well-meaning, some accounts are suspended for serious, repeated violation of policies that protect our shared users,” he added.

According to Google, “bad-faith” developers will often try to get around a ban by opening new accounts, or by using other developers’ existing accounts, to publish unsafe apps.

While Google doesn’t go into detail regarding what constitutes an “unsafe app”, Kristy Edwards, director of Portland-based cybersecurity company Lookout, told the BBC that malware authors often change their account information on Android to conceal their identities.

Edwards said that one malware author was discovered to have changed their ID codes more than 700 times.

The new checks, which Google assures will take “days, not weeks”, will be focused on developers who apparently don’t have a track record with Android. Reviews will aim to establish whether developers have links to “bad faith” actors behind malicious or unsafe apps.

Samat said that those found to be attempting to ‘game the system’ would be blocked, adding that those suspended unfairly would be able to appeal to a ‘human’ member of the team.

“While 99%+ of these suspension decisions are correct, we are also very sensitive to how impactful it can be if your account has been disabled in error.

“You can immediately appeal any enforcement, and each appeal is carefully reviewed by a person on our team. During the appeals process, we will reinstate your account if we discover that an error has been made,” said Samat.

While Google will be scrutinizing developers more thoroughly, other policy changes include requiring app developers to disclose what data they want to gather, which restricts access to some phone features.

That included apps which access SMS and call log data, such as text message apps. Following the policy updates, the number of apps with access to that information decreased by more than 98 percent.

While users find many of the features in question valuable, the company said the policies were in place to limit the abuse of personal information people volunteer to apps.

The updates, which form part of a “comprehensive look” Google is giving the Android platform and policies, come ahead of Google’s developer conference, I/O, in May.