Play Store still hosts malware. What’s lacking?

Researchers spotted a number of apps on the Google Play Store two months ago that eavesdrop on notifications.
1 July 2022

Countless security measures later, malicious apps are still lingering in Google Play Store. What’s lacking? (Photo by NOAH BERGER / AFP)

  • The report highlights that the most dangerous aspect of the apps lingering in the Google Play Store is spyware tools capable of stealing information from other apps’ notifications.
  • While apps allegedly containing malicious code have been removed from the Play Store, up to five of those apps remain online.
  • The activity of advertising trojans had also increased.
  • Although Google has safeguards in place, much malware still managed to slip through.

Android’s hallmark has always been ‘openness’—the platform’s huge scale is in fact one of its core strengths. Its size, however, makes the Play Store a diverse morass for Google to guard. Yet, despite fortifying its scanning defenses for years, malicious apps still beat Play Store’s security, threatening millions of users.

Software company Dr.Web discovered apps with built-in adware and information-stealing malware on the Google Play Store two months ago. In a report, the researchers highlighted that at least five apps are still available in the app store and have amassed over two million downloads. Other apps allegedly containing malicious code have been removed by the Play Store, according to Dr.Web.

The report, published two weeks ago, came on the heels of Google’s monthly Android security bulletin, which outlined fixes for a large number of critical vulnerabilities. Apparently, the most dangerous of these apps features spyware tools capable of stealing information from other apps’ notifications, mainly to capture two-factor authentication (2FA) one-time passwords (OTPs) and thus make account takeover possible.
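A defender's check for the notification-stealing behaviour described above, as an added example that is not from the original article or Dr.Web's report: it parses the value of Android's `enabled_notification_listeners` secure setting and lists packages that hold notification access but are not on an allowlist. The package names, the allowlist and the sample value are constructed, and it assumes the app reads notifications through Android's notification-access grant.

```python
"""Audit which Android packages hold notification access (added example)."""

# Value as printed by:
#   adb shell settings get secure enabled_notification_listeners
# Constructed sample; every package name here is made up for illustration.
SAMPLE_SETTING = (
    "com.example.watchcompanion/.BridgeListener:"
    "com.example.wallpapers/com.example.wallpapers.sync.NotifyService:"
    "com.example.flashlight/.core.Relay"
)

# Hypothetical allowlist: packages the device owner expects to read notifications.
EXPECTED = {"com.example.watchcompanion"}


def parse_listeners(value):
    """Split the colon-separated 'package/class' list into (package, class) pairs."""
    value = (value or "").strip()
    if value in ("", "null"):  # the setting is unset when nothing holds access
        return []
    pairs = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, sep, cls = entry.partition("/")
        if not sep or not pkg or not cls:
            pairs.append((entry, None))  # keep malformed entries visible
            continue
        if cls.startswith("."):  # short form is relative to the package name
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_listeners(value, expected):
    """Return {package: [listener classes]} for grants outside the allowlist."""
    findings = {}
    for pkg, cls in parse_listeners(value):
        if cls is None:
            findings.setdefault(pkg, []).append("<malformed entry>")
        elif pkg not in expected:
            findings.setdefault(pkg, []).append(cls)
    return findings


if __name__ == "__main__":
    for pkg, classes in unexpected_listeners(SAMPLE_SETTING, EXPECTED).items():
        print(f"review notification access: {pkg} -> {', '.join(classes)}")
```

A wallpaper or flashlight app has no functional need to read other apps' notifications, so any such package in the output is worth reviewing and revoking in the device's notification-access settings.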

[Figure: The most common threats of the month. Source: Dr.Web]

Among the remaining apps, PIP Pic Camera Photo Editor, a malicious app with over a million downloads, reportedly steals people’s Facebook credentials. Dr.Web also lists Wild & Exotic Animal Wallpaper, an adware app that currently has 500,000 downloads and changes its name to SIM Tool Kit after installation. Another app highlighted was Magnifier Flashlight.

Dr.Web researchers concluded that over the whole month of May, although the number of apps stealing other apps’ notifications decreased, the activity of advertising trojans increased. “In May, Android.Spy.4498, which steals information from other apps’ notifications, was again the most common mobile threat.”

“That said, its activity continued to decrease. Advertisement trojans from the Android.HiddenAds family also remained among the most widespread Android threats. Their activity, on the contrary, increased slightly compared to April,” the Dr.Web May 2022 virus activity review reads. In the report, researchers also highlighted the emergence of new malicious applications on the Google Play Store.

“Among them are fraudulent apps from the Android.FakeApp family and Android.Subscription trojans that subscribe users to paid services. Above that, new variants of trojans from the Android.PWS.Facebook family were revealed,” the report stated.

What is Google doing about those apps?

Google Play has built-in mechanisms to screen every submitted app for malware, ransomware, and assorted sketchiness. The most obvious vulnerability in the chain is the end user accidentally installing malware, which is why Google promotes Google Play Protect, a security service that is bundled with Google Play and runs by default on recent Android versions.

According to Android Police, by default, Google Play Protect will keep a device safe by scanning apps before downloading them and occasionally scanning apps already installed on a device to ensure they are not infected with any known malware or security vulnerabilities. “Play Protect will warn you if it finds an app with misleading or dangerous data collection policies,” it added.

In a 2017 write-up by Wired, then Android security head Adrian Ludwig was quoted as saying that Google benchmarks its internal scanning and screening against all the other Android anti-malware products it can find.

“We make the best antivirus that’s available for Android,” he says. But Ludwig emphasizes that Google knows it doesn’t catch everything, and has been promoting threat-intelligence sharing and collaboration with third-party firms that find issues Google misses. “We’ve been struggling to figure out how to get that last one percent, and we encourage the security community to reach out to us,” Ludwig added.

In essence, the tech giant is more concerned about “making sure we’re doing the right thing than gaming the numbers. We’ve always reported on misses,” Ludwig reiterated. Ultimately, as Wired put it five years ago, no matter how robust and advanced Play Store security gets, a highly stringent prevention mechanism is somewhat at odds with Android’s broader design and philosophical approach, which emphasises more choice and options for its users. With a large and partially open operating system like Android, the Google Play Store can be both the market leader and the most prone to hackers and all the problems that follow.